passwords

Discussion in 'Computer Security' started by Colonel Flagg, Jan 20, 2004.

  1. 3-6 months ago, either in here or on slashdot, someone posted the URL to
    an article written about password strengths and statistics attempting to
    show that passwords above a certain number of characters was no more
    "secure" than a password of lesser characters.... anyone remember the
    URL or have it bookmarked?




    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Jan 20, 2004
    #1
    1. Advertising

  2. Colonel Flagg

    Jim Watt Guest

    On Mon, 19 Jan 2004 21:54:17 -0500, Colonel Flagg
    <> wrote:

    >3-6 months ago, either in here or on slashdot, someone posted the URL to
    >an article written about password strengths and statistics attempting to
    >show that passwords above a certain number of characters was no more
    >"secure" than a password of lesser characters.... anyone remember the
    >URL or have it bookmarked?


    http://www.google.com ;)

    I have had a peek in my archive of a.c.s and can't locate it

    There was a long article by lohkey here
    --
    Jim Watt http://www.gibnet.com
    Jim Watt, Jan 20, 2004
    #2
    1. Advertising

  3. Colonel Flagg

    Mimic Guest

    "Colonel Flagg" <> wrote in
    message news:...
    > 3-6 months ago, either in here or on slashdot, someone posted the URL to
    > an article written about password strengths and statistics attempting to
    > show that passwords above a certain number of characters was no more
    > "secure" than a password of lesser characters.... anyone remember the
    > URL or have it bookmarked?
    >


    I remeber reading in a book that passwords over 8 chars are no more secure
    than those of 8
    when using MD5, but i dont recall what your after :p

    --
    Mimic

    "Without knowledge you have fear. With fear you create your own nightmares."
    "There are 10 types of people in the world. Those that understand Binary,
    and those that dont."
    "He who controls Google, controls the world".
    Mimic, Jan 20, 2004
    #3
  4. Colonel Flagg <> writes:
    > 3-6 months ago, either in here or on slashdot, someone posted the URL to
    > an article written about password strengths and statistics attempting to
    > show that passwords above a certain number of characters was no more
    > "secure" than a password of lesser characters.... anyone remember the
    > URL or have it bookmarked?


    the number of characters in theory are analogous to the number of bits
    in crypto key ... and therefor can be viewed from the stand-point of
    how long will a brute-force attack take. however, if the
    infrastructure supports limit on consecutive bad passwords or other
    defensive methods ... then brute-force attacks can be thwarted (and it
    is no longer necessary to have ever increasing key sizes to make
    repetitive trying of all possible values impractical).

    there is a second order problem .... the whole issue of
    1) frequently changing shared secrets
    2) shared secret paradigm propogated into scores of environments
    3) requirement that unque shared secret be used for every
    different security domain

    overloads typical human memory capability leading to people having to
    write the scores of passwords down. long, complex passwords can
    aggrevate the human memory limitations. many/most of the password
    articles seem to address the issue from purely myopic position that an
    individual never will be in position of dealing with more than a
    single security domain (and never having to remember more than a
    single password that may never change).

    what in fact happens, the threat model can be against the aid used for
    remembering scores of passwords ... not the actual password themselves
    (trojan horses looking to harvest password files).

    an alternative is to go to a two-factor authentication based on
    non-shared-secret (something you have and something you know)
    ..... aka

    1) a hardware token that does a digital signature and can be validated
    by a public key (that has been registered in lieu of a shared-secret
    password). having access to list of registered public keys in one
    security domain wouldn't compromise the use of the same public keys in
    a different security domain ... aka a shared-secret can be used to
    both originate as well as validate an authentication ... while a
    public key can't be used to originate an authentication ... but can
    only be used to validate an authentication

    2) a PIN that controls the operation of the hardware token. both
    shared-secret and hardware token PIN represent "something you know"
    authentication. However, if a shared-secret something you know, is
    divulged, it possibly enabling others to fraudulently use the
    shared-secret to impersonate (the security requirement for unique
    shared-secret for every security domain). A hardware token PIN is also
    a form of "something you know" ... but since it never has to be
    divulged, it can drastically simplify the human memory issues. Instead
    of having scores of shared-secrets ... the person has a single
    hardware token, controlled by a single PIN ... that is never divulged
    and is not a shared-secret.

    It is in the non-shared-secret, hardware token PIN paradigm ... that
    you can start talking about a threat model being against the PIN
    itself, the length of the PIN, etc ... since the human memory issues
    with large numbers of security domains and scores of shared-secrets
    are significantly mitigated.

