POV-Ray : Newsgroups : povray.off-topic : Password difficulty
  Password difficulty (Message 28 to 37 of 37)  
From: Darren New
Subject: Re: Password difficulty
Date: 16 Aug 2011 19:05:32
Message: <4e4af7bc@news.povray.org>
On 8/11/2011 11:17, Jim Henderson wrote:
> On Thu, 11 Aug 2011 09:09:01 +0100, Invisible wrote:
>> Personally, I think the most /realistic/ way to gauge password strength
>> is to see how long it takes real, commonly-available password crackers
>> to break your password.

> Arguably that's the most accurate way, but not the most realistic way.

However, I know a number of corporations that will try to crack your 
password each time you change it and if they can, they'll make you change it 
again. You just get an email after a couple days saying "change it or get 
locked out."

-- 
Darren New, San Diego CA, USA (PST)
   How come I never get only one kudo?


From: Jim Henderson
Subject: Re: Password difficulty
Date: 16 Aug 2011 20:24:05
Message: <4e4b0a25@news.povray.org>
On Tue, 16 Aug 2011 16:05:31 -0700, Darren New wrote:

> On 8/11/2011 11:17, Jim Henderson wrote:
>> On Thu, 11 Aug 2011 09:09:01 +0100, Invisible wrote:
>>> Personally, I think the most /realistic/ way to gauge password
>>> strength is to see how long it takes real, commonly-available password
>>> crackers to break your password.
> 
>> Arguably that's the most accurate way, but not the most realistic way.
> 
> However, I know a number of corporations that will try to crack your
> password each time you change it and if they can, they'll make you
> change it again. You just get an email after a couple days saying
> "change it or get locked out."

Yeah, that's a different approach - and not necessarily a bad one.

Jim


From: Mike Raiford
Subject: Re: Password difficulty
Date: 17 Aug 2011 09:50:38
Message: <4e4bc72e$1@news.povray.org>
On 8/11/2011 3:09 AM, Invisible wrote:
> On 11/08/2011 03:27 AM, Chambers wrote:
>> I thought this was funny, since there was the recent discussion on
>> password strength...
>>
>> http://xkcd.com/936/
>
> People on the XKCD forums have posted links to several online "password
> strength meters". These are mostly of the type where you get a +10 point
> bonus for using uppercase and lowercase, but a -N penalty for every N
> consecutive characters of the same type, but then there's also a score
> for...
>
> Personally, I think the most /realistic/ way to gauge password strength
> is to see how long it takes real, commonly-available password crackers
> to break your password. After all, /that/ is what most unsophisticated
> attackers are going to use against you.
>

This is the truth.

A better philosophy in creating a password IMO is to come up with a 
sentence that includes capitalization and punctuation. This makes it 
harder for a computer to brute force it, I think.

-- 
~Mike


From: Invisible
Subject: Re: Password difficulty
Date: 17 Aug 2011 09:59:10
Message: <4e4bc92e$1@news.povray.org>
>> Personally, I think the most /realistic/ way to gauge password strength
>> is to see how long it takes real, commonly-available password crackers
>> to break your password. After all, /that/ is what most unsophisticated
>> attackers are going to use against you.
>>
>
> This is the truth.
>
> A better philosophy in creating a password IMO is to come up with a
> sentence that includes capitalization and punctuation. This makes it
> harder for a computer to brute force it, I think.

As people on the forums have pointed out, a worrying number of things 
have a /maximum/ password length. (!) Quite apart from taking a long 
time to type a whole sentence, many systems won't allow you to use one 
as a password.

(That said, PGP and GPG [yes, those are real product names] don't even 
ask for a "password"; they want a "passphrase".)

The method I generally use is to take a complete sentence, but only type 
the first letter of each word, plus any punctuation that might be 
present. This has the unfortunate result that all my passwords tend to 
start with an uppercase letter and end in a full stop. On the other 
hand, how many password crackers are going to try "TSHwmygI." as a password?

Well, that rhetorical question is one I'd like to answer. But not on my 
employer's VMs, apparently...


From: Warp
Subject: Re: Password difficulty
Date: 17 Aug 2011 16:18:51
Message: <4e4c222b@news.povray.org>
Invisible <voi### [at] devnull> wrote:
> As people on the forums have pointed out, a worrying number of things 
> have a /maximum/ password length. (!) Quite apart from taking a long 
> time to type a whole sentence, many systems won't allow you to use one 
> as a password.

  For a very long time unixes used only 8 character passwords at most.
(You could write more, but everything after the 8th character was ignored
and could thus be anything.)

  I think most modern unixes have lifted this limitation.

-- 
                                                          - Warp


From: Darren New
Subject: Re: Password difficulty
Date: 17 Aug 2011 16:37:21
Message: <4e4c2681$1@news.povray.org>
On 8/17/2011 13:18, Warp wrote:
>    For a very long time unixes used only 8 character passwords at most.

The way you do a cryptographic hash is to take a symmetric key algorithm and 
use the password as the key and encrypt a constant. The result is a hash. 
(Of course, there are other ways, but given (say) DES, this is a way to use 
DES as a hash.)

The original unix crypt (and later DES) were used this way to generate 
password hashes, and that's the reason UNIX tossed more than 8 characters.

Just for general edification. :-)

-- 
Darren New, San Diego CA, USA (PST)
   How come I never get only one kudo?


From: Orchid XP v8
Subject: Re: Password difficulty
Date: 17 Aug 2011 18:06:21
Message: <4e4c3b5d$1@news.povray.org>
On 17/08/2011 09:18 PM, Warp wrote:

>    For a very long time unixes used only 8 character passwords at most.
> (You could write more, but everything after the 8th character was ignored
> and could thus be anything.)
>
>    I think most modern unixes have lifted this limitation.

If I'm not very much mistaken, obsolete versions of Windows did 
something similar. Like, when you *set* your password, it uses only the 
first 14 characters and ignores the rest, but when you *enter* your 
password for authentication, it uses all 14 characters...

...in other words, if you set a password containing more than 14 
characters, you just locked yourself out of the network. Until you 
figure out that by typing only the first 14 characters, it lets you in 
again. Like, WTF?

Since Windows XP and higher use Kerberos, a protocol designed by people 
who have a clue, I'm guessing this kind of stupidity is gone now...

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
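Darren's "use the password as the cipher key and encrypt a constant" construction is what sits behind both limits mentioned in this thread: traditional crypt(3) builds a 56-bit DES key from the low 7 bits of the first 8 characters and encrypts an all-zero block 25 times, and the Windows LM hash uppercases the password, pads or cuts it to 14 bytes, splits it into two 7-byte halves and uses each half as a DES key to encrypt the constant "KGS!@#$%". Anything past the key-schedule cut-off never reaches the cipher, which is exactly why extra characters were silently ignored. The code below is an added example, not from any post in this thread nor from any real crypt or LM implementation: a toy Feistel cipher built on SHA-256 stands in for DES so it runs with the standard library only, the 7-byte LM halves are fed to the toy cipher directly rather than expanded to 8 bytes, and the crypt salt is simply mixed into the key instead of perturbing DES's E-box. Those are assumptions for self-containment; the key schedules and constants are the real ones.

```python
"""Password-as-cipher-key hashing and why it truncates.
Added example. toy_block_encrypt is a stand-in for DES (assumption: any keyed
64-bit block cipher shows the same effect); the key schedules mirror crypt(3) and LM."""
import hashlib


def toy_block_encrypt(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    """Stand-in for DES: 64-bit Feistel network whose round function is
    SHA-256(key || round || right half). Not DES; only the 'password is the key'
    structure matters for this demonstration."""
    assert len(block) == 8
    left, right = block[:4], block[4:]
    for r in range(rounds):
        f = hashlib.sha256(key + bytes([r]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left


def crypt_key(password: str) -> bytes:
    """Traditional crypt(3) key schedule: the low 7 bits of each of the first 8
    characters (shifted up one bit, parity bit low) form the 56-bit DES key.
    Characters 9 onward are never read; short passwords are zero-padded."""
    raw = password.encode("latin-1", "replace")[:8].ljust(8, b"\0")
    return bytes((c & 0x7F) << 1 for c in raw)


def crypt_style_hash(password: str, salt: bytes = b"AA", iterations: int = 25) -> str:
    """Encrypt a constant all-zero block 25 times under the password-derived key,
    as crypt(3) does. Assumption for simplicity: the 12-bit salt is appended to
    the key rather than perturbing the cipher's expansion as real crypt does."""
    key = crypt_key(password) + salt
    block = bytes(8)
    for _ in range(iterations):
        block = toy_block_encrypt(key, block)
    return salt.decode() + block.hex()


def lm_style_hash(password: str) -> str:
    """LM hash key schedule: uppercase, cut/pad to 14 bytes, split into two 7-byte
    halves, each used as a DES key to encrypt the constant 'KGS!@#$%'.
    Each half is hashed independently, so an attacker cracks two 7-character
    case-insensitive passwords, never one 14-character one."""
    raw = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\0")
    halves = (raw[:7], raw[7:])
    return "".join(toy_block_encrypt(h, b"KGS!@#$%").hex() for h in halves)


def effective_length(hash_fn, password: str) -> int:
    """Shortest prefix of `password` whose hash equals the full password's hash,
    i.e. how many characters the scheme actually looks at."""
    full = hash_fn(password)
    for n in range(1, len(password) + 1):
        if hash_fn(password[:n]) == full:
            return n
    return len(password)


if __name__ == "__main__":
    pw = "correcthorsebatterystaple"
    print("crypt(3)-style counts", effective_length(crypt_style_hash, pw), "characters")
    print("LM-style counts      ", effective_length(lm_style_hash, pw), "characters")
    print("LM first half shared:", lm_style_hash("PASSWOR1234567")[:16] == lm_style_hash("PASSWORxxxxxxx")[:16])
```

Running `effective_length` against a real crypt(3) or LM implementation gives the same 8 and 14, which is a quick way to audit any legacy system for the silent-truncation behaviour the thread complains about.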


From: Jim Henderson
Subject: Re: Password difficulty
Date: 17 Aug 2011 18:17:41
Message: <4e4c3e05$1@news.povray.org>
On Wed, 17 Aug 2011 23:06:14 +0100, Orchid XP v8 wrote:

> On 17/08/2011 09:18 PM, Warp wrote:
> 
>>    For a very long time unixes used only 8 character passwords at most.
>> (You could write more, but everything after the 8th character was
>> ignored and could thus be anything.)
>>
>>    I think most modern unixes have lifted this limitation.
> 
> If I'm not very much mistaken, obsolete versions of Windows did
> something similar. Like, when you *set* your password, it uses only the
> first 14 characters and ignores the rest, but when you *enter* your
> password for authentication, it uses all 14 characters...
> 
> ...in other words, if you set a password containing more than 14
> characters, you just locked yourself out of the network. Until you
> figure out that by typing only the first 14 characters, it lets you in
> again. Like, WTF?

Yep, you do remember correctly, in fact, I think I wrote something 
similar in this very thread. :)

> Since Windows XP and higher use Kerberos, a protocol designed by people
> who have a clue, I'm guessing this kind of stupidity is gone now...

Well, I remember in Windows Server 2000 (with the first release of AD) 
that there were circumstances where NTLM authentication would be used 
instead of Kerberos, and it wasn't always predictable.  So you could 
actually end up with a real authentication nightmare in a distributed 
environment (which is what I was dealing with) where you might change 
your password and then try to authenticate using NTLM, but the PDC 
Emulator hadn't received the update (depending on your sync schedules and 
such), and since the PDC Emulator was used for NTLM authentication, you 
could lock yourself out and not even realise that you were setting the 
password using one method and trying to authenticate using the other.

I *hope* they got that sorted out (and would be surprised if they 
didn't).  We duplicated that in the lab with Microsoft Consulting at the 
time....

Jim


From: Invisible
Subject: Re: Password difficulty
Date: 18 Aug 2011 04:17:49
Message: <4e4ccaad$1@news.povray.org>
>> Since Windows XP and higher use Kerberos, a protocol designed by people
>> who have a clue, I'm guessing this kind of stupidity is gone now...
>
> Well, I remember in Windows Server 2000 (with the first release of AD)
> that there were circumstances where NTLM authentication would be used
> instead of Kerberos, and it wasn't always predictable.  So you could
> actually end up with a real authentication nightmare in a distributed
> environment

Ah yes. I think I recall there may have been some difference between how 
Windows NT and Windows XP authenticate. Maybe that's the issue I was 
remembering...

I haven't seen this problem in a long time. Then again, I haven't tried 
to set a really long password. (And I doubt anybody else has.)

I also have a vague recollection that NTLM didn't like certain 
characters in a password. But I don't remember which ones.


From: Jim Henderson
Subject: Re: Password difficulty
Date: 18 Aug 2011 13:20:17
Message: <4e4d49d1$1@news.povray.org>
On Thu, 18 Aug 2011 09:17:50 +0100, Invisible wrote:

>>> Since Windows XP and higher use Kerberos, a protocol designed by
>>> people who have a clue, I'm guessing this kind of stupidity is gone
>>> now...
>>
>> Well, I remember in Windows Server 2000 (with the first release of AD)
>> that there were circumstances where NTLM authentication would be used
>> instead of Kerberos, and it wasn't always predictable.  So you could
>> actually end up with a real authentication nightmare in a distributed
>> environment
> 
> Ah yes. I think I recall there may have been some difference between how
> Windows NT and Windows XP authenticate. Maybe that's the issue I was
> remembering...

That could be.

> I haven't seen this problem in a long time. Then again, I haven't tried
> to set a really long password. (And I doubt anybody else has.)
> 
> I also have a vague recollection that NTLM didn't like certain
> characters in a password. But I don't remember which ones.

Now that you mention it, I think I ran into that as well.

Jim


Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.