On Thu, November 29, 2007 11:44 am, John H. Robinson, IV wrote:
> Lan Barnes wrote:
>>
>> I'm sitting here biting my tongue ... but I would argue that password
>> aging, and also multiple logon/passwords, undercut security by forcing
>> people to record them.
>>
>> One good password that you don't share and can remember is better.
>
> I tend to agree. Now get everyone that uses a computer to have one good
> password, never write it down, and never have it leaked. Ever. Very tall
> order.
>
> Now trust Amazon, EBay, Yahoo, Google, Paypal, various web forums,
> DragonFable, all other online games, New York Times (the list goes on ad
> infinitum) to never leak the password, and trust all your users to
> never fall victim to a phishing scam. Trust that all external entities
> never have their password database exposed, or their systems breached.
>
> How long will it take John the Ripper to crack the following password
> when encrypted with 3DES (crypt): Xk`Lc3`@
> the 3DES hash is: saHC9KkHK6KEQ
> the MD5 hash is: $1$Salthere$82kk8KvCc/DM54Fr4KNVv1
>
> That is the longest your password is good for. Yours is probably not
> good for that long. They have better computers. And more of them.
>
> -john
>
> Maybe I am a bit more paranoid. Maybe I am not paranoid enough.

But Stewart has a good point. There are levels of password. My NYT
logon/passwd is, and always has been lanbarnesx/lanbarnesx. Feel free to
publish it.

(Why the trailing 'x'? Because their screwed-up system wouldn't let me
have 'lanbarnes'. I had already used it and forgotten the password.)

Likewise, I have a generic password for unimportant on-line stuff, and a
different SET of passwords for money sites (ebay, my bank, etc).

And while we're on the subject, what's the story on "security questions"
like your mother's maiden name or what high school you went to? How hard
is that to dig up?

And what about SSNs? Are they IDs or passwords/security questions?

Sheesh!

--
Lan Barnes

SCM Analyst              Linux Guy
Tcl/Tk Enthusiast        Biodiesel Brewer

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
