Date: Mon, 30 Aug 1999 09:53:12 -0400
From: David Jablon <[EMAIL PROTECTED]>
This is ridiculous. Tom presented results that were from a "real
world" setting, as suggested by the title "A Real World Analysis of
Kerberos Password Security".
(www.Integritysciences.com/links.html#Wu99). Your statement that
"those passwords would not have been captured if they weren't used"
is irrelevant. Some of them would have been cracked. And no one can
say how well the cracker would have performed against the changed
passwords.
Tom made the claim that "password quality checkers don't help". But the
results he used to prove that claim were weak at best, since he attacked
a realm where the password quality checker was installed just a few
weeks or months before. If he had said, "password quality checkers only
marginally help immediately after their installation", that would have
been fairer. But he didn't do that. His thesis in his paper wasn't
backed up by the evidence that he claimed supported it, and it is that
intellectual dishonesty that ticked me off the most.
Arguably that university could have done more when they installed the
checker to handle the transition. For example, they could have run a
password cracker themselves, and disabled the accounts of anyone with
weak passwords. But there are other real world considerations that have
to be considered besides just security, and they may not have had the
political clout to just turn off accounts with weak passwords
(especially, when often it is inconvenient people like department heads
that are often the biggest offenders). Over time, though, since a
university has a fairly quick turnover of users, the password quality
checker would have made a big difference in the security of their
systems.
Yes, password quality checkers are not a silver bullet. But they aren't
the complete disaster which he claimed in that paper, either. If you
consider that most of the passwords he cracked were completely trivial
passwords (including 1, 2, and 3 character passwords), it becomes pretty
obvious that a large number of his cracked passwords would not have passed
the muster of even the most rudimentary password quality checker. (For
example, at MIT the passwords must be at least six characters; it's not
just a simple dictionary test.)
IMHO? Get off it Ted. There's nothing particularly H about your O.
You just hate patents. Yet still I'm glad that there's no "program
committee" reviewing the Internet, so we can have these friendly
discussions. :-)
I dislike patents, because usually the patent holders try to extract
more value than they are worth, and they don't recognize how many
problems they cause for Open Source Software. But in this case, it was
the intellectual dishonesty, and the overstatement of his case, which
bothered me the most, and which reminded me more of a marketing
white paper than a peer-reviewed academic paper --- where you're
supposed to disclose inconvenient facts about your data set and how you
gathered it.
- Ted
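As an added illustration (not part of this e-mail thread and not code from either correspondent or from the paper under discussion), the following Python script applies the two rules the thread mentions, a six-character minimum length and a dictionary test, to a constructed list of passwords in the style of the trivial ones described above. The word list and the sample passwords are made up for the example; the point it shows is how a rudimentary checker partitions a cracked set into what it would have rejected and what it would have let through.

```python
"""Minimal password quality checker (added example, not from the thread).

Implements the two rules the discussion mentions: a minimum length of six
characters and a dictionary test, plus a check for single-character repeats.
The word list and the sample passwords below are constructed for illustration.
"""

MIN_LENGTH = 6

# Constructed stand-in for a cracking dictionary; a real checker would load
# a large word list from disk rather than hard-code a dozen entries.
DICTIONARY = {
    "password", "secret", "kerberos", "welcome", "qwerty", "letmein",
    "abc123", "monkey", "dragon", "summer", "winter", "student",
}


def normalize(pw):
    """Lower-case and strip leading/trailing digits and symbols so that
    'Secret1' and 'secret!' are compared against the same dictionary word."""
    return pw.lower().strip("0123456789!@#$%^&*.")


def check_password(pw, dictionary=DICTIONARY, min_length=MIN_LENGTH):
    """Return a list of reasons the password fails; an empty list means pass."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if normalize(pw) in dictionary:
        reasons.append("dictionary word after stripping case and decorations")
    if pw and len(set(pw)) == 1:
        reasons.append("single repeated character")
    return reasons


def filter_cracked(cracked, **kw):
    """Partition a list of recovered passwords into those the checker would
    have rejected and those it would have accepted."""
    rejected, passed = [], []
    for pw in cracked:
        (rejected if check_password(pw, **kw) else passed).append(pw)
    return rejected, passed


# Constructed sample in the style of the trivial passwords discussed above
# (including 1-, 2- and 3-character entries); not data from the paper.
CRACKED_SAMPLE = ["a", "12", "abc", "password", "Secret1", "111111",
                  "monkey", "tr0ub4dor", "kerberos!", "bluefish7"]

if __name__ == "__main__":
    rejected, passed = filter_cracked(CRACKED_SAMPLE)
    print(f"{len(rejected)} of {len(CRACKED_SAMPLE)} sample passwords "
          f"would have been rejected by the checker")
    for pw in rejected:
        print(f"  {pw!r}: {', '.join(check_password(pw))}")
    print("would have passed:", passed)
```

Running it shows eight of the ten constructed entries rejected; the two that pass are the ones with no dictionary core and adequate length, which is exactly the residue a checker cannot help with and a cracker still has to work for.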