On 8 Jan 2007 19:15:46 -0800, in bit.listserv.ibm-main (Message-ID:<[EMAIL PROTECTED]>) [EMAIL PROTECTED] (Paul Gilmartin) wrote:

> By using password rules, rather than choosing randomly, I
> defend myself against an intruder who counts on my biasing
> my choice toward passwords that violate the rules, at the
> cost of increased vulnerability to an intruder who counts
> on my obeying the rules.

If you have no password rules, most people will pick a simple word. If you require at least one digit, most people will put it at the beginning or end. Both are easy prey to dictionary attacks.

If you require a digit in the middle of the password, you've complicated the makeup of the dictionary, and increased its size. (Some people will throw a digit into the middle of a word and some will throw it in between two shorter words. Of course, there are always a few who pick good passwords, regardless of the rules.)

With a domain of only about 5*(10**12) passwords, you can't keep out a determined intruder, but you can inconvenience him. (Lockout after too many bad passwords, and auditing password failures will help you.) The idea is to make things sufficiently difficult that the intruder will try elsewhere.

Note that RACF is more secure than many other systems with a similarly small password space. With some systems, you can create a dictionary of all encrypted passwords and compare them to the password file (if you can get your hands on it). That doesn't work with RACF because the password is not encrypted; the password is used as a key to encrypt the userid. Thus, brute force is required on each userid to be cracked, rather than once for all userids.

Note: I am not a security professional, but I have played one at some of my previous jobs. (My favorite variation on that is "I'm not an actor, but I play one on TV.")

--
I cannot receive mail at the address this was sent from.
To reply directly, send to ar23hur "at" intergate "dot" com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
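As an added illustration (not code from the thread or from RACF), a small Python model of two points made above: forcing the digit strictly inside the word enlarges the attacker's dictionary, and using the password as a key over the userid means a precomputed table for one userid is useless for another. Assumptions: the wordlist and user table are constructed, and HMAC-SHA256 stands in for RACF's actual algorithm.

```python
import hashlib
import hmac

# Constructed toy wordlist; a real dictionary attack uses far more words.
WORDS = ["secret", "mainframe", "racf", "sysprog"]
DIGITS = "0123456789"

def digit_at_edges(words):
    """Candidates when users drop one digit at the start or end of a word."""
    return {d + w for w in words for d in DIGITS} | {w + d for w in words for d in DIGITS}

def digit_inside(words):
    """Candidates when a rule forces the digit strictly inside the word:
    ten digits times (len - 1) interior positions per word, a larger dictionary."""
    return {w[:i] + d + w[i:] for w in words for d in DIGITS for i in range(1, len(w))}

def unkeyed_digest(password):
    """Model of a system that stores a digest of the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()

def keyed_digest(userid, password):
    """Model of the RACF idea in the post: the password is the key and the
    userid is the data. HMAC-SHA256 is a stand-in (assumption), not RACF's cipher."""
    return hmac.new(password.encode(), userid.encode(), hashlib.sha256).hexdigest()

def crack_unkeyed(stored, candidates):
    """One precomputed table serves every userid: cost = len(candidates) digests."""
    table = {unkeyed_digest(p): p for p in candidates}
    found = {u: table[h] for u, h in stored.items() if h in table}
    return found, len(candidates)

def crack_keyed(stored, candidates):
    """The table depends on the userid, so it is rebuilt per account:
    cost = len(stored) * len(candidates) digests."""
    found, work = {}, 0
    for u, h in stored.items():
        table = {keyed_digest(u, p): p for p in candidates}
        work += len(candidates)
        if h in table:
            found[u] = table[h]
    return found, work

def demo():
    # Constructed user table: digit at the end, in the middle, and at the end.
    users = {"IBMUSER": "secret7", "SYSPROG": "sys9prog", "OPER1": "racf0"}
    candidates = digit_at_edges(WORDS) | digit_inside(WORDS)
    unkeyed = {u: unkeyed_digest(p) for u, p in users.items()}
    keyed = {u: keyed_digest(u, p) for u, p in users.items()}
    return crack_unkeyed(unkeyed, candidates), crack_keyed(keyed, candidates)
```

Both models recover the same weak passwords; the difference is that the keyed scheme costs three times the work for three userids, and that factor grows with the number of accounts.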
