Re: Preventing password reuse

2006-07-05 Thread Matthew R. Dempsky
On Wed, Jul 05, 2006 at 12:24:34PM +0200, Joachim Schipper wrote: > Consider five lower-case words chosen from 1024 possibilities each, for > instance - this has 50 bits of entropy, roughly equivalent to a > 10-character password based on natural language [1]; a little fuzzing > and use of capitals

Re: Preventing password reuse

2006-07-05 Thread Joachim Schipper
On Tue, Jul 04, 2006 at 10:07:53PM -0400, STeve Andre' wrote: > On Tuesday 04 July 2006 08:45, Joachim Schipper wrote: > > On Mon, Jul 03, 2006 at 09:22:59PM -0700, Jeff Simmons wrote: > > > Well, just to play the devil's advocate here ... > > > > > > One of the main functions of any password hygie

Re: Preventing password reuse

2006-07-04 Thread STeve Andre'
On Tuesday 04 July 2006 08:45, Joachim Schipper wrote: > On Mon, Jul 03, 2006 at 09:22:59PM -0700, Jeff Simmons wrote: > > Well, just to play the devil's advocate here ... > > > > One of the main functions of any password hygiene program 'should' be to > > prevent users from changing 'mypassword1'

Re: Preventing password reuse

2006-07-04 Thread Nick Holland
Rod.. Whitworth wrote: ... Test with well known cracker tools and weep. I have (as root) fed a slice of master.passwd to John the Ripper with a few nologin users added using dictionary words of 7 or 8 chars as passwords and after 10 days it had not cracked one of them. I bet it takes less time on

Re: Preventing password reuse

2006-07-04 Thread Joachim Schipper
On Tue, Jul 04, 2006 at 12:04:34AM -0400, Chet Uber wrote: > >>I can't resist pointing out that this is an AWFUL policy. You > >>will be > >>remembering people's passwords, a history of them, which are > >>very likely to be used on other systems. That's really bad. I wonder > >>(at least in the

Re: Preventing password reuse

2006-07-04 Thread Joachim Schipper
On Mon, Jul 03, 2006 at 09:22:59PM -0700, Jeff Simmons wrote: > Well, just to play the devil's advocate here ... > > One of the main functions of any password hygiene program 'should' be to > prevent users from changing 'mypassword1' to 'mypassword2' and then > 'mypassword3', etc. (Yes, we can

Re: Preventing password reuse

2006-07-04 Thread Gilles Chehade
From man page: The quality of the password can be enforced by specifying an external checking program via the ``passwordcheck'' variable in login.conf(5). Writing a script to store the ten last hashes in a ``per-user'' file is trivial and would ensure the check whil

Re: Preventing password reuse

2006-07-04 Thread Stuart Henderson
On 2006/07/04 16:53, Steffen Kluge wrote: > Because the hashes in master.passwd are salted, as you come to realise > yourself further down in your post. Storing the old crypted passwords from master.passwd gives you the following information when someone changes their password: Typed new password

Re: Preventing password reuse

2006-07-04 Thread Steffen Kluge
On Tue, 2006-07-04 at 07:15 +0200, Paul de Weerd wrote: > | So, you are suggesting using something other than the hash stored in > | OpenBSD's master.passwd then? > > Why exactly would we need another hash ? Because the hashes in master.passwd are salted, as you come to realise yourself further

Re: Preventing password reuse

2006-07-03 Thread Matthew R. Dempsky
On Tue, Jul 04, 2006 at 02:29:56AM -0400, Chet Uber wrote: > NP-complete problems are the most difficult complexity problems. No, NP-complete problems are the most difficult problems _in NP_.

Re: Preventing password reuse

2006-07-03 Thread Chet Uber
Not to bicker, but the resources needed to use a database of all possible passwords even with alphanumerics and salted is very finite -- albeit large. OpenBSD's blowfish passwords have 128-bits of salt. A table of all 8 character (lower-case only) alphanumeric passwords would require 2^128 *

Re: Preventing password reuse

2006-07-03 Thread Chet Uber
Not to bicker, but the resources needed to use a database of all possible passwords even with alphanumerics and salted is very finite -- albeit large. OpenBSD blowfish hashes have 16 bytes of salt, so a database of these will not be feasible for a while. I agree that for all but those with

Re: Preventing password reuse

2006-07-03 Thread Matthew R. Dempsky
On Tue, Jul 04, 2006 at 12:04:11AM -0400, Chet Uber wrote: > Not to bicker, but the resources needed to use a database of all > possible passwords even with alphanumerics and salted is very finite > -- albeit large. OpenBSD's blowfish passwords have 128-bits of salt. A table of all 8 charact

Re: Preventing password reuse

2006-07-03 Thread Damien Miller
On Tue, 4 Jul 2006, Chet Uber wrote: > Not to bicker, but the resources needed to use a database of all possible > passwords even with alphanumerics and salted is very finite -- albeit large. OpenBSD blowfish hashes have 16 bytes of salt, so a database of these will not be feasible for a while.

