Passwords --was-- Re: [BC] Can't solve it if you don't know about it

Robert Meuser Robertm
Mon Jul 31 10:25:50 CDT 2006


Email is one thing, but essential on air equipment should auto logon as Bernie 
suggested. This is especially true as one profile is accessed by multiple users. 
In many organizations this means that they are not part of a domain or active 
directory. It may also mean they have restricted access to corporate resources. 
In broadcasting there is a need to separate business-based SOX-compliant 
policies from vital on air operation.

Cowboy wrote:
> On Sunday 30 July 2006 09:36 pm, Barry Mishkind wrote:
>> At 05:31 PM 7/30/2006, Rockwell Smith wrote
> 
>>> All employees, full or part time, have company e-mail, but....  many 
>>> cannot access it because they seem to get locked out of their 
>>> accounts because they forget their passwords.
>>          Then you don't want to hear about the station
>>          I was in last month where the login and password
>>          (a lengthy line of letters and numbers) were
>>          taped to the studio monitors???
> 
>  This is exactly why lengthy strings of random characters are a
>  really bad idea.
>  Posted passwords are, in effect, no password at all !
>  This is as bad as passwords like "password" or "123go" !
> 
>  Pass-phrases are MUCH better, provided they aren't too obvious.
>  Even better, are apparently random strings derived from a
>  pass-phrase, something like MBWbiO14 derived from
>        My beloved wife's birthday is October 14.
>  This has the double-advantage of reminding one to buy that
>  birthday present !
> 
>  A fair "generic" password would be something like the first and
>  last letter of each word in the station slogan, in order, and including
>  at least one real word.
>  
>  These things are easy to remember, yet difficult to decipher if
>  one is not familiar with station operations, or the details of an
>  individual's life.
> 
>  Also good are seemingly random combinations of words.
>  Things like spatula&motorcar
>  Enough characters to be secure, no apparent relationship between
>  the words, and a "random" character separator.
>  Of course, for the personality whose password was her own surname,
>  and she managed to forget it at least once a week, there is no hope !
> 
>  A forgotten password for a critical system, because it was a long string
>  of unguessable random characters for "high" security can be much, much
>  worse than no password at all when that system goes down !
> 
>  Remember, most crackers will try a dictionary attack first.
>  Simply trying the more obvious permutations in common use, like
>  password, PaSsWoRd, Passw*rd, letmein, letmein45, root, toor, etc.
>  followed by a "brute force" ( if they're REALLY determined ) automated
>  generation of so many random characters, usually from 1 to 14 ( because
>  that was a common limit for Microsoft for MANY years ) characters,
>  until they hit one that works.
>  Brute force generators will filter and skip actual words, because it's
>  well known that the common "random" password web sites don't
>  generate real words.
>  Therefore, pass-phrases and common words in uncommon combinations
>  are FAR more secure than long strings of "random" characters. 
>  They won't be in the dictionaries, and it'll take a brute force attack years
>  to hit that "random" combination, *if* it's been reprogrammed to
>  include real words !
>  If you've got a cracker after you that is THAT determined, you've got worse
>  problems than simple net scans, and weekend visitors !
> 
>  Obvious passwords are bad, but strings of characters so complex they 
>  get written down are MUCH worse !
> 
>  In an air studio, where "talent" isn't known for good password retention,
>  I'd be using something like the first and last letter of the names, both
>  first and last names, of each person on the morning show.
>  Use their real names, not their air names, including at least one real word,
>  and it seems that's about as good as it gets.
> 
>  In a data processing center, or the IT department, if one wishes to get REALLY
>  secure, AND one can assume some degree of intelligence on part of the
>  authorized people, passwords that change with time of day, and date, are
>  almost impossible to crack, unless it's too obvious. Even then, a cracker
>  has to know that this happens in that IT center.
> 
>  Simple, yet really secure, passwords are possible, but they are not
>  random character generators !
> 

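As an added illustration (not part of Robert's or Cowboy's posts), here is a small Python script that implements the two construction schemes Cowboy describes, the sentence initialism behind MBWbiO14 and the first-and-last-letter station-slogan scheme, and gives a rough search-space estimate for each family of password under the dictionary-first, brute-force-second model he outlines. The sample slogan, the 20,000-word list size, the ten separator symbols and the guess rate are assumptions, not figures from the thread; the initialism function keeps each word's original case, so it yields MbwbiO14 rather than the hand-capitalised MBWbiO14.

```python
from __future__ import annotations

import math
import re

# Cowboy's own example sentence from the post, plus a constructed placeholder
# slogan (no real station's slogan is used here).
SAMPLE_PHRASE = "My beloved wife's birthday is October 14."
SAMPLE_SLOGAN = "Your Music Station"  # constructed placeholder


def _tokens(phrase: str) -> list[str]:
    """Split on whitespace and strip leading/trailing punctuation from each word."""
    return [t for t in (re.sub(r"^\W+|\W+$", "", w) for w in phrase.split()) if t]


def initialism(phrase: str) -> str:
    """Sentence-to-string scheme: first character of each word, numeric words
    (such as a date) kept whole, original case preserved."""
    return "".join(t if t.isdigit() else t[0] for t in _tokens(phrase))


def first_last(phrase: str) -> str:
    """Station-slogan scheme: first and last letter of each word, in order."""
    return "".join(t if len(t) < 2 else t[0] + t[-1] for t in _tokens(phrase))


def bits_random_chars(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def bits_word_combo(word_count: int, wordlist_size: int, separator_choices: int = 1) -> float:
    """Entropy of `word_count` words drawn uniformly from a wordlist, joined by
    separators drawn from `separator_choices` possibilities (spatula&motorcar style)."""
    return word_count * math.log2(wordlist_size) + math.log2(separator_choices)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_schemes(guesses_per_second: float = 1e9) -> dict[str, tuple[float, float]]:
    """Rough search-space size for the password families discussed in the thread.
    Wordlist size (20,000 words), separator set (10 symbols, so 100 choices for
    two separators) and the 1e9 guesses/second rate are assumptions."""
    schemes = {
        "8 random alphanumerics (MBWbiO14 shape, if truly random)": bits_random_chars(8, 62),
        "14 random alphanumerics (the old Microsoft limit)": bits_random_chars(14, 62),
        "two dictionary words + one separator (spatula&motorcar)": bits_word_combo(2, 20_000, 10),
        "three dictionary words + two separators": bits_word_combo(3, 20_000, 100),
    }
    return {
        name: (round(b, 1), years_to_exhaust(b, guesses_per_second))
        for name, b in schemes.items()
    }


if __name__ == "__main__":
    print("initialism :", initialism(SAMPLE_PHRASE))
    print("first/last :", first_last(SAMPLE_SLOGAN))
    for name, (bits, years) in compare_schemes().items():
        print(f"{bits:6.1f} bits  {years:12.3g} years  {name}")
```

The two transforms make the caveat in the thread concrete: the strength of a derived string is bounded by how guessable the source phrase is, not by how random the result looks, so the slogan scheme applied to a published slogan is one guess for anyone who knows the scheme, while the same transform applied to a private sentence is not. The years_to_exhaust() figure is a worst-case exhaustive count at the assumed rate, which is the number to compare against the written-down-on-the-monitor alternative rather than a promise about any particular tool.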
