
Thread: newbies-creating strong passwords.

  1. #11
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I take the view that a lot of password cracking tools are quite limited in the size of the password they will handle.

    There is also the question of how long someone will continue to attempt a crack.

    I generally recommend that newbies (or anyone else for that matter) use a "core password" and just expand it with some easily remembered characters something like this:

    €12345"core password"ABCDE$


  2. #12
    Senior Member
    Join Date
    Aug 2002
    Posts
    115
    It is funny that you should mention that, as 90% of the installations I have worked on require that every 90 days all passwords will be changed. And it's tough enough to get that 'core' password to flow from your fingertips so everyone just adds a bit to the front and back ....


    Very useful technique


    But, there are some 'evil' systems that 'know' what you're doing and state that this password is too similar to the old one. Grr.
    Civilization. The death of dreams.

  3. #13
    Junior Member
    Join Date
    Jan 2006
    Posts
    25
    i do not understand the concern over password complexity. according to my math if i extract my password randomly from the alphanumeric set plus the shifted numerics i will only need a password four entities long to satisfy the ansi x9.9 standard which states that the odds of guessing an authentication response must be no greater than one in 1'000'000.

    abcdefghijklmnopqrstuvwxyz + 0123456789 + !@#$%^&*()

    yields 46 entities. a four entity password would contain 46^4 | 4'477'456 possible passwords.

    given the normal three attempts before lockout policy featured by security minded organizations this number is divided by three for odds of one in 1'492'485. to reset the lockout the user must enter the correct authentication response twice consecutively. the first time will error as normal and quietly unlock the account. the user will then be notified of the login failures and can respond appropriately.

    considering that password hashes are plaintext equivalent the cracking argument is not valid either never mind the fact that very privileged access must already be acquired to access the hashes in the first place.

    passwords face five discrete threats.

    1. guessing (resolved by a four entity password as shown above.)
    2. brute force (resolved by limiting the attempts.)
    3. perception management (still an unresolved issue not affected by password complexity.)
    4. recording (resolved by ensuring system and channel integrity.)
    5. emanations (resolved by ensuring environmental integrity.)

    mandating long or complex authentication responses does little to increase trustworthiness while increasing the occurrence of users handling passwords inappropriately and decreasing administrative vigilance to invalid authentication attempts.

  4. #14
    Senior Member chizra's Avatar
    Join Date
    Feb 2006
    Location
    west india
    Posts
    152
    Relyt,

    Something like this?

    Hindsight is an exact science.
    MudBubble

  5. #15
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I guess that catch is right........ it depends on the attack vector?

    Three shots and you're out, is different from a hash download and all the time in the World?
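A worked version of the arithmetic in post #13 and the online-versus-offline distinction in post #15, added here as an example and not code from any poster. It uses the 46-symbol charset and the 1-in-1,000,000 figure from #13; the guess rate passed to the offline function is an assumed parameter.

```python
"""Password-space model for the numbers in this thread.

Constructed example, not a poster's code. It takes the 46-symbol charset from
post #13, checks the online guessing odds under a three-attempts-then-lockout
policy against the 1-in-1,000,000 figure the post cites, and then models the
offline case nihil raises in #15 (hash in hand, limited only by guess rate).
"""
from fractions import Fraction
import string

# Charset exactly as listed in post #13: lowercase letters, digits, shifted digits.
CHARSET = string.ascii_lowercase + string.digits + "!@#$%^&*()"
assert len(CHARSET) == 46

GUESS_ODDS_THRESHOLD = Fraction(1, 1_000_000)  # ANSI X9.9 figure quoted in #13


def keyspace(length, alphabet_size=len(CHARSET)):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def online_guess_probability(length, attempts=3, alphabet_size=len(CHARSET)):
    """Chance of hitting a uniformly random password within `attempts` tries,
    i.e. the online model where a lockout follows that many failures."""
    return Fraction(attempts, keyspace(length, alphabet_size))


def min_length_for_threshold(attempts=3, threshold=GUESS_ODDS_THRESHOLD,
                             alphabet_size=len(CHARSET)):
    """Shortest length whose online guess probability is at or below threshold."""
    length = 1
    while online_guess_probability(length, attempts, alphabet_size) > threshold:
        length += 1
    return length


def offline_exhaust_seconds(length, hashes_per_second, alphabet_size=len(CHARSET)):
    """Seconds to try every password of `length` symbols once the hash is stolen.
    hashes_per_second is an assumed parameter, not a figure from the thread."""
    return keyspace(length, alphabet_size) / hashes_per_second


if __name__ == "__main__":
    for n in (4, 8, 12):
        p = online_guess_probability(n)
        print(f"len {n}: keyspace {keyspace(n):,}; 3-try odds 1 in {int(1 / p):,}; "
              f"meets 1e-6: {p <= GUESS_ODDS_THRESHOLD}; "
              f"offline exhaust at 1e9 guesses/s: {offline_exhaust_seconds(n, 1e9):.3g} s")
```

Length 4 does clear the online threshold exactly as #13 claims, but the same keyspace is exhausted in a fraction of a second once the hash is available, which is the distinction #15 is pointing at.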