Re: Preventing password reuse

2006-07-03 Thread Paul de Weerd
On Tue, Jul 04, 2006 at 02:15:09PM +1000, Rod.. Whitworth wrote: | >Ahhh, .. that's what hashes are for; easily recreatable given duplicate | >input strings, but creating the input string FROM the hash is just about | >impossible [lacking near infinite resources]. | > | >Storing hashes in a DB is j

Re: Preventing password reuse

2006-07-03 Thread Jeff Simmons
Well, just to play the devil's advocate here ... One of the main functions of any password hygiene program 'should' be to prevent users from changing 'mypassword1' to 'mypassword2' and then 'mypassword3', etc. (Yes, we can force complex passwords, but the idea is the same.) It's fairly simple

Re: Preventing password reuse

2006-07-03 Thread Rod.. Whitworth
On Mon, 3 Jul 2006 22:25:53 -0500 (CDT), L. V. Lammert wrote: >On Mon, 3 Jul 2006, STeve Andre' wrote: > >> On Monday 03 July 2006 17:37, Jeff Simmons wrote: >> >> I can't resist pointing out that this is an AWFUL policy. You will be >> remembering people's passwords, a history of them, which are

Re: Preventing password reuse

2006-07-03 Thread Chet Uber
I can't resist pointing out that this is an AWFUL policy. You will be remembering people's passwords, a history of them, which are very likely to be used on other systems. That's really bad. I wonder (at least in the USA) what would happen to your company if that data was ever stolen? --STeve

Re: Preventing password reuse

2006-07-03 Thread L. V. Lammert
On Mon, 3 Jul 2006, STeve Andre' wrote: > On Monday 03 July 2006 17:37, Jeff Simmons wrote: > > I can't resist pointing out that this is an AWFUL policy. You will be > remembering people's passwords, a history of them, which are > very likely to be used on other systems. That's really bad. I wond

Re: Preventing password reuse

2006-07-03 Thread Chet Uber
On Monday 03 July 2006 17:37, Jeff Simmons wrote: A client is setting up a password policy, and would like to prevent users from reusing a password for a period of time (four changes ninety days apart). Is there a way to do this, either within the OS or via a program in ports? I've been look

Re: Preventing password reuse

2006-07-03 Thread Damien Miller
On Mon, 3 Jul 2006, Spruell, Darren-Perot wrote: > From: [EMAIL PROTECTED] > > A client is setting up a password policy, and would like to > > prevent users from > > reusing a password for a period of time (four changes ninety > > days apart). Is > > there a way to do this, either within the

Re: Preventing password reuse

2006-07-03 Thread Marcus Watts
Chris Zakelj <[EMAIL PROTECTED]> writes: > Date: Mon, 03 Jul 2006 21:09:32 -0400 > From: Chris Zakelj <[EMAIL PROTECTED]> > To: "STeve Andre'" <[EMAIL PROTECTED]> > CC: misc@openbsd.org > Subject: Re: Preventing password reuse > > STeve Andre&

Re: Preventing password reuse

2006-07-03 Thread Jeff Simmons
On Monday 03 July 2006 17:51, STeve Andre' wrote: > On Monday 03 July 2006 17:37, Jeff Simmons wrote: > > A client is setting up a password policy, and would like to prevent users > > from reusing a password for a period of time (four changes ninety days > > apart). Is there a way to do this, eithe

Re: Preventing password reuse

2006-07-03 Thread Chris Zakelj
STeve Andre' wrote: > On Monday 03 July 2006 17:37, Jeff Simmons wrote: > >> A client is setting up a password policy, and would like to prevent users >> from reusing a password for a period of time (four changes ninety days >> apart). Is there a way to do this, either within the OS or via a pro

Re: Preventing password reuse

2006-07-03 Thread STeve Andre'
On Monday 03 July 2006 17:37, Jeff Simmons wrote: > A client is setting up a password policy, and would like to prevent users > from reusing a password for a period of time (four changes ninety days > apart). Is there a way to do this, either within the OS or via a program in > ports? I've been loo

Re: Preventing password reuse

2006-07-03 Thread Jeff Simmons
thing I need very nicely except preventing password reuse. > Seems to me a better solution would be to take a one-way hash of the new > password hash out to some kind of a database ... Very much agree. I think we're going to need something like this (similar to some of the file integri

Re: Preventing password reuse

2006-07-03 Thread Spruell, Darren-Perot
From: [EMAIL PROTECTED] > A client is setting up a password policy, and would like to > prevent users from > reusing a password for a period of time (four changes ninety > days apart). Is > there a way to do this, either within the OS or via a program > in ports? I've > been looking for quit

Preventing password reuse

2006-07-03 Thread Jeff Simmons
A client is setting up a password policy, and would like to prevent users from reusing a password for a period of time (four changes ninety days apart). Is there a way to do this, either within the OS or via a program in ports? I've been looking for quite a while and haven't found anything. --