Re: [cryptography] Password non-similarity?

2012-01-05 Thread mhey...@gmail.com
On Sat, Dec 31, 2011 at 5:02 PM, Landon ljrhur...@gmail.com wrote: A lot of the password reuse is simply adding +1 or something on the end. Since the base of the password stays the same, couldn't you just hash the first and second halves of the new and old passwords separately and compare

Re: [cryptography] Password non-similarity?

2012-01-04 Thread lodewijk andré de la porte
2012/1/3 Jonathan Katz jk...@cs.umd.edu On Mon, 2 Jan 2012, lodewijk andré de la porte wrote: The reason for regular change is very good. It's that the low-intensity brute forcing of a password requires a certain stretch of time. Put the change interval low enough and you're safer from

Re: [cryptography] Password non-similarity?

2012-01-03 Thread dan
So I would conjecture, at least in cases like this where users only login infrequently, that the password change policy every N days be done away with, or at the very least, we make N something reasonably long, like 365 or more days. Kevin, are you suggesting a 50 uses and change it

Re: [cryptography] Password non-similarity?

2012-01-03 Thread Kevin W. Wall
On Tue, Jan 3, 2012 at 8:07 PM, d...@geer.org wrote:   So I would conjecture, at least in cases like this where users only   login infrequently, that the password change policy every N days   be done away with, or at the very least, we make N something   reasonably long, like 365 or more

Re: [cryptography] Password non-similarity?

2012-01-02 Thread Adam Back
On 2 January 2012 03:01, ianG i...@iang.org wrote: When I was a rough raw teenager doing this, I needed around 2 weeks to pick up 5 letters from someone typing like he was electrified.  The other 3 were crunched in 4 hours on a vax780. how many samples? (distinct shoulder surf events)

Re: [cryptography] Password non-similarity?

2012-01-02 Thread Von Welch
Bernie Cosell ber...@fantasyfarm.com writes: On 31 Dec 2011 at 15:30, Steven Bellovin wrote: Yes, ideally people would have a separate, strong password, changed regularly for every site. This is the very question I was asking: *WHY* changed regularly? What threat/vulnerability is

Re: [cryptography] Password non-similarity?

2012-01-02 Thread lodewijk andré de la porte
The reason for regular change is very good. It's that the low-intensity brute forcing of a password requires a certain stretch of time. Put the change interval low enough and you're safer from them. We've had someone talk on-list about a significant amount of failed remote ssh login attempts.

Re: [cryptography] Password non-similarity?

2012-01-02 Thread Kevin W. Wall
On 2012/1/2 lodewijk andré de la porte lodewijka...@gmail.com: The reason for regular change is very good. It's that the low-intensity brute forcing of a password requires a certain stretch of time. Put the change interval low enough and you're safer from them. This may make sense in specific

Re: [cryptography] Password non-similarity?

2012-01-02 Thread Craig B Agricola
On Sun, Jan 01, 2012 at 03:16:39AM -, John Levine wrote: Well, on more than a few occasions, I've observed cases where users have accidentally entered their password into the username field (either alone, or with the username prepended). Of course, the login attempt fails and, more to

Re: [cryptography] Password non-similarity?

2012-01-02 Thread Kevin W. Wall
On Mon, Jan 2, 2012 at 7:12 PM, Craig B Agricola cr...@theagricolas.org wrote: On Sun, Jan 01, 2012 at 03:16:39AM -, John Levine wrote: Where's this log?  Wherever it is, it's on a system that also has their actual password. If I wanted to reverse engineer passwords, this doesn't strike

Re: [cryptography] Password non-similarity?

2012-01-02 Thread Jonathan Katz
On Mon, 2 Jan 2012, lodewijk andré de la porte wrote: The reason for regular change is very good. It's that the low-intensity brute forcing of a password requires a certain stretch of time. Put the change interval low enough and you're safer from them. We've had someone talk on-list about a

Re: [cryptography] Password non-similarity?

2012-01-02 Thread Solar Designer
On Mon, Jan 02, 2012 at 09:40:36PM -0500, Jonathan Katz wrote: Say passwords are chosen uniformly from a space of size N. If you never change your password, then an adversary is guaranteed to guess your password in N attempts, and in expectation guesses your password in N/2 attempts. If

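The model in Jonathan Katz's message (a password drawn uniformly from a space of size N, an attacker guessing without repeats, so a hit after N attempts in the worst case and N/2 in expectation) can be carried one step further to ask what a forced change every T guesses buys. What follows is an added example, not code from the thread: it assumes an online guesser who gets T distinct tries before each change, a user who picks a fresh uniform password every time, and an attacker that restarts its enumeration after each change because it cannot tell which of its earlier guesses were made against the current password. The closed form is checked against a Monte Carlo run.

```python
import random


def expected_guesses_no_change(n: int) -> float:
    """Attacker enumerates the n candidates once, without repeats.
    The password is uniform, so the hit lands at position 1..n with equal
    probability: expectation (n + 1) / 2, worst case n."""
    return (n + 1) / 2


def expected_guesses_with_change(n: int, t: int) -> float:
    """Password is replaced by a fresh uniform choice after every t guesses.
    A period succeeds with probability t / n, so the number of periods is
    geometric with mean n / t; within the successful period the hit is
    uniform over its t guesses.  Total: (n / t - 1) * t + (t + 1) / 2,
    which simplifies to n - (t - 1) / 2."""
    if not 1 <= t <= n:
        raise ValueError("change interval must satisfy 1 <= t <= n")
    return (n / t - 1) * t + (t + 1) / 2


def simulate_with_change(n: int, t: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of expected_guesses_with_change (assumed model)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        secret = rng.randrange(n)
        guesses = 0
        found = False
        while not found:
            # the attacker tries t distinct candidates in this period
            for g in rng.sample(range(n), t):
                guesses += 1
                if g == secret:
                    found = True
                    break
            if not found:
                secret = rng.randrange(n)  # forced change: fresh uniform password
        total += guesses
    return total / trials


def rotation_benefit(n: int, t: int) -> float:
    """Ratio of attacker work with periodic change to work without it.
    (2n - t + 1) / (n + 1): never reaches 2 in this model."""
    return expected_guesses_with_change(n, t) / expected_guesses_no_change(n)


if __name__ == "__main__":
    n = 10_000
    for t in (1, 100, 1_000, 10_000):
        print(f"N={n} T={t:>6}: expected guesses "
              f"{expected_guesses_with_change(n, t):9.1f} "
              f"(x{rotation_benefit(n, t):.2f} vs no change)")
    print("simulated N=200 T=20:", simulate_with_change(200, 20, 5000))
```

The factor-of-two ceiling is a property of this model only (uniform choice, no reuse, no stolen hash); it says nothing about the other reasons for rotation raised elsewhere on this page, such as a compromised password database.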
Re: [cryptography] Password non-similarity?

2012-01-01 Thread ianG
On 1/01/12 18:09 PM, coderman wrote: On Sat, Dec 31, 2011 at 9:36 AM, ianGi...@iang.org wrote: ... When I was a rough raw teenager doing this, I needed around 2 weeks to pick up 5 letters from someone typing like he was electrified. The other 3 were crunched in 4 hours on a vax780. how many

Re: [cryptography] Password non-similarity?

2011-12-31 Thread John Levine
Has anyone ever implemented a system to enforce non-similarity business rules? Sure. Every month, the first time a user logs in generate a new random password, show it to him, and tell him to write it down. You can't force people to invent and memorize an endless stream of unrelated strong

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Bernie Cosell
On 31 Dec 2011 at 15:17, John Levine wrote: You can't force people to invent and memorize an endless stream of unrelated strong passwords. I'm not sure I agree with this phrasing. It is easy to memorize a strong password -- it just has to be long enough. The problem as I see it is that way

Re: [cryptography] Password non-similarity?

2011-12-31 Thread John Levine
You can't force people to invent and memorize an endless stream of unrelated strong passwords. I'm not sure I agree with this phrasing. It is easy to memorize a strong password -- it just has to be long enough. Don't forget endless stream of unrelated. I have some strong passwords for the

Re: [cryptography] Password non-similarity?

2011-12-31 Thread ianG
On 1/01/12 03:02 AM, Bernie Cosell wrote: So what problem _is_ being addressed by requiring passwords to be changed so often [and so inconveniently]? As far as I can tell, a lot of password threat modelling was pretty much settled in the days before the Internet. In those days, the threats

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Steven Bellovin
On Dec 31, 2011, at 12:32:06 PM, John Levine wrote: You can't force people to invent and memorize an endless stream of unrelated strong passwords. I'm not sure I agree with this phrasing. It is easy to memorize a strong password -- it just has to be long enough. Don't forget endless

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Bernie Cosell
On 31 Dec 2011 at 15:30, Steven Bellovin wrote: Yes, ideally people would have a separate, strong password, changed regularly for every site. This is the very question I was asking: *WHY* changed regularly? What threat/vulnerability is addressed by regularly changing your password? I know

Re: [cryptography] Password non-similarity?

2011-12-31 Thread John Levine
Passwords aren't dead, and despite what IBM says I don't think they're going away any time soon. But we need new rules and new guidelines for managing them; the ones from the 1980s don't work anymore. Yeah. At this point the issues seem to be, in no particular order: 1. Trivially guessable

Re: [cryptography] Password non-similarity?

2011-12-31 Thread John Levine
This is the very question I was asking: *WHY* changed regularly? What threat/vulnerability is addressed by regularly changing your password? I finally realized, that's so when the organization gets pwn3d, you won't have used the stolen passwords anywhere else. Or maybe they imagine that if

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Jeffrey Walton
On Sat, Dec 31, 2011 at 4:44 PM, John Levine jo...@iecc.com wrote: This is the very question I was asking: *WHY* changed regularly?  What threat/vulnerability is addressed by regularly changing your password? I finally realized, that's so when the organization gets pwn3d, you won't have used

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Steven Bellovin
On Dec 31, 2011, at 4:36:00 PM, Bernie Cosell wrote: On 31 Dec 2011 at 15:30, Steven Bellovin wrote: Yes, ideally people would have a separate, strong password, changed regularly for every site. This is the very question I was asking: *WHY* changed regularly? What threat/vulnerability

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Peter Gutmann
Bernie Cosell ber...@fantasyfarm.com writes: On 31 Dec 2011 at 15:30, Steven Bellovin wrote: Yes, ideally people would have a separate, strong password, changed regularly for every site. This is the very question I was asking: *WHY* changed regularly? What threat/vulnerability is addressed by

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Landon
A lot of the password reuse is simply adding +1 or something on the end. Since the base of the password stays the same, couldn't you just hash the first and second halves of the new and old passwords separately and compare each pair? (Or any

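Landon's proposal (quoted again in the reply dated 2012-01-05 at the top of this page) can be tried out directly. The following is an added example, not code from the thread or from any real password system: it stores a separate salted hash of each half of the password so that a change can be rejected when either half is unchanged, and then shows what that storage costs, by brute-forcing the two halves of a six-letter password independently. SHA-256 is used only to keep the toy fast; the alphabet, the fixed salt and the sample passwords are constructed for the example.

```python
import hashlib
import itertools
import string
from typing import Optional, Tuple

SALT = b"example-salt"  # constructed for the example; a real system uses a random per-user salt


def _h(part: str) -> str:
    return hashlib.sha256(SALT + part.encode()).hexdigest()


def split_hashes(password: str) -> Tuple[str, str]:
    """Landon's scheme: hash the first and second halves separately."""
    mid = len(password) // 2
    return _h(password[:mid]), _h(password[mid:])


def halves_too_similar(old_hashes: Tuple[str, str], new_password: str) -> bool:
    """Reject the change if either half of the new password equals the
    corresponding half of the old one.  The split point moves with the
    length, so 'hunter2' -> 'hunter22' is not caught by this comparison."""
    new_hashes = split_hashes(new_password)
    return any(o == n for o, n in zip(old_hashes, new_hashes))


def crack_halves(old_hashes: Tuple[str, str], alphabet: str, half_len: int) -> Optional[str]:
    """Offline attacker holding the two half-hashes: each half is searched on
    its own, so the work is 2 * |alphabet|**half_len rather than
    |alphabet|**(2 * half_len).  Returns the recovered password, or None if a
    half lies outside the searched space."""
    recovered = []
    for target in old_hashes:
        for cand in itertools.product(alphabet, repeat=half_len):
            part = "".join(cand)
            if _h(part) == target:
                recovered.append(part)
                break
        else:
            return None
    return "".join(recovered)


if __name__ == "__main__":
    old = split_hashes("hunter2")
    print("hunter2 -> hunter3 rejected:", halves_too_similar(old, "hunter3"))  # True
    print("hunter2 -> zebra99 rejected:", halves_too_similar(old, "zebra99"))  # False
    pw = "qzxwvu"
    print("cracked from half-hashes:",
          crack_halves(split_hashes(pw), string.ascii_lowercase, 3))
    print("full search space:", 26 ** 6, "vs split work:", 2 * 26 ** 3)
```

The similarity check works as described, but the half-hashes are exactly what an offline attacker wants: each half is a password of half the length, and the two searches are independent, so the stored record is far easier to crack than a single hash of the whole password.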
Re: [cryptography] Password non-similarity?

2011-12-31 Thread John Levine
The standard rationale is that for any given time interval, there's a non-zero probability that a given password has been compromised. At some point, the probability is high enough that it's a real risk. Sure, but where does that probability come from? (Various tactless anatomical guesses

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Steven Bellovin
On Dec 31, 2011, at 5:09:08 PM, John Levine wrote: The standard rationale is that for any given time interval, there's a non-zero probability that a given password has been compromised. At some point, the probability is high enough that it's a real risk. Sure, but where does that

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Bernie Cosell
On 31 Dec 2011 at 21:44, John Levine wrote: This is the very question I was asking: *WHY* changed regularly? What threat/vulnerability is addressed by regularly changing your password? I finally realized, that's so when the organization gets pwn3d, you won't have used the stolen passwords

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Bernie Cosell
On 31 Dec 2011 at 16:59, Steven Bellovin wrote: On Dec 31, 2011, at 4:36:00 PM, Bernie Cosell wrote: On 31 Dec 2011 at 15:30, Steven Bellovin wrote: Yes, ideally people would have a separate, strong password, changed regularly for every site. This is the very question I was

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Bernie Cosell
On 1 Jan 2012 at 11:02, Peter Gutmann wrote: Bernie Cosell ber...@fantasyfarm.com writes: On 31 Dec 2011 at 15:30, Steven Bellovin wrote: Yes, ideally people would have a separate, strong password, changed regularly for every site. This is the very question I was asking: *WHY* changed

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Kevin W. Wall
On Tue, Dec 27, 2011 at 6:12 PM, Steven Bellovin s...@cs.columbia.edu wrote: [snip] Here's a heretical thought: require people to change their passwords -- and publish the old ones.  That might even be a good idea... I'm not sure if you were just being facetious here or if you were serious, but

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Kevin W. Wall
On Sat, Dec 31, 2011 at 9:02 PM, Bernie Cosell ber...@fantasyfarm.com wrote: On 1 Jan 2012 at 11:02, Peter Gutmann wrote: Bernie Cosell ber...@fantasyfarm.com writes: On 31 Dec 2011 at 15:30, Steven Bellovin wrote: Yes, ideally people would have a separate, strong password, changed

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Jeffrey Walton
On Sat, Dec 31, 2011 at 9:05 PM, Kevin W. Wall kevin.w.w...@gmail.com wrote: On Tue, Dec 27, 2011 at 6:12 PM, Steven Bellovin s...@cs.columbia.edu wrote: [snip] Here's a heretical thought: require people to change their passwords -- and publish the old ones.  That might even be a good idea...

Re: [cryptography] Password non-similarity?

2011-12-31 Thread John Levine
I finally realized, that's so when the organization gets pwn3d, you won't have used the stolen passwords anywhere else. Or maybe they imagine that if your password is stolen somewhere else, you won't have changed all the passwords at the same time. Really? So you're proposing *cross*site*

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Randall Webmail
From: Kevin W. Wall kevin.w.w...@gmail.com Boy, the latter sounds like advice that a black hat hacker would give someone to ensure simple dictionary attacks are successful. Your dog's name? Really??? Beats the usual method of writing it on a Post-It note where the janitorial staff can see.

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Kevin W. Wall
On Sat, Dec 31, 2011 at 9:56 PM, Jeffrey Walton noloa...@gmail.com wrote: On Sat, Dec 31, 2011 at 9:05 PM, Kevin W. Wall kevin.w.w...@gmail.com wrote: On Tue, Dec 27, 2011 at 6:12 PM, Steven Bellovin s...@cs.columbia.edu wrote: [snip] Here's a heretical thought: require people to change

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Jeffrey Walton
On Sat, Dec 31, 2011 at 10:29 PM, Kevin W. Wall kevin.w.w...@gmail.com wrote: On Sat, Dec 31, 2011 at 9:56 PM, Jeffrey Walton noloa...@gmail.com wrote: On Sat, Dec 31, 2011 at 9:05 PM, Kevin W. Wall kevin.w.w...@gmail.com wrote: On Tue, Dec 27, 2011 at 6:12 PM, Steven Bellovin

Re: [cryptography] Password non-similarity?

2011-12-31 Thread dan
The most common password is Password. There was a time when computer repairmen would come to your data center to do your systems maintenance for you. They invariably had a standing password for your, and everybody else's, gear. How do I know? The first time I ever experienced a hack was on

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Kevin W. Wall
On Sat, Dec 31, 2011 at 10:24 PM, Randall Webmail rv...@insightbb.com wrote: From: Kevin W. Wall kevin.w.w...@gmail.com Boy, the latter sounds like advice that a black hat hacker would give someone to ensure simple dictionary attacks are successful. Your dog's name? Really??? Beats the

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Kevin W. Wall
On Sat, Dec 31, 2011 at 10:32 PM, Jeffrey Walton noloa...@gmail.com wrote: On Sat, Dec 31, 2011 at 10:29 PM, Kevin W. Wall kevin.w.w...@gmail.com wrote: On Sat, Dec 31, 2011 at 9:56 PM, Jeffrey Walton noloa...@gmail.com wrote: On Sat, Dec 31, 2011 at 9:05 PM, Kevin W. Wall

Re: [cryptography] Password non-similarity?

2011-12-31 Thread Randall Webmail
From: Kevin W. Wall kevin.w.w...@gmail.com Or whatever. The misconception is of course, that this truly is best practice. Pretty sure that it's some CYA policy along this line that is driving this. And IT has learned it's just easy to implement whatever legal requests than to argue the

Re: [cryptography] Password non-similarity?

2011-12-30 Thread Kevin W. Wall
On Fri, Dec 30, 2011 at 8:40 PM, Randall Webmail rv...@insightbb.com wrote: On Tue, 27 Dec 2011 15:54:35 -0500 (EST), Jeffrey Walton noloa...@gmail.com wrote: Hi All, We're bouncing around ways to enforce non-similarity in passwords over time: password1 is too similar to password2 (and

Re: [cryptography] Password non-similarity?

2011-12-27 Thread Eitan Adler
On Tue, Dec 27, 2011 at 4:11 PM, Steven Bellovin s...@cs.columbia.edu wrote: Has anyone ever implemented a system to enforce non-similarity business rules? Enforcing these rules with any regularity (i.e. not in response to a specific known breach) seems like it's asking for trouble on the UX side

Re: [cryptography] Password non-similarity?

2011-12-27 Thread Nico Williams
I'm assuming that at password change new password policy evaluation time you have both, the old and new passwords, in which case you can use Optimal String Alignment Distance for at least that pair of passwords. If you have only one password you can try a cookbook of transformations that users

Re: [cryptography] Password non-similarity?

2011-12-27 Thread Solar Designer
On Tue, Dec 27, 2011 at 03:54:35PM -0500, Jeffrey Walton wrote: We're bouncing around ways to enforce non-similarity in passwords over time: password1 is too similar to password2 (and similar to password3, etc). I'm not sure it's possible with one way functions and block cipher residues.

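Two of the approaches in this thread can be made concrete: Nico Williams's suggestion to compute Optimal String Alignment distance when both the old and the new password are in hand at change time, and his fallback of a cookbook of user transformations when only the old password's hash is stored, which is the one-way-function situation Jeffrey Walton's question (quoted by Solar Designer above) worries about. The following is an added example, not code from the thread or from any real PAM module or password policy engine: the distance threshold, the transformation list and the toy salted SHA-256 stand-in for the stored hash are assumptions. A real deployment would hash each variant with whatever slow KDF protects the stored password, so the size of the cookbook is what bounds the cost of the check.

```python
import hashlib
import re
from typing import Set


def osa_distance(a: str, b: str) -> int:
    """Optimal String Alignment distance: Levenshtein edits plus a swap of two
    adjacent characters, each costing 1 (restricted Damerau-Levenshtein: a
    transposed pair may not be edited again afterwards)."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def too_similar(old_password: str, new_password: str, max_distance: int = 3) -> bool:
    """Plaintext-vs-plaintext check, only possible at change time when both are
    present.  Case is folded first so 'Password1' -> 'PASSWORD2' is still caught.
    The threshold of 3 is an assumption for the example."""
    return osa_distance(old_password.lower(), new_password.lower()) <= max_distance


# --- cookbook for the hash-only case ---------------------------------------

SALT = b"example-salt"  # constructed for the example


def toy_hash(password: str) -> str:
    """Stand-in for the stored password hash; use the real KDF in practice."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()


_LAST_DIGITS = re.compile(r"^(.*)(?<!\d)(\d+)(\D*)$")


def cookbook_variants(password: str, steps: int = 3) -> Set[str]:
    """Candidate previous passwords a user might have derived this one from:
    counter bumps on the last run of digits, case changes, reversal, and
    stripping of trailing digits or punctuation.  Assumed list, not exhaustive."""
    bases = {password, password.rstrip("0123456789"), password.rstrip("!@#$%^&*.?")}
    m = _LAST_DIGITS.match(password)
    if m:
        head, digits, tail = m.groups()
        for delta in range(-steps, steps + 1):
            value = int(digits) + delta
            if value >= 0:
                bases.add(f"{head}{str(value).zfill(len(digits))}{tail}")
    variants = set()
    for base in bases:
        if not base:
            continue
        variants.update({base, base.lower(), base.upper(), base.swapcase(),
                         base.capitalize(), base[::-1]})
    return variants


def derived_from_old(old_hash: str, new_password: str) -> bool:
    """True if some cookbook variant of the new password hashes to the stored
    old hash, i.e. the user applied a simple transformation to the old one.
    One hash computation per variant; nothing about the old password leaks."""
    return any(toy_hash(v) == old_hash for v in cookbook_variants(new_password))


if __name__ == "__main__":
    print(osa_distance("password1", "password2"))       # 1
    print(too_similar("Summer2011!", "summer2012!"))    # True
    old = toy_hash("Summer2011!")
    print(derived_from_old(old, "Summer2012!"))         # True
    print(derived_from_old(old, "Tr0ub4dor&3"))         # False
```

The distance check needs the old password in the clear, which is only true in the window where the user has just typed it to authorise the change; the cookbook check works against the stored hash alone but only catches transformations someone thought to put in the list.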
Re: [cryptography] Password non-similarity?

2011-12-27 Thread Steven Bellovin
On Dec 27, 2011, at 5:48 PM, Solar Designer wrote: On Tue, Dec 27, 2011 at 03:54:35PM -0500, Jeffrey Walton wrote: We're bouncing around ways to enforce non-similarity in passwords over time: password1 is too similar to password2 (and similar to password3, etc). I'm not sure it's possible