Excerpts from transarc.external.info-afs: 4-Jun-94 Re: Wish these
features wer.. Chris [EMAIL PROTECTED] (5081) 

> 1. A lot of checkers force users to use something that may be difficult to 
> remember. 

_Bad_ checkers, you mean.   

Excerpts from transarc.external.info-afs: 4-Jun-94 Re: Wish these
features wer.. Chris [EMAIL PROTECTED] (5081) 

> The argument then goes that they will resort to writing 
> them down on notepads, blotters, etc!  As a result, you end up with something 
> just as bad as bad password quality 

Actually, it's something different from weak passwords.  You convert a
network security problem into a problem of physical security.  If
someone writes their password down on a card in their wallet, they
actually have pretty good security.  I keep my after-hours access card
in my wallet.  All who get into our facility can steal all the equipment
they can carry, and all the information, too.  If I write my password on
my access card, how much difference does that really make?  A little,
admittedly, since someone could swipe my wallet, memorize my password,
and then return the wallet. 
On the other hand someone can crack a weak password from Sweden,
without ever having to get near me.   
So go with a hybrid approach.  A random portion, written down and
stored in a wallet, or even in plain sight in one's office, combined
with a memorable portion (which still shouldn't be derivable from one's
name, for instance), not written anywhere.  So for instance, I could
use the last digit of the first 8 entries on the phone list hanging on
my wall plus a word:  27920251-baytzim.  That _was_ pretty secure.  
Or I could use a couple of credit card numbers instead of the phone
numbers.  I carry those with me everywhere I go, and I have a strong
monetary incentive to keep those numbers (plus the PIN) relatively
secret:  40708329free money.  
Unfortunately, if something your OS vendor has done prevents you from
using passwords longer than 8-characters, you might have a little
trouble implementing this suggestion. 
And of course, reusable passwords are nearing the end of their lifetime. 

Excerpts from transarc.external.info-afs: 4-Jun-94 Re: Wish these
features wer.. Chris [EMAIL PROTECTED] (5081) 

> 2. If I know the rules, then I can optimize a cracker for those rules. 
> (This is an impossible argument, I know.  

I'm not sure what you mean by "impossible."   One suggestion is that the
rule-space can be made very large by implementing probabilistic rules. 
I.e., 80% of the time, require a digit.  60% of the time, require
punctuation.  25% of the time, permit single-case passwords.  So even an
optimized cracker has to consider all possible rules.    

Part of the resistance to mandatory password content checks is that they
are frequently arbitrarily chosen by administrators and forced on users
without their consent or even consideration.    There are plenty of
sound algorithms for choosing secure passwords, and plenty of insecure
passwords that will slip by even the most aggressive checker.   So
implement your checker on a "points system", and fix a lower limit on
the score which a password must have - say, 5: 
+1 point for every character beyond 6 
+1 point for every digit (up to 4) 
+1 point for every punctuation mark (up to 3) 
+1 point for using mixed-case 
-0.5 points for every character which appears more than once 
-2 points for every word which appears in a dictionary 

So if I choose a password made of 3 four-letter words, I get 6 points
for >6 characters, and -6 points for the dictionary entries.   If I
chose "qqqqqq" (I confess,  I used that password once), I get -2.5
points.  "The quick brown fox jumped over the lazy dog." = about 16,
which is probably a few more points than it really deserves.    Fiddle
with the constants until you get something you and your users can stand. 
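The points system above, written out as a runnable checker. This is an added example and not code from the original post. The word list is a small constructed stand-in for a real dictionary, the minimum score of 5 is the limit suggested in the post, and the way dictionary words are found inside a password (a leftmost-longest scan over each run of letters) is an assumption, since the post does not say how words are detected. Repeated characters are counted per extra occurrence, which is what makes "qqqqqq" score -2.5 as the post says.

```python
import re
import string
from collections import Counter

# Constructed toy dictionary (assumption); a real checker would load a word list.
DICTIONARY = {"the", "quick", "brown", "fox", "jumped", "over", "lazy", "dog",
              "fish", "bolt", "wary", "password"}

MIN_SCORE = 5  # the lower limit suggested in the post


def dictionary_hits(password, words=DICTIONARY):
    """Count dictionary words embedded in the password.

    Each run of letters is scanned left to right; at every position the
    longest dictionary word starting there counts as one hit and the scan
    skips past it, so 'fishboltwary' yields 3 hits.  Case-insensitive.
    """
    hits = 0
    for token in re.split(r"[^a-z]+", password.lower()):
        i = 0
        while i < len(token):
            best = max((len(w) for w in words if token.startswith(w, i)), default=0)
            if best:
                hits += 1
                i += best
            else:
                i += 1
    return hits


def score(password, words=DICTIONARY):
    """Score a password with the point system from the post."""
    pts = 0.0
    pts += max(len(password) - 6, 0)                                # +1 per char beyond 6
    pts += min(sum(c.isdigit() for c in password), 4)               # +1 per digit, up to 4
    pts += min(sum(c in string.punctuation for c in password), 3)   # +1 per punct, up to 3
    if any(c.isupper() for c in password) and any(c.islower() for c in password):
        pts += 1                                                    # +1 for mixed case
    # -0.5 for every extra occurrence of a character already seen
    pts -= 0.5 * sum(n - 1 for n in Counter(password).values() if n > 1)
    pts -= 2 * dictionary_hits(password, words)                     # -2 per dictionary word
    return pts


def acceptable(password, minimum=MIN_SCORE, words=DICTIONARY):
    """True if the password reaches the minimum score."""
    return score(password, words) >= minimum


if __name__ == "__main__":
    for candidate in ("qqqqqq",                       # the confessed password
                      "fishboltwary",                 # three four-letter words
                      "27920251-baytzim",             # the hybrid example
                      "The quick brown fox jumped over the lazy dog."):
        print(f"{candidate!r}: {score(candidate):>5} -> {'ok' if acceptable(candidate) else 'rejected'}")
```

With this word list, three four-letter words net out to 0 (+6 for length, -6 for the three words) and are rejected, the hybrid "27920251-baytzim" scores 14, and the pangram lands at 14.5, close to the "about 16" in the post (the difference is how spaces and the repeated "the" are counted).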

Excerpts from transarc.external.info-afs: 4-Jun-94 Re: Wish these
features wer.. Chris [EMAIL PROTECTED] (5081) 

> To make matters worse, the powers that be in IBM are insistent that have 
> mandatory pw quality checking! 

Doesn't that make your job easier?  After all, since it's mandatory,
everyone must be required not to circumvent the checks, right?  Just
like mandatory "log out when you leave"  and mandatory "sign the book
for visitors" and mandatory "keep confidential papers locked  up" and so
on?  

-- ok. flame away. 