    Note, a trojan horse that harvests a person's password file ... can
    lead to being able to impersonate that person in large number of
    different situations. Any sort of virus or trojan horse that harvests
    a hardware token PIN still isn't able impersonate w/o also having
    access to the hardware token. From a fraud return-on-investment
    .... the costs for harvesting a hardware token PIN and gaining access
    to the hardware token itself is significantly higher than the cost of
    harvesting password files (or in the electronic commerce scenario, the
    merchant master transaction file). Such hardware token related
    acquisition costs might even be larger than any expected fraud return
    .... making it more attractive for the criminals to go elsewhere.

    and even more topic drift about security proportional to risk:
    http://www.garlic.com/~lynn/2001h.html#61

    lots of past stuff about non-shared-secrets
    http://www.garlic.com/~lynn/aadsm10.htm#bio3 biometrics (addenda)
    http://www.garlic.com/~lynn/aadsm10.htm#bio6 biometrics
    http://www.garlic.com/~lynn/aadsm12.htm#57 eBay Customers Targetted by Credit Card Scam
    http://www.garlic.com/~lynn/aadsm12.htm#60 signing & authentication (was Credit Card Scam)
    http://www.garlic.com/~lynn/aadsm13.htm#14 A challenge (addenda)
    http://www.garlic.com/~lynn/aadsm14.htm#32 An attack on paypal
    http://www.garlic.com/~lynn/aadsm14.htm#35 The real problem that https has conspicuously failed to fix
    http://www.garlic.com/~lynn/aadsm15.htm#36 VS: On-line signature standards
    http://www.garlic.com/~lynn/aadsm15.htm#37 VS: On-line signature standards
    http://www.garlic.com/~lynn/aadsm17.htm#2 Difference between TCPA-Hardware and a smart card (was: example: secure computing kernel needed)
    http://www.garlic.com/~lynn/aepay10.htm#65 eBay Customers Targetted by Credit Card Scam
    http://www.garlic.com/~lynn/aepay11.htm#53 Authentication white paper
    http://www.garlic.com/~lynn/aepay11.htm#56 FINREAD was. Authentication white paper
    http://www.garlic.com/~lynn/aepay11.htm#66 Confusing Authentication and Identiification?
    http://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
    http://www.garlic.com/~lynn/2001c.html#30 PKI and Non-repudiation practicalities
    http://www.garlic.com/~lynn/2001c.html#41 PKI and Non-repudiation practicalities
    http://www.garlic.com/~lynn/2001i.html#36 Net banking, is it safe???
    http://www.garlic.com/~lynn/2001k.html#34 A thought on passwords
    http://www.garlic.com/~lynn/2001k.html#58 I-net banking security
    http://www.garlic.com/~lynn/2001k.html#61 I-net banking security
    http://www.garlic.com/~lynn/2002c.html#7 Opinion on smartcard security requested
    http://www.garlic.com/~lynn/2002e.html#36 Crypting with Fingerprints ?
    http://www.garlic.com/~lynn/2002h.html#40 [survey] Possestional Security
    http://www.garlic.com/~lynn/2002n.html#30 Help! Good protocol for national ID card?
    http://www.garlic.com/~lynn/2003e.html#47 Public key and the authority problem
    http://www.garlic.com/~lynn/2003e.html#57 Security in RADIUS (RFC2865)
    http://www.garlic.com/~lynn/2003h.html#55 PKINIT
    http://www.garlic.com/~lynn/2003i.html#2 Two-factor authentication with SSH?
    http://www.garlic.com/~lynn/2003j.html#25 Idea for secure login
    http://www.garlic.com/~lynn/2003m.html#49 public key vs passwd authentication?
    http://www.garlic.com/~lynn/2003m.html#51 public key vs passwd authentication?
    http://www.garlic.com/~lynn/2003o.html#9 Bank security question (newbie question)
    http://www.garlic.com/~lynn/2003o.html#22 securID weakness
    http://www.garlic.com/~lynn/2003o.html#29 Biometric cards will not stop identity fraud
    http://www.garlic.com/~lynn/2003o.html#44 Biometrics
    http://www.garlic.com/~lynn/2003o.html#50 Pub/priv key security
    http://www.garlic.com/~lynn/2003p.html#4 Does OTP need authentication?

    --
    Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
    Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
    Anne & Lynn Wheeler, Jan 20, 2004
    #4
  5. In article <>, says...
    >
    > Colonel Flagg <> writes:
    > > 3-6 months ago, either in here or on slashdot, someone posted the URL to
    > > an article written about password strengths and statistics attempting to
    > > show that passwords above a certain number of characters was no more
    > > "secure" than a password of lesser characters.... anyone remember the
    > > URL or have it bookmarked?

