Strong passwords are simpler than you may think.

Discussion in 'General Computing' started by MikeJohns, Aug 26, 2011.

  1. GTS225
    Joined: Jun 2011
    Posts: 42
    Likes: 2, Points: 0, Legacy Rep: 23
    Location: Waterloo, Iowa

    GTS225 Junior Member

    ********************************************
    Hoyt......Yer killin' me, here! :D
    Tom......you shoulda saw that one comin'.

    (Yeah, I know.....my grade school english teacher would be proud.):eek:

    Roger
     
  2. liki
    Joined: Nov 2008
    Posts: 221
    Likes: 12, Points: 18, Legacy Rep: 114
    Location: Finland

    liki Senior Member

    There are also other points that are perhaps more important than the simple entropy included. Against good and well thought-out systems a remote brute force attack is simply not effective, as the system induces a delay between guesses and/or closes the account after repeated failed attempts.

    One of the more severe threats is that your password can be eavesdropped if you can be observed typing it. This is an especially severe threat with the pin-code terminals. I try to form my passwords to be fast to type. As I tend to use alphanumeric strings I just type something at random and pick something out of the results.

    I recall that written English had only about 1.2-1.3 bits of entropy per character, so these days one should prefer a sequence of written text at least 50 characters long. 8-character strings of alphanumeric characters are also dangerously close to being inadequate.
     
  3. SheetWise
    Joined: Jul 2004
    Posts: 279
    Likes: 54, Points: 0, Legacy Rep: 658
    Location: Phoenix

    SheetWise All Beach -- No Water.

    This has always been, and is still a problem with the programmers -- not the passwords. They are not programming the computer to be an intelligent gatekeeper. How many chances do you think a grocery clerk would give you to "remember" your PIN? If you think 10,000 attempts is appropriate, then you'll "remember" it every time. When systems are compromised by brute force -- it's the fault of the system. OTOH -- if you're using the name of a child or pet, an intruder might guess it in the first couple of attempts. Other than obvious passwords that someone who lived with you or knew you might be able to guess, almost all passwords are secure. The people who programmed the system are the weak link.

    This is not a problem with passwords or password security -- it is a problem with programmers. Some of them are idiots. For anyone involved in securing Internet systems, you might want to check how your password system was designed.

    When I design a system, I record every login attempt in the customer's master record along with the date and time. For every failed login attempt within a 15 minute window I also increment a counter, which is reset only after 15 minutes with no attempts. If the counter reaches 4 -- the user obviously doesn't remember their password. The account is then disabled for 15 minutes, a second counter recording a timeout is incremented, and the user is given the option of requesting their password by email. If the timeout counter is incremented to 3, the password is disabled and an email is sent to the user. With this system it is almost impossible for an account to be accessed by brute force.

    Consider a simple four letter password. If the password is not case sensitive, there are 26^4 combinations equating to 456,976 passwords -- if the password is case sensitive there are 52^4 combinations, or 7,311,616. And that's just a four character password not using numbers.

    Given that simple policy, a hacker gets exactly 12 guesses before the account is disabled. This not only protects the owner of the account, it informs them that somebody is attempting to access their account -- I also record the IP address of every request. A four character password without numbers is actually pretty strong if the people doing the programming have any concerns about protecting your privacy.

    What really ticks me off are systems that require you to use 8+ characters, must use upper and lower case, must include a number, and must be changed every X days. What in the hell are they thinking? These are the passwords that I actually write down -- because I can't remember them. Writing your password down is a real security issue, but if forced to continually change passwords -- most people will (I do). If you're working with a system that continually asks you to change your password, it's a system that is not secure -- and the operators know it. They're openly acknowledging it. The difference between a random four letter case sensitive password and eight upper/lower with a number is the difference between winning the state lottery and the sun not rising tomorrow, assuming your provider has some security features in place. If you can get past ten attempts without an account being timed out, the programmers need some instructions on how to close a window.
     
    1 person likes this.
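The lockout policy SheetWise describes in the post above (a failure counter over a 15-minute window, a 15-minute lockout on the 4th failure, and the password disabled on the 3rd lockout), written out as an added Python example. This is not code from the post or from the forum; the `AccountRecord` class, the `attempt_login` function, the `guesses_until_disabled` simulation and all sample passwords, timestamps and IP addresses are constructed here for illustration. It stores the sample password in plain text only to keep the example short; a real system would store a salted hash. The simulation reproduces the post's own figure of 12 guesses before the account is disabled.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(minutes=15)   # failure-counting window and lockout length
FAILS_PER_LOCKOUT = 4            # 4th failure inside a window locks the account
LOCKOUTS_BEFORE_DISABLE = 3      # 3rd lockout disables the password


@dataclass
class AccountRecord:
    """Constructed stand-in for the 'customer master record' in the post."""
    password: str                          # constructed sample; store a salted hash in practice
    attempts: list = field(default_factory=list)   # (timestamp, ip, result) for every attempt
    fail_count: int = 0                    # failures in the current 15-minute window
    last_attempt: Optional[datetime] = None
    locked_until: Optional[datetime] = None
    timeout_count: int = 0                 # number of 15-minute lockouts so far
    password_disabled: bool = False


def attempt_login(rec: AccountRecord, supplied: str, ip: str, now: datetime) -> str:
    """Apply the policy to one attempt; returns 'ok', 'bad', 'locked' or 'disabled'."""
    if rec.password_disabled:
        result = "disabled"
    elif rec.locked_until is not None and now < rec.locked_until:
        result = "locked"                  # nothing is checked during a lockout, right or wrong
    else:
        # The counter resets only after 15 minutes with no attempts at all.
        if rec.last_attempt is not None and now - rec.last_attempt >= WINDOW:
            rec.fail_count = 0
        if hmac.compare_digest(supplied.encode(), rec.password.encode()):
            result = "ok"
        else:
            rec.fail_count += 1
            if rec.fail_count >= FAILS_PER_LOCKOUT:
                rec.fail_count = 0
                rec.timeout_count += 1
                rec.locked_until = now + WINDOW
                if rec.timeout_count >= LOCKOUTS_BEFORE_DISABLE:
                    rec.password_disabled = True   # the post e-mails the user at this point
                    result = "disabled"
                else:
                    result = "locked"              # the post offers a reset by e-mail here
            else:
                result = "bad"
    rec.last_attempt = now
    rec.attempts.append((now, ip, result))         # the post logs date, time and IP of each attempt
    return result


def guesses_until_disabled(rec: AccountRecord, start: datetime, ip: str = "198.51.100.7") -> int:
    """Simulate a guesser who tries once a minute and waits out each lockout.

    Returns how many wrong guesses it takes before the password is disabled.
    """
    now, guesses = start, 0
    while True:
        result = attempt_login(rec, "wrong-guess", ip, now)
        guesses += 1
        if result == "disabled":
            return guesses
        now = rec.locked_until if result == "locked" else now + timedelta(minutes=1)


if __name__ == "__main__":
    t0 = datetime(2011, 8, 26, 12, 0)              # constructed timestamp
    rec = AccountRecord(password="s3cret")
    print(guesses_until_disabled(rec, t0))         # 12, as the post states
```

Two details of the post are worth seeing in the code: a correct password is refused while the lockout is running, and the failure counter is cleared only by 15 quiet minutes, not by a successful login. Every attempt, including refused ones, lands in `rec.attempts` with its IP, which is what lets the account owner be told that someone has been knocking.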
  4. troy2000
    Joined: Nov 2009
    Posts: 1,738
    Likes: 170, Points: 63, Legacy Rep: 2078
    Location: California

    troy2000 Senior Member

    Amen. I wish you could come say that to the IT bozos at my company. Although I doubt they'd listen to you.
     

  5. SheetWise
    Joined: Jul 2004
    Posts: 279
    Likes: 54, Points: 0, Legacy Rep: 658
    Location: Phoenix

    SheetWise All Beach -- No Water.

    You're right. I've been hired by some very large corporations where the IT staff won't even take instructions from the President or CEO. They can be an independent bunch -- and if they're cynical enough, they can literally make themselves indispensable. None of which makes them "smart" ...
     