#16
08-28-2011, 07:26 AM
GTS225, Junior Member
Join Date: Jun 2011
Location: Waterloo, Iowa
Quote:
Originally Posted by hoytedow
chupacabra doughnut bouton schwarz numerals
********************************************
Hoyt......Yer killin' me, here!
Tom......you shoulda saw that one comin'.

(Yeah, I know.....my grade school english teacher would be proud.)

Roger
#17
08-29-2011, 12:08 AM
liki, Senior Member
Join Date: Nov 2008
Location: Finland
There are also other points that are perhaps more important than the simple entropy included. Against good and well thought out systems a remote brute force attack is simply not effective, as the system induces a delay between guesses and/or closes the account after repeated failed attempts.

One of the more severe threats is that your password can be eavesdropped if you can be observed typing it. This is an especially severe threat with PIN-code terminals. I try to form my passwords to be fast to type. As I tend to use alphanumeric strings, I just type something at random and pick something out of the results.

I recall that written English had only about 1.2-1.3 bits of entropy per character, so these days one should prefer a sequence of written text at least 50 characters long. 8-character strings of alphanumeric characters are also dangerously close to being inadequate.
#18
08-29-2011, 02:26 PM
SheetWise, All Beach -- No Water.
Join Date: Jul 2004
Location: Phoenix
This has always been, and is still a problem with the programmers -- not the passwords. They are not programming the computer to be an intelligent gatekeeper. How many chances do you think a grocery clerk would give you to "remember" your PIN? If you think 10,000 attempts is appropriate, then you'll "remember" it every time. When systems are compromised by brute force -- it's the fault of the system. OTOH -- if you're using the name of a child or pet, an intruder might guess it in the first couple of attempts. Other than obvious passwords that someone who lived with you or knew you might be able to guess, almost all passwords are secure. The people who programmed the system are the weak link.

This is not a problem with passwords or password security -- it is a problem with programmers. Some of them are idiots. For anyone involved in securing Internet systems, you might want to check how your password system was designed.

When I design a system, I record every login attempt in the customer's master record along with the date and time. For every failed login attempt within a 15 minute window I also increment a counter, which is reset only after 15 minutes with no attempts. If the counter reaches 4 -- the user obviously doesn't remember their password. The account is then disabled for 15 minutes, a second counter recording a timeout is incremented, and the user is given the option of requesting their password by email. If the timeout counter is incremented to 3, the password is disabled and an email is sent to the user. With this system it is almost impossible for an account to be accessed by brute force.

Consider a simple four letter password. If the password is not case sensitive, there are 26^4 combinations equating to 456,976 passwords -- if the password is case sensitive there are 52^4 combinations, or 7,311,616. And that's just a four character password not using numbers.

Given that simple policy, a hacker gets exactly 12 guesses before the account is disabled. This not only protects the owner of the account, it informs them that somebody is attempting to access their account -- I also record the IP address of every request. A four character password without numbers is actually pretty strong if the people doing the programming have any concerns about protecting your privacy.

What really ticks me off are systems that require you to use 8+ characters, must use upper and lower case, must include a number, and must be changed every X days. What in the hell are they thinking? These are the passwords that I actually write down -- because I can't remember them. Writing your password down is a real security issue, but if forced to continually change passwords -- most people will (I do). If you're working with a system that continually asks you to change your password, it's a system that is not secure -- and the operators know it. They're openly acknowledging it. The difference between a random four letter case sensitive password and eight upper/lower with a number is the difference between winning the state lottery and the sun not rising tomorrow, assuming your provider has some security features in place. If you can get past ten attempts without an account being timed out, the programmers need some instructions on how to close a window.
__________________
Time is God's way to keep everything from happening at once.
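The lockout policy described in post #18 (a failure counter per 15-minute window, a 15-minute timeout on the 4th failure, the password disabled after the 3rd timeout, every attempt logged with date, time and IP) also illustrates post #17's point that a system which closes the account after repeated failures makes remote guessing ineffective. The block below is an added Python sketch of that state machine, not the poster's own code; it uses an explicit clock in seconds instead of wall-clock time, and the account, password and IP addresses are constructed for the demonstration.

```python
from dataclasses import dataclass, field

WINDOW = 15 * 60        # seconds: failure-counting window and lockout length, from the post
MAX_FAILS, MAX_TIMEOUTS = 4, 3   # failures per window before a lockout; lockouts before disabling

@dataclass
class Account:
    password: str
    fail_count: int = 0
    timeout_count: int = 0
    last_attempt: float = float("-inf")      # time of the last evaluated attempt (seconds)
    disabled_until: float = float("-inf")    # end of the current lockout, if any
    password_disabled: bool = False
    log: list = field(default_factory=list)  # (time, ip, outcome) for every attempt

def login(acct: Account, guess: str, ip: str, now: float) -> str:
    """Apply one login attempt under the post's policy and return its outcome."""
    if acct.password_disabled:
        outcome = "password-disabled"
    elif now < acct.disabled_until:
        outcome = "locked"                   # rejected without evaluating the guess
    else:
        if now - acct.last_attempt > WINDOW:
            acct.fail_count = 0              # 15 minutes with no attempts: counter resets
        acct.last_attempt = now
        if guess == acct.password:
            acct.fail_count, outcome = 0, "ok"
        else:
            acct.fail_count, outcome = acct.fail_count + 1, "fail"
            if acct.fail_count >= MAX_FAILS:     # 4th failure: lock and count the timeout
                acct.fail_count, acct.timeout_count = 0, acct.timeout_count + 1
                if acct.timeout_count >= MAX_TIMEOUTS:
                    acct.password_disabled, outcome = True, "fail+password-disabled"
                else:
                    acct.disabled_until, outcome = now + WINDOW, "fail+locked"
    acct.log.append((now, ip, outcome))
    return outcome

def brute_force(acct: Account, candidates, ip: str, start: float = 0.0) -> int:
    # Submit guesses one per second, waiting out lockouts; return how many got evaluated.
    now, evaluated = start, 0
    for guess in candidates:
        now = max(now, acct.disabled_until)  # a patient guesser waits out each lockout
        outcome = login(acct, guess, ip, now)
        if outcome == "password-disabled":
            break
        evaluated += 1
        if outcome == "ok":
            break
        now += 1
    return evaluated
```

Running `brute_force` against a four-letter password with a list of wrong guesses evaluates exactly 12 of them (4 per window, 3 windows) before the password is disabled, matching the count in the post; the log keeps a record of every attempt and its IP.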
#19
08-29-2011, 04:28 PM
troy2000, Senior Member
Join Date: Nov 2009
Location: California
Quote:
Originally Posted by SheetWise
What really ticks me off are systems that require you to use 8+ characters, must use upper and lower case, must include a number, and must be changed every X days. What in the hell are they thinking? These are the passwords that I actually write down -- because I can't remember them. Writing your password down is a real security issue, but if forced to continually change passwords -- most people will...
Amen. I wish you could come say that to the IT bozos at my company. Although I doubt they'd listen to you.
__________________
"All one has to do is follow the plans and build in no permanent leaks."
-Charles Minor Blackford, on the simplicity of building flat bottomed boats
#20
08-29-2011, 11:31 PM
SheetWise, All Beach -- No Water.
Join Date: Jul 2004
Location: Phoenix
Quote:
Originally Posted by troy2000
Amen. I wish you could come say that to the IT bozos at my company. Although I doubt they'd listen to you.
You're right. I've been hired by some very large corporations where the IT staff won't even take instructions from the President or CEO. They can be an independent bunch -- and if they're cynical enough, they can literally make themselves indispensable. None of which makes them "smart" ...
__________________
Time is God's way to keep everything from happening at once.