mcnally
response 113 of 222:
Jun 7 02:06 UTC 2000
as opposed to Grex?

steve
response 114 of 222:
Jun 7 02:21 UTC 2000
Grex represents its own set of value, but I'm talking of systems
such as anything used in a business where obtaining a pw might result
in a vandal being able to manipulate something like product that a
company has, or something else of direct value in the real world.
Grex doesn't have any of that kind of stuff online, so the most
dangerous thing that could happen is all related to email, which isn't
saying that emails to the wrong people can't land someone in a fair
amount of trouble.

cmcgee
response 115 of 222:
Jun 7 02:40 UTC 2000
The UM password checker is even snippier than Grex. I finally used my
favorite password with punctuation marks separating some letters. It didn't
like my "first letter of each word in the title of a book, song, etc"
algorithm.

twinkie
response 116 of 222:
Jun 7 02:57 UTC 2000
re: 103 -- By default, Windows NT *will* let you reuse an old password. You
can set it to never accept a used password, or you can set a threshold, such
that NT will not accept a used password until there have been 10 unused ones.
(Which can easily be defeated by changing your password 10 times in a row)

bdh3
response 117 of 222:
Jun 7 03:29 UTC 2000
The yucky mainframes where I work have a very picky
password program that not only requires 1 non alpha, but doesn't let you
reuse passwords ever and you have to change it every 90 days and you
can't use the same password on different machines.
In my group we all have thinkpads as we are 'mobile'. As a result
of the 'very secure' password scheme the mainframe gang uses just
about all of my cadre have a label stuck to our laptops with system
name and password pairs written on them. (I at least keep them in my
palm pilot encrypted under a central password.)
Humans are the weak link in any security system.

jmsaul
response 118 of 222:
Jun 7 03:49 UTC 2000
Yep, and the pickier the password program is, the weaker a link the humans
become. It's a tradeoff.

steve
response 119 of 222:
Jun 7 04:28 UTC 2000
I dunno. Grex has trained a lot of people into thinking about passwords
in ways that they didn't, before. I have had many, many conversations with
people about the pickiness of our passwd program, and at least some people
who use Grex have an awareness of passwords that they didn't before. Now,
some people are probably the opposite, and rebel and use the same one
difficult pw over and over, so in that sense, there is a tradeoff in the
general population of people. But I do think that some people here choose
better pw's because of Grex's pickiness, which is a good thing.

omni
response 120 of 222:
Jun 7 04:29 UTC 2000
If I've learned anything in the last 7 years, I've learned that when
STeve advises you to do something it is in your best interest to heed
his advice.
Just before I got my ham license, I asked STeve about radios. He told
me ICOM was just about the best one on the market. I followed his counsel
and have not been sorry. That was almost 8 years ago.
I changed my password this morning. The new one will be a pain to learn,
but I will learn it. It is better than a death threat sent to the president
in my name.
Thanks for being vigilant, STeve.

omni
response 121 of 222:
Jun 7 04:30 UTC 2000
STeve slipped in.

senna
response 122 of 222:
Jun 7 04:38 UTC 2000
I have a number of rotating passwords, so I shuffled around to satisfy my
desire for security.

jmsaul
response 123 of 222:
Jun 7 04:40 UTC 2000
Re #119: Programs which require strong passwords do help against people
running crack and the like, there's no doubt. Unfortunately,
they lead to other security problems, like people writing passwords
down on post-it notes stuck to their monitors. Whether it's a
good tradeoff depends on which threat you're more worried about.
In an institutional environment, I'd usually worry more about the
post-it notes. Here, worrying more about script kiddies may be
a good call. In any event, Grex isn't doing the thing that provokes
the worst "weak link" behavior -- timed expiration.
On general principle, though, I'm not so sure you should be
encouraging people to write their passwords down. Even if it
isn't a problem here, it's a bad habit to be in in an office
environment.

omni
response 124 of 222:
Jun 7 07:44 UTC 2000
If I don't write it down, I'm gonna forget it.
I think I'm gettin' old. My bones is getting creaky and
I'm forgettin things I should remember and rememberin'
things I should have forgot. Oh dear. ;)
I do have a large supply of potential passwords. I'm not
worried about the password program rejecting one of my potentials.

goose
response 125 of 222:
Jun 7 11:10 UTC 2000
(RE:Icom -- I like and trust STeve, but I've not been happy with my Icom.
I'd much rather have a Yaesu HT, and a Kenwood Mobile)

iggy
response 126 of 222:
Jun 7 12:35 UTC 2000
the stupidest password i had ever known anyone to have was 'password'

jmsaul
response 127 of 222:
Jun 7 12:37 UTC 2000
"secret" is another popular one.

jep
response 128 of 222:
Jun 7 13:02 UTC 2000
It's amusing, working in an office where passwords have to be changed
often. You can walk around and find out anyone's password, from the
post-it note on the front of their computer.

jazz
response 129 of 222:
Jun 7 15:42 UTC 2000
Yet another thing that is not commonly understood in IT is that
convenience, security, and ease of setup are related in a Heisenbergian way.
The more security you have, the less convenience or ease of setup ...

rcurl
response 130 of 222:
Jun 7 16:08 UTC 2000
Most of my passwords for various systems are on postit notes on my
computer...very handy 8^}

remmers
response 131 of 222:
Jun 7 16:46 UTC 2000
The last time Grex forced me to change my password, I came up
with what I thought was a paragon of obscurity. "Too obvious",
said the passwd program. So I chose an even more obscure-
seeming one. "Too obvious".
Finally, I chose one that seemed (to me) distinctly more obvious
than the first two. The passwd program took it without objection.
Go figure.

remmers
response 132 of 222:
Jun 7 16:50 UTC 2000
(Password-cracker wannabes should take note that my current
password is now different than the "more obvious" one mentioned
above. I changed it again in the wake of the recent gryps
vandalism.)

drew
response 133 of 222:
Jun 7 19:37 UTC 2000
If a password is not in any dictionary, is it still possible/feasible for the
crack program to find it by trial and error? Assume it to be running on a 500
MHz PC.

scg
response 134 of 222:
Jun 7 19:40 UTC 2000
That would depend. If it's truly a string of random characters, there's a
huge number of possibilities, and that would take a very long time. If it's
something like all numbers, all lower case letters, or something like that,
it won't be that hard.

mdw
response 135 of 222:
Jun 7 20:17 UTC 2000
If it's short enough, it doesn't matter how random the characters are.
Crack programs generally iterate all the possible permutations of
characters for short lengths, then use rules to generate a small set of
variations (such as mixed case, added digit, etc.) based on every entry
in a set of word lists.
The logic in passwd tries to forbid choices like this - so it forbids
passwords that are "too short", and it has its own set of word lists
which it checks. A password that fails the check in passwd is almost
certainly a bad choice. Just because it passes the check doesn't mean
it's a good choice however, the question there would be if it's
something that could be generated by a rule selected by a vandal, and
it's somewhat difficult to predict just what rules a vandal might
actually select.
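The check mdw describes in this post, as an added example that is not part of the thread and is neither Grex's passwd nor the Crack program: it refuses the short, word-list-derived and single-character-class choices that exhaustive search and mangling rules reach first, and gives a worst-case search-time estimate for drew's question in response 133. The word list, minimum length and guess rate are constructed assumptions, not values from Grex.

```python
"""Added example, not Grex's passwd or the Crack program: a passwd-style check
that refuses what the post says a cracker tries first, plus a rough estimate of
exhaustive search time. The word list and the guess rate are constructed."""
import string

MIN_LENGTH = 8  # assumption: the length below which passwd says "too short"
WORD_LIST = {"password", "secret", "grex", "letmein"}  # constructed stand-in
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 32}

def variations(word):
    """Variants a mangling rule set derives from one word-list entry:
    case changes, reversal, and one digit added at either end."""
    bases = {word.lower(), word.upper(), word.capitalize(), word[::-1].lower()}
    for base in bases:
        yield base
        for digit in string.digits:
            yield base + digit
            yield digit + base

def character_classes(candidate):
    """Distinct classes (lower, upper, digit, other) the password draws on."""
    classes = set()
    for ch in candidate:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes

def check_password(candidate, words=WORD_LIST, min_length=MIN_LENGTH):
    """Return None if the candidate passes, otherwise passwd's objection."""
    if len(candidate) < min_length:
        return "too short"
    if any(candidate in variations(word) for word in words):
        return "too obvious"  # derivable from a word-list entry by a rule
    if len(character_classes(candidate)) < 2:
        return "too simple"   # all digits, all lower case, and so on
    return None

def brute_force_seconds(candidate, guesses_per_second=10_000):
    """Worst-case seconds to enumerate every string of the same length drawn
    from the same classes. 10,000 crypt(3) guesses/s on a 2000-era PC is an
    assumed figure, not a measurement."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(candidate))
    return alphabet ** len(candidate) / guesses_per_second
```

Passing the check only means the password is not reachable by the rules modelled here; as the post notes, a vandal may pick rules this checker does not anticipate.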

spooked
response 136 of 222:
Jun 7 23:32 UTC 2000
The one-way hash functions on Unix password systems are all the same,
correct? If so, why?

mcnally
response 137 of 222:
Jun 8 00:38 UTC 2000
I don't think that is correct, actually.