    >



    so in other words, you have no fucking idea about the URL I requested?





    --
    Colonel Flagg
    http://www.internetwarzone.org/

    Privacy at a click:
    http://www.cotse.net

    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness? as the new industry standard..."

    "...I see stupid people."
    Colonel Flagg, Jan 20, 2004
    #5
  6. Colonel Flagg

    Pete Guest

    On Tue, 20 Jan 2004 18:18:50 -0500, whilst in NewsFroup
    alt.computer.security, Colonel Flagg
    <> articulated the following
    sentiments :

    >In article <>, says...
    >>
    >> Colonel Flagg <> writes:
    >> > 3-6 months ago, either in here or on slashdot, someone posted the URL to
    >> > an article written about password strengths and statistics attempting to
    >> > show that passwords above a certain number of characters was no more
    >> > "secure" than a password of lesser characters.... anyone remember the
    >> > URL or have it bookmarked?

    >>

    >
    >
    >so in other words, you have no fucking idea about the URL I requested?


    rofl. Just 'pornolize' it. Makes more sense then..

    Egarders,

    Pete.
    Pete, Jan 21, 2004
    #6
  7. Colonel Flagg

    Alan P Guest

    Ding-a-ling-ling, Feeding time

    "Colonel Flagg" <> wrote in
    message news:...
    > In article <>, says...
    > >
    > > Colonel Flagg <> writes:
    > > > 3-6 months ago, either in here or on slashdot, someone posted the URL

    to
    > > > an article written about password strengths and statistics attempting

    to
    > > > show that passwords above a certain number of characters was no more
    > > > "secure" than a password of lesser characters.... anyone remember the
    > > > URL or have it bookmarked?

    > >

    >
    >
    > so in other words, you have no fucking idea about the URL I requested?
    >
    >
    >
    >
    >
    > --
    > Colonel Flagg
    > http://www.internetwarzone.org/
    >
    > Privacy at a click:
    > http://www.cotse.net
    >
    > Q: How many Bill Gates does it take to change a lightbulb?
    > A: None, he just defines Darkness? as the new industry standard..."
    >
    > "...I see stupid people."
    Alan P, Jan 21, 2004
    #7
  8. "Alan P" <alan@(nojunkplease)alancode.net> writes:
    > Ding-a-ling-ling, Feeding time


    oh well ... a couple candidates?
    http://www.plasticbag.org/archives/2003/08/a_question_about_password_length.shtml
    http://seclists.org/lists/security-basics/2003/Nov/0383.html

    password strength meter
    http://www.securitystats.com/tools/password.php

    might also do google group search for past 18 months on
    something like password strength
    http://groups.google.com/advanced_group_search?hl=en

    some what older
    http://www.securityfocus.com/infocus/1554
    older still
    http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-500.pdf

    and some more topic drift ... old password selection advisory:
    http://www.garlic.com/~lynn/2001d.html#51 OT Re: A beautiful morning in AFM.
    http://www.garlic.com/~lynn/2001d.html#52 OT Re: A beautiful morning in AFM.
    http://www.garlic.com/~lynn/2001d.html#53 April Fools Day

    --
    Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
    Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
    Anne & Lynn Wheeler, Jan 21, 2004
    #8
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. AdminKen

    Wireless LAN with PEAP and Passwords Aironet 1200

    AdminKen, Mar 30, 2005, in forum: Wireless Networking
    Replies:
    3
    Views:
    7,580
    Jeffrey Chong
    Sep 4, 2006
  2. Michael King

    Change password with 802.1x WinXP and cached Passwords.

    Michael King, Apr 25, 2005, in forum: Wireless Networking
    Replies:
    0
    Views:
    931
    Michael King
    Apr 25, 2005
  3. =?Utf-8?B?bWlrZQ==?=

    passwords

    =?Utf-8?B?bWlrZQ==?=, Oct 10, 2005, in forum: Wireless Networking
    Replies:
    1
    Views:
    548
    Clark
    Oct 11, 2005
  4. Axl
    Replies:
    6
    Views:
    1,175
    gmccx
    Sep 29, 2003
  5. Christian Dornes

    Migrate Saved Passwords?

    Christian Dornes, Dec 3, 2003, in forum: Firefox
    Replies:
    3
    Views:
    1,899
    Christian Dornes
    Dec 4, 2003
Loading...

Share This Page