Re: [CGUYS] Are Passwords Obsolete?
We have been using CAC's (Common Access Cards) for years. They work as a photo ID as well as for network authentication. Ours contain a mag strip as well as a smart chip. BTW, we still have a regular password that changes every 120 (?) days for the website through which all our CAC's and the associated accounts are maintained. We sign onto the LAN using a PIN. YMMV

Subject: Re: Are Passwords Obsolete?

A CAC card (Computer Authorization Card???) is a ROM that plugs into a USB port and is the authentication for Windows/system logon, and everything else. It's been used for a few years now on military networks. No reason it couldn't be extended to civilian uses. CAC may not be entirely correct, but I believe it is. I don't have one. The user carries it around on his person like an ID card.

-- My religion consists of a humble admiration of the illimitable superior spirit who reveals himself in the slight details we are able to perceive with our frail and feeble mind. - Albert Einstein (1879 - 1955)

* == QUICK LIST-COMMAND REFERENCE - Put the following commands in ==
* == the body of an email send 'em to: [EMAIL PROTECTED] ==
* Join the list: SUBSCRIBE COMPUTERGUYS-L Your Name
* Too much mail? Try Daily Digests command: SET COMPUTERGUYS-L DIGEST
* Tired of the List? Unsubscribe command: SIGNOFF COMPUTERGUYS-L
* New address? From OLD address send: CHANGE COMPUTERGUYS-L YourNewAddress
* Need more help? Send mail to: [EMAIL PROTECTED]
* List archive from 1/1/2000 is on the MARC http://marc.info/?l=computerguys-l
* List archive at www.mail-archive.com/computerguys-l@listserv.aol.com/
* RSS at www.mail-archive.com/computerguys-l@listserv.aol.com/maillist.xml
* Messages bearing the header X-No-Archive: yes will not be archived
Re: [CGUYS] Are Passwords Obsolete?
> It would also seem possible to write code that requires the system to wait, say five seconds, before another attempt at a correct password may be made, thus making a dictionary attack impossibly long.

Pre OS X Apple servers would double the delay time each time you entered an incorrect password. I thought this was an elegant solution.
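The doubling delay described in this message, as an added example that is not part of the original post: a per-account throttle where the wait starts at five seconds and doubles with each consecutive failure. The class name, the one-hour cap and the injected clock are assumptions made for the illustration.

```python
import time


class LoginThrottle:
    """Per-account delay that doubles after each consecutive failed login."""

    def __init__(self, base_delay=5.0, max_delay=3600.0, clock=time.monotonic):
        self.base_delay = base_delay  # first wait: five seconds, as in the post
        self.max_delay = max_delay    # assumed cap so the wait cannot grow forever
        self.clock = clock            # injectable so the logic can be tested
        self._state = {}              # account -> (consecutive failures, not-before)

    def delay_after(self, failures):
        """Wait imposed after the given number of consecutive failures."""
        if failures <= 0:
            return 0.0
        exponent = min(failures - 1, 32)  # bound the power; the cap applies anyway
        return min(self.base_delay * 2 ** exponent, self.max_delay)

    def cumulative_delay(self, failures):
        """Total enforced waiting time across that many consecutive failures."""
        return sum(self.delay_after(n) for n in range(1, failures + 1))

    def seconds_until_allowed(self, account):
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def attempt(self, account, check_password):
        """check_password is a zero-argument callable returning True or False.

        Returns "throttled" (guess not evaluated at all), "ok" or "denied".
        """
        if self.seconds_until_allowed(account) > 0:
            return "throttled"
        if check_password():
            self._state.pop(account, None)  # success resets the counter
            return "ok"
        failures = self._state.get(account, (0, 0.0))[0] + 1
        not_before = self.clock() + self.delay_after(failures)
        self._state[account] = (failures, not_before)
        return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for n in (1, 5, 10, 20):
        print(f"{n:2d} wrong guesses -> {throttle.cumulative_delay(n):8.0f} s of enforced waiting")
```

Per-account delays only slow online guessing; they do nothing against lookups on a stolen hash file. Without a cap, anyone can keep a legitimate user locked out by failing on purpose.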
Re: [CGUYS] Are Passwords Obsolete?
I have 3 of these 6 digit RSA randomizers that create same code on the little thingie I have, and another at eTrade. two of them are for eTrade accounts. (one for me, one for my wife). what with swapping accounts, I spend more time logging in than I do drinking any more.

could I use a roboform? does rsa or somebody else make randomizer that I could plug into usb port and use? i looked on both the rsa and the roboform website, and cannot figure out what, how, how much.

tg

At 05:09 PM 12/29/2007, you wrote:

> At 12:47 PM 12/29/2007, Tony B wrote:
>
>> Roboform (http://www.roboform.com) - one for my desktop and one for my flash drive. Not only allows you to use maximum strength passwords, but allows you to enter your own master password with your mouse (to avoid keyloggers that are so common today).
>
> I suspect it's only a matter of time before they write a screenreader/mouselogger that will do the same thing as a keylogger.
>
> Fred Holmes
Re: [CGUYS] Are Passwords Obsolete?
I'm totally unfamiliar with these things so I can't answer. I wouldn't _think_ there's any kind of compatibility. It just seems to me like two totally different things. Roboform stores passwords, the generator keeps making new ones. Keep us advised.

On Dec 30, 2007 10:47 AM, gerald [EMAIL PROTECTED] wrote:

> I have 3 of these 6 digit RSA randomizers that create same code on the little thingie I have, and another at eTrade. two of them are for eTrade accounts. (one for me, one for my wife). what with swapping accounts, I spend more time logging in than I do drinking any more.
>
> could I use a roboform? does rsa or somebody else make randomizer that I could plug into usb port and use? i looked on both the rsa and the roboform website, and cannot figure out what, how, how much.
Re: [CGUYS] Are Passwords Obsolete?
On Dec 30, 2007 10:47 AM, gerald [EMAIL PROTECTED] wrote:

> I have 3 of these 6 digit RSA randomizers that create same code on the little thingie I have, and another at eTrade. two of them are for eTrade accounts. (one for me, one for my wife). what with swapping accounts, I spend more time logging in than I do drinking any more.

These are not randomizers. They wouldn't do any good if they created random digits. What they do is create the same set of digits on your device that they do at the site that verifies the digits you enter.

> could I use a roboform? does rsa or somebody else make randomizer that I could plug into usb port and use?

You want a software solution to replace the hardware solution? I think that is unlikely, as it would be less secure to expose how the algorithm is working for you.

-- John DeCarlo, My Views Are My Own
Re: [CGUYS] Are Passwords Obsolete?
> I have 3 of these 6 digit RSA randomizers that create same code on the little thingie I have, and another at eTrade. two of them are for eTrade accounts. (one for me, one for my wife). what with swapping accounts, I spend more time logging in than I do drinking any more.

If one breaks you get locked out of your accounts? Is there a battery that you need to change? Will changing the battery reset the sequence? Can a software glitch reset the sequence?

Is it really that hard to figure out the next number in a pseudo-random sequence? I think that can be done with WW II era technology.
Re: [CGUYS] Are Passwords Obsolete?
> I suspect it's only a matter of time before they write a screenreader/mouselogger that will do the same thing as a keylogger.

These already exist and they work at a distance. The screen display is produced by a string of bytes sent to it serially by the video card. Because it repeats at a known frequency it is easy to pick out from all the other random electronic noise. It is a simple matter to detect the signal and redisplay this string of bytes to see exactly what is on the screen.
Re: [CGUYS] Are Passwords Obsolete?
> These are not randomizers. They wouldn't do any good if they created random digits. What they do is create the same set of digits on your device that they do at the site that verifies the digits you enter.

These are pseudo-randomizers. They use an algorithm to produce digits that appear random. So if you start multiple devices with the same seed number they will all produce the same sequence of pseudo-random numbers.

So you have your pseudo-random number generator and there is one at the other end that is in sync with yours. Then I get mine and tweak it until mine is also in sync with yours.
Re: [CGUYS] Are Passwords Obsolete?
On Dec 30, 2007 11:59 AM, Tom Piwowar [EMAIL PROTECTED] wrote:

>> These are not randomizers. They wouldn't do any good if they created random digits. What they do is create the same set of digits on your device that they do at the site that verifies the digits you enter.
>
> These are pseudo-randomizers. They use an algorithm to produce digits that appear random. So if you start multiple devices with the same seed number they will all produce the same sequence of pseudo-random numbers.
>
> So you have your pseudo-random number generator and there is one at the other end that is in sync with yours. Then I get mine and tweak it until mine is also in sync with yours.

I guess that is technically correct. All encryption algorithms are technically pseudo-randomizers, because a good encryption algorithm results in pseudo-random numbers with no relation to the original content.

Doesn't mean they are easy to crack. You can Google on how long it would take to crack it if it were using a 256-bit key to encrypt with.

-- John DeCarlo, My Views Are My Own
Re: [CGUYS] Are Passwords Obsolete?
On Dec 30, 2007 11:42 AM, Tom Piwowar [EMAIL PROTECTED] wrote:

>> I have 3 of these 6 digit RSA randomizers that create same code on the little thingie I have, and another at eTrade. two of them are for eTrade accounts. (one for me, one for my wife). what with swapping accounts, I spend more time logging in than I do drinking any more.
>
> If one breaks you get locked out of your accounts?

Yes and no. You have to revert to another authentication method.

> Is there a battery that you need to change?

I haven't seen one with a user-accessible battery.

> Will changing the battery reset the sequence?

Perhaps.

> Can a software glitch reset the sequence?

Perhaps.

> Is it really that hard to figure out the next number in a pseudo-random sequence? I think that can be done with WW II era technology.

It's a question of how much time you want to spend on it. Undoubtedly if you recorded enough sequential numbers and spent enough computing time, you could break it. It might take more CPU decades than you want to spend, though. I believe they do something simple like encrypt with a large key and use the least significant 6 or 8 digits.

-- John DeCarlo, My Views Are My Own
Re: [CGUYS] Are Passwords Obsolete?
No, you can't change the battery; you need to get a new one. They are set at the factory and synced to a database somewhere that checks the output against what is expected. These things are basically clocks that generate a random looking number for each 30 seconds of time.

If you were to write down a number I guess it could be used to ascertain the time the number was generated. I have heard reports that PayPal/VeriSign footballs give a sequential first digit if you keep pressing them every thirty seconds. There is hope to make these an open id device that would work over a bunch of sites.

PayPal defaults to the standard alternate authentication questions if you don't have your device. Another method for this sort of login security sends you a text message with a confirmation code to your cell phone.

The basic premise of this is the same as a PIN on a bank card: something you know and something you have.

-- John Duncan Yoyo ---o)
Re: [CGUYS] Are Passwords Obsolete?
At 01:31 PM 12/30/2007, you wrote:

> No, you can't change the battery; you need to get a new one. They are set at the factory and synced to a database somewhere that checks the output against what is expected. These things are basically clocks that generate a random looking number for each 30 seconds of time.

I have been told that mine last about 3 years. then are replaced.

> if you were to write down a number I guess it could be used to ascertain the time the number was generated. I have heard reports that PayPal/VeriSign footballs give a sequential first digit if you keep pressing them every thirty seconds. There is hope to make these an open id device that would work over a bunch of sites.

mine have a serial/id number on the back. I call in and register that number for that login. I have not yet tried to use the same device for 2 sites. they do seem to change code at pretty much the same time. i do not see how I could force the code change at paypal, with the unit in my hand, since the unit in my hand has no broadcast abilities. it is only a clock of sorts that kicks out this unique time code every 30(?) or so sec. the two units i currently have in hand seem to be sort of random between each other.

711895 831408 130634 854 421 378558 833565 585790 997123 964811 800750
Re: [CGUYS] Are Passwords Obsolete?
The serial number identifies the unit and each is set up with a different pattern of random numbers but they are predictable for each of the units. Web sites that use this system check back with VeriSign or whoever to confirm your login number. They explained this in detail on the Security Now podcasts that deal with this. Steve Gibson is pretty paranoid about this stuff and it satisfies him so I feel pretty comfortable with this.

On Dec 30, 2007 2:50 PM, gerald [EMAIL PROTECTED] wrote:

> At 01:31 PM 12/30/2007, you wrote:
>
>> No, you can't change the battery; you need to get a new one. They are set at the factory and synced to a database somewhere that checks the output against what is expected. These things are basically clocks that generate a random looking number for each 30 seconds of time.
>
> I have been told that mine last about 3 years. then are replaced.
>
>> if you were to write down a number I guess it could be used to ascertain the time the number was generated. I have heard reports that PayPal/VeriSign footballs give a sequential first digit if you keep pressing them every thirty seconds. There is hope to make these an open id device that would work over a bunch of sites.
>
> mine have a serial/id number on the back. I call in and register that number for that login. I have not yet tried to use the same device for 2 sites. they do seem to change code at pretty much the same time. i do not see how I could force the code change at paypal, with the unit in my hand, since the unit in my hand has no broadcast abilities. it is only a clock of sorts that kicks out this unique time code every 30(?) or so sec. the two units i currently have in hand seem to be sort of random between each other.
>
> 711895 831408 130634 854 421 378558 833565 585790 997123 964811 800750

-- John Duncan Yoyo ---o)
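The time-synchronised tokens described in the messages above (a factory-set seed per device, a serial number registered with the verifying site, a new code every 30 seconds), as an added example that is not from the thread or from any vendor. The thread does not give RSA's or VeriSign's algorithm, so this sketch uses the open TOTP standard (RFC 6238, HMAC-SHA1) as a stand-in; the `TokenServer` class, the serial numbers and the second seed are constructed for the illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, matching the 30-second interval in the thread


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC the counter with the seed, then truncate to decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238: the counter is simply the number of 30-second steps since 1970."""
    return hotp(seed, int(unix_time) // STEP, digits)


class TokenServer:
    """Verifier side: knows each device's seed by serial number (hypothetical class)."""

    def __init__(self, drift_steps: int = 1):
        self.seeds = {}       # serial number -> seed set at manufacture
        self.last_used = {}   # serial number -> highest counter already accepted
        self.drift_steps = drift_steps  # tolerate a token clock off by this many steps

    def register(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def verify(self, serial: str, code: str, unix_time: float) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        now = int(unix_time) // STEP
        first = max(0, now - self.drift_steps)
        for counter in range(first, now + self.drift_steps + 1):
            if counter <= self.last_used.get(serial, -1):
                continue  # this step (or an older one) was already used: no replay
            if hmac.compare_digest(hotp(seed, counter), str(code)):
                self.last_used[serial] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed sample devices. The first seed is the RFC 6238 test key.
    devices = {
        "SN-0001": b"12345678901234567890",
        "SN-0002": b"constructed-seed-for-device-2",
    }
    server = TokenServer()
    for serial, seed in devices.items():
        server.register(serial, seed)
    t = 1198990000  # constructed timestamp, late December 2007
    for step in range(3):
        when = t + step * STEP
        print(when, {s: totp(seed, when) for s, seed in devices.items()})
    code = totp(devices["SN-0001"], t)
    print("first use:", server.verify("SN-0001", code, t))
    print("replay:   ", server.verify("SN-0001", code, t))
```

In this construction the next code follows from the seed and the clock, not from earlier codes, so the seed database is what has to be protected. The replay check is what stops a code observed in transit from being accepted a second time inside its window.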
Re: [CGUYS] Are Passwords Obsolete?
Not until you come up with a better solution.

On Dec 29, 2007 9:51 AM, Tom Piwowar [EMAIL PROTECTED] wrote:

> So isn't all the fuss to force us to make up long, complicated passwords and change them frequently, just a silly waste of time? What they call security theater.
Re: [CGUYS] Are Passwords Obsolete?
Some systems will lock you out after a small number of consecutive failed authentication attempts. Three? Five? Ten?

It would also seem possible to write code that requires the system to wait, say five seconds, before another attempt at a correct password may be made, thus making a dictionary attack impossibly long.

I don't think requiring frequent change of password is worth much.

Sooner or later everyone will have a CAC card, or at least banks will issue them for on-line banking.

Fred Holmes

At 09:51 AM 12/29/2007, Tom Piwowar wrote:

> Passwords have to be stored on the computer or network so the OS can verify what is typed in. The secure way to do this is to never store an actual password, but instead a hashed version. So when a password is typed it is hashed by the computer and compared to the stored version. This way there is never a copy of the password that a hacker may find. The hashing programs work only in one direction, so a hashed password can't be unhashed.
>
> This can be defeated by a dictionary attack. Every possible combination of characters is hashed and the password-hash pair stored. Then the hacker only has to retrieve the hashed password and look up the real password in the dictionary. This was once hard to do because it took so long to create the dictionary. But today such a dictionary only has to be created once and lookups can easily be made via the Web, often simply Googled.
>
> So isn't all the fuss to force us to make up long, complicated passwords and change them frequently, just a silly waste of time? What they call security theater.
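The precomputed-dictionary problem described in the quoted message, beside the standard countermeasure, as an added example that is not part of the original thread. An unsalted fast hash gives every user of the same password the same stored value, while a per-user random salt with a slow key-derivation function (PBKDF2 here) makes a table built once useless. The function names, the record format, the iteration count and the three-word list are constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # example work factor; tune it for your own hardware


def unsalted_hash(password: str) -> str:
    """Weak storage: one fast hash, identical for every user of this password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(words):
    """The 'dictionary built once' from the post: stored hash -> password."""
    return {unsalted_hash(w): w for w in words}


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Hardened storage: random per-user salt plus a deliberately slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record."""
    _scheme, iterations, salt_hex, derived_hex = record.split("$")
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(derived.hex(), derived_hex)


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    users = {"alice": "password", "bob": "password"}
    table = build_lookup(["123456", "password", "letmein"])

    weak = {u: unsalted_hash(p) for u, p in users.items()}
    print("unsalted records identical:", weak["alice"] == weak["bob"])
    print("recovered by table lookup: ", table.get(weak["alice"]))

    strong = {u: hash_password(p) for u, p in users.items()}
    print("salted records identical:  ", strong["alice"] == strong["bob"])
    print("salted hash in table:      ", strong["alice"].split("$")[3] in table)
    print("correct password verifies: ", verify_password("password", strong["alice"]))
```

With a salt, a table has to be rebuilt per user, and the iteration count sets the price of every guess. A password that appears on a common word list is still found quickly, which is why length and uniqueness still matter.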
Re: [CGUYS] Are Passwords Obsolete?
what is a CAC card?? what is good s/w for changing storing p/w's?

Fred Holmes wrote:

> Some systems will lock you out after a small number of consecutive failed authentication attempts. Three? Five? Ten?
>
> It would also seem possible to write code that requires the system to wait, say five seconds, before another attempt at a correct password may be made, thus making a dictionary attack impossibly long.
>
> I don't think requiring frequent change of password is worth much.
>
> Sooner or later everyone will have a CAC card, or at least banks will issue them for on-line banking.
>
> Fred Holmes
>
> At 09:51 AM 12/29/2007, Tom Piwowar wrote:
>
>> Passwords have to be stored on the computer or network so the OS can verify what is typed in. The secure way to do this is to never store an actual password, but instead a hashed version. So when a password is typed it is hashed by the computer and compared to the stored version. This way there is never a copy of the password that a hacker may find. The hashing programs work only in one direction, so a hashed password can't be unhashed.
>>
>> This can be defeated by a dictionary attack. Every possible combination of characters is hashed and the password-hash pair stored. Then the hacker only has to retrieve the hashed password and look up the real password in the dictionary. This was once hard to do because it took so long to create the dictionary. But today such a dictionary only has to be created once and lookups can easily be made via the Web, often simply Googled.
>>
>> So isn't all the fuss to force us to make up long, complicated passwords and change them frequently, just a silly waste of time? What they call security theater.
Re: [CGUYS] Are Passwords Obsolete?
There are at least two good options in Windows.

I own two copies of Roboform (http://www.roboform.com) - one for my desktop and one for my flash drive. Not only allows you to use maximum strength passwords, but allows you to enter your own master password with your mouse (to avoid keyloggers that are so common today).

The open source (freeware) KeePass (http://keepass.info/) is great for storing passwords, and is getting better all the time at entering them into web forms.

CAC cards (http://en.wikipedia.org/wiki/Common_Access_Card) smack more of a national ID card than anything else. I doubt they'll catch on soon, unless maybe Bush declares martial law and outlaws elections next year.

On Dec 29, 2007 12:15 PM, Judy Cosler [EMAIL PROTECTED] wrote:

> what is a CAC card?? what is good s/w for changing storing p/w's?
Re: [CGUYS] Are Passwords Obsolete?
what about fingerprint scanner at the station?

Mike

On Dec 29, 2007 10:47 AM, Tony B [EMAIL PROTECTED] wrote:
There are at least two good options in Windows. I own two copies of Roboform (http://www.roboform.com) - one for my desktop and one for my flash drive. Not only allows you to use maximum strength passwords, but allows you to enter your own master password with your mouse (to avoid keyloggers that are so common today).

The open source (freeware) KeePass (http://keepass.info/) is great for storing passwords, and is getting better all the time at entering them into web forms.

CAC cards (http://en.wikipedia.org/wiki/Common_Access_Card) smack more of a national ID card than anything else. I doubt they'll catch on soon, unless maybe Bush declares martial law and outlaws elections next year.

On Dec 29, 2007 12:15 PM, Judy Cosler [EMAIL PROTECTED] wrote:
what is a CAC card?? what is good s/w for changing storing p/w's?
Re: [CGUYS] Are Passwords Obsolete?
Tony B snip
CAC cards (http://en.wikipedia.org/wiki/Common_Access_Card) smack more of a national ID card than anything else. I doubt they'll catch on soon, unless maybe Bush declares martial law and outlaws election next year.

On Dec 29, 2007 12:15 PM, Judy Cosler [EMAIL PROTECTED] wrote:
what is a CAC card??

correct meaning of the acronym, it's used to verify you are you when you go to work. I work as a contractor for the feds and have one. When you remove it from the keyboard, the computer starts a screensaver (you don't get to pick which one) that is password protected via the CAC card.

--
Take care | This clown speaks for himself, his job doesn't
Wayne D.  | supply this, at least not directly
I've never seen so damn many Indians. --G.A. Custer
Re: [CGUYS] Are Passwords Obsolete?
I think the paypal football https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside is more likely to catch on as a personal security feature. You log in with your account id, password and the random appearing number. Paypal is a cheap source for these at $5.00 but these are from verisign and function for any business signed up for the Verisign service. There is a good discussion of these on the Security Now podcast episode 103 - http://www.grc.com/SecurityNow.htm.

The Security Now podcasts for the perfect password system offer a system for a rolling password system that prints out onto a business card sized list of a bunch of passwords that you use sequentially. This would be good to prevent having a password being swiped because they are all use once and appear to be random.

On Dec 29, 2007 12:47 PM, Tony B [EMAIL PROTECTED] wrote:
There are at least two good options in Windows. I own two copies of Roboform (http://www.roboform.com) - one for my desktop and one for my flash drive. Not only allows you to use maximum strength passwords, but allows you to enter your own master password with your mouse (to avoid keyloggers that are so common today).

The open source (freeware) KeePass (http://keepass.info/) is great for storing passwords, and is getting better all the time at entering them into web forms.

CAC cards (http://en.wikipedia.org/wiki/Common_Access_Card) smack more of a national ID card than anything else. I doubt they'll catch on soon, unless maybe Bush declares martial law and outlaws elections next year.

On Dec 29, 2007 12:15 PM, Judy Cosler [EMAIL PROTECTED] wrote:
what is a CAC card?? what is good s/w for changing storing p/w's?

--
John Duncan Yoyo
---o)
Re: [CGUYS] Are Passwords Obsolete?
A CAC card (Computer Authorization Card???) is a ROM that plugs into a USB port and is the authentication for Windows/system logon, and everything else. It's been used for a few years now on military networks. No reason it couldn't be extended to civilian uses. CAC may not be entirely correct, but I believe it is. I don't have one. The user carries it around on his person like an ID card.

Password safe http://passwordsafe.sourceforge.net/ is freeware. There are lots of similar products out there. One password opens the safe and all usernames and passwords are used by copy/paste. I haven't done extensive research on them. Some come with security suites. Others are stand-alone products.

Fred Holmes

At 12:15 PM 12/29/2007, Judy Cosler wrote:
what is a CAC card?? what is good s/w for changing storing p/w's?

Fred Holmes wrote:
Some systems will lock you out after a small number of consecutive failed authentication attempts. Three? Five? Ten?

It would also seem possible to write code that requires the system to wait, say five seconds, before another attempt at a correct password may be made, thus making a dictionary attack impossibly long.

I don't think requiring frequent change of password is worth much.

Sooner or later everyone will have a CAC card, or at least banks will issue them for on-line banking.

Fred Holmes

At 09:51 AM 12/29/2007, Tom Piwowar wrote:
Passwords have to be stored on the computer or network so the OS can verify what is typed in. The secure way to do this is to never store an actual password, but instead a hashed version. So when a password is typed it is hashed by the computer and compared to the stored version. This way there is never a copy of the password that a hacker may find. The hashing programs work only in one direction, so a hashed password can't be unhashed.

This can be defeated by a dictionary attack. Every possible combination of characters is hashed and the password-hash pair stored. Then the hacker only has to retrieve the hashed password and look up the real password in the dictionary. This was once hard to do because it took so long to create the dictionary. But today such a dictionary only has to be created once and lookups can easily be made via the Web, often simply Googled.

So isn't all the fuss to force us to make up long, complicated passwords and change them frequently, just a silly waste of time? What they call security theater.
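An added illustration of the stored-hash lookup described in the Tom Piwowar message quoted above; it is not code from any post in this thread. A constructed five-word list is hashed once into a lookup table, which recovers the password behind an unsalted SHA-256 digest but finds nothing once each record has its own random salt and is run through PBKDF2. The wordlist, function names and iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist standing in for a precomputed dictionary.
WORDLIST = ["password", "letmein", "dragon", "sunshine", "qwerty"]
ITERATIONS = 200_000  # assumed work factor for the demo


def unsalted_hash(password):
    """Fast, unsalted hash: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Hash each candidate once; the table works against every unsalted store."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    candidate = salted_hash(password, salt, iterations)[2]
    return hmac.compare_digest(candidate, expected)


def demo():
    table = build_lookup_table(WORDLIST)
    alice = salted_hash("sunshine")  # two users, same password
    bob = salted_hash("sunshine")
    return {
        "unsalted_lookup": table.get(unsalted_hash("sunshine")),
        "salted_lookup": table.get(alice[2].hex()),
        "records_match": alice[2] == bob[2],
        "login_ok": verify("sunshine", alice),
        "login_bad": verify("dragon", alice),
    }


if __name__ == "__main__":
    print(demo())
```

The salt removes the build-once, look-up-anywhere shortcut, so every stored record has to be attacked separately at the cost of the slow KDF. A password that appears in a wordlist can still be guessed that way, one record at a time.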
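The lockout and wait-before-retry ideas from the Fred Holmes message quoted above, combined with the doubling delay mentioned earlier in the thread, as an added example that is not code from any poster. The class name, default values, delay cap and injectable clock are assumptions.

```python
import time


class LoginThrottle:
    """Per-account retry delay that doubles per failure, plus a hard lockout."""

    def __init__(self, base_delay=5.0, max_delay=3600.0, lockout_after=10,
                 clock=time.monotonic):
        self.base_delay = base_delay        # the "say five seconds" from the thread
        self.max_delay = max_delay          # assumed cap on the doubled delay
        self.lockout_after = lockout_after  # consecutive failures before lockout
        self.clock = clock                  # injectable so tests need not sleep
        self._state = {}                    # account -> (failures, not_before)

    def _delay(self, failures):
        # Cap the exponent so very long failure runs cannot overflow a float.
        return min(self.base_delay * 2 ** min(failures - 1, 32), self.max_delay)

    def check(self, account):
        """Return (allowed, seconds_to_wait); call before verifying a password."""
        failures, not_before = self._state.get(account, (0, 0.0))
        if failures >= self.lockout_after:
            return False, float("inf")  # stays locked until reset() is called
        wait = max(0.0, not_before - self.clock())
        return wait == 0.0, wait

    def record_failure(self, account):
        failures = self._state.get(account, (0, 0.0))[0] + 1
        self._state[account] = (failures, self.clock() + self._delay(failures))

    def reset(self, account):
        """Call on a successful login or an administrative unlock."""
        self._state.pop(account, None)

    def seconds_to_try(self, guesses):
        """Enforced waiting for N straight wrong guesses, ignoring the lockout."""
        return sum(self._delay(n) for n in range(1, guesses + 1))
```

With a flat five-second delay (`max_delay=5.0`), 100,000 guesses against one account cost about 139 hours of enforced waiting. The delay only limits guessing through the login prompt, not guessing against a copied hash store, and a hard lockout lets anyone who knows a username lock that user out.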
Re: [CGUYS] Are Passwords Obsolete?
OK, but what's their reliability? I haven't read anything on their performance in actual practice.

There's your national ID once they become very reliable.

Fred Holmes

At 02:20 PM 12/29/2007, mike wrote:
what about fingerprint scanner at the station?

Mike
Re: [CGUYS] Are Passwords Obsolete?
Your SSAN is already a national ID for anyone with even a modicum of financial assets.

If banks start offering them, I'll take one. A lot quicker and easier than dealing with passwords.

Fred Holmes

At 12:47 PM 12/29/2007, Tony B wrote:
CAC cards (http://en.wikipedia.org/wiki/Common_Access_Card) smack more of a national ID card than anything else. I doubt they'll catch on soon, unless maybe Bush declares martial law and outlaws elections next year.