on Thu, Jul 22, 2004 at 07:24:01PM -0700, Scarletdown ([EMAIL PROTECTED]) wrote:
> Paul Stolp wrote:
> >I checked in on some bittorrent progress today at lunch, noticed my
> >I'm not sure the July 19 log snippet is related, but seems likely.
> >Anyways, I've re-downloaded the files the attacker used and removed (for
> >posterity.)
> >I changed all passwords, IP Address, I found the evidence at about
> >12:24.
> >Just wanted to share the need for strong passwords.
>
> I second that recommendation.  I always prefer to have passwords with
> the following features:
>
> Minimum of 8 characters
> At least 1 capital letter
> At least 1 lower case letter
> At least 1 number
> At least 1 special character
>
> An example of a good password (though since I'm posting it here, it can
> no longer be considered good) is:
>
> [EMAIL PROTECTED]
My own preference is the 'pwgen' and 'gpw' utilities included in Debian,
combined with either the PalmOS "Keyring" utility or the vim "editing
encrypted files transparently" hack documented at:

    http://twiki.iwethey.org/Main/IwtNix

Sample pwgen output:

    Eive3viequ oos5eigooV aeR0ahwein ooNigh1oos Jui6hailel oMaex1ohve
    xah8shoJai Ahnaotach9 Paiphie9ph pah8ahcaeG Uapahph6ik taiYolu4os
    aiHahp7jae usheXeec7a Ucei9joong Eteefa6aeg Eethohqu2i neiBaeg4ai
    Eiri7eagee Pahceibie8 Yeg0iediev eigiji6Gie Ouduo7pahs ya1weuNapo

And for gpw:

    ulingain atailsel stedamen misavisi gasseder
    uarscroc rismener rectivac icadoura ishoonce

What may not be immediately apparent is that the generated passwords are
pronounceable in a rough sort of a way.  The generation algorithms are
tunable to greater randomness or mnemonic qualities.

It's possible to test quality by generating a known number of passwords,
sorting and generating a uniq'd list, and counting the resulting lines.
My findings are that even the relatively mnemonic lists are of very high
quality.  Best tests are on 1m or more passwords, but for a relatively
short run of 100,000:

    $ time gpw 100000 10 | sort | uniq | wc -l
    99952

    real    0m9.968s
    user    0m9.730s
    sys     0m0.050s

    $ time pwgen 10 100000 | sort | uniq | wc -l
    99960

    real    1m1.252s
    user    0m13.550s
    sys     0m45.360s

That's 99.952% and 99.960% unique, respectively, default settings,
ten-character keys.

The observant reader will note that the length and count arguments are
reversed for these utilities....  Remember this as you use them.

For an adult user population, I find that these keys are usually pretty
acceptable.  Working with children, I'm using longer keys by combining a
set of things.  Favorites is a good one, and typical keys run 10-15
characters.  Cryptanalysts will tell you that sticking to dictionary
words reduces the search space markedly, but in balance, it's a good
compromise.  With a user-base extending into the hundreds, only a
handful of the youngest routinely have problems logging in, and I know
the keys are not likely used elsewhere.

Druthers?  I'd echo Greg Folkert's recommendations for key-based
authentication, and use a fob-based password generator plus a PIN.
Something randomly generated, something you have, something you know.
Playing percentages, that's a pretty decent system.

Biometrics?  The shortage of replacement keys, and perverse incentives
to key acquisition (and resultant discomfort) makes me *exceptionally*
wary.  Color me dubious (and leave me my digits and irises).

Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>        http://linuxmafia.com/~karsten
    Ceterum censeo, Caldera delenda est.
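The "generate N keys, sort | uniq | wc -l" quality check from the thread, as an added example in Python (this is not code from the thread, nor from pwgen or gpw). The consonant/vowel alternation used here is a constructed stand-in for the phoneme and trigram tables those tools actually use, and is an assumption; the 100,000 keys / 99,952 distinct figures from the post are reused as sample input. Beyond the uniqueness ratio the post computes, the script shows what a duplicate count says about the generator: under the birthday approximation, n draws from a keyspace of size S produce about n(n-1)/(2S) repeats, so inverting that from an observed duplicate count gives a rough estimate of the effective keyspace in bits (a collision-entropy figure, which for a non-uniform generator is a lower bound on its Shannon entropy).

```python
import math
import secrets

# Constructed syllable alphabets: an assumed stand-in for the
# phoneme/trigram tables that pwgen and gpw actually use.
CONSONANTS = "bcdfghjklmnprstvwxz"
VOWELS = "aeiou"


def pronounceable(length, rng=secrets):
    """Return a roughly pronounceable key: consonant, vowel, consonant, ...

    rng needs a .choice(seq) method. secrets.choice (a CSPRNG) is the
    default; random.Random(seed) can be passed for reproducible runs.
    """
    return "".join(
        rng.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(length)
    )


def scheme_bits(length):
    """Shannon entropy in bits of pronounceable(length) with uniform choices."""
    n_cons = (length + 1) // 2          # positions 0, 2, 4, ...
    n_vow = length // 2                 # positions 1, 3, 5, ...
    return n_cons * math.log2(len(CONSONANTS)) + n_vow * math.log2(len(VOWELS))


def uniqueness(keys):
    """The `sort | uniq | wc -l` measurement: (distinct count, distinct/total)."""
    distinct = len(set(keys))
    return distinct, distinct / len(keys)


def expected_duplicates(n, bits):
    """Birthday approximation: repeats expected among n uniform draws from a
    keyspace of 2**bits (accurate while n is well below 2**(bits/2))."""
    return n * (n - 1) / (2 * 2.0 ** bits)


def keyspace_bits_from_duplicates(n, duplicates):
    """Invert the birthday approximation: effective keyspace size, in bits,
    implied by observing `duplicates` repeats among n generated keys.
    A non-uniform generator collides more often than a uniform one, so this
    is a collision-entropy estimate and a lower bound on Shannon entropy."""
    if duplicates == 0:
        return float("inf")             # no repeats seen: only a lower bound
    return math.log2(n * (n - 1) / (2 * duplicates))


if __name__ == "__main__":
    n, length = 100_000, 10
    keys = [pronounceable(length) for _ in range(n)]
    distinct, ratio = uniqueness(keys)
    bits = scheme_bits(length)
    print(f"{distinct} of {n} distinct ({ratio:.3%}); scheme has {bits:.1f} bits")
    print(f"expected repeats at this size: {expected_duplicates(n, bits):.2f}")
    # Sample input taken from the post: 100,000 ten-character gpw keys,
    # 99,952 distinct, i.e. 48 repeats.
    est = keyspace_bits_from_duplicates(100_000, 100_000 - 99_952)
    print(f"48 repeats in 100,000 implies an effective keyspace of ~{est:.1f} bits")
```

Run it as a script to see the numbers for the constructed scheme; the interesting comparison is `expected_duplicates` for the scheme's nominal bits against what `uniqueness` actually observes. The same inversion applies to any generator you can run in bulk, and it is the one number the uniqueness percentage alone hides: 99.95% unique sounds the same for a 27-bit keyspace and a 60-bit one only because 100,000 draws is far too few to collide in the latter.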