Re: A better way to think about passwords

2011-05-27 Thread Andre Amorim
Just a "blood-thing" about linguists reminds me of "language acquisition", anyway. On 28 May 2011 00:16, Daniel Kahn Gillmor wrote: > On Sun, 17 Apr 2011 15:49:58 -0700, Doug Barton wrote: >> Summary: A 3-word password (e.g., "quick brown fox") is secure against >> cracking attempts for 2,537 year

Re: A better way to think about passwords

2011-05-27 Thread Daniel Kahn Gillmor
On Sun, 17 Apr 2011 15:49:58 -0700, Doug Barton wrote: > Summary: A 3-word password (e.g., "quick brown fox") is secure against > cracking attempts for 2,537 years. > > http://www.baekdal.com/tips/password-security-usability A computational linguist's rebuttal to Baekdal's post: http://trochee

Re: A better way to think about passwords

2011-04-27 Thread Ben McGinnes
On 27/04/11 7:04 PM, Aaron Toponce wrote: > On Sun, Apr 17, 2011 at 03:49:58PM -0700, Doug Barton wrote: >> Summary: A 3-word password (e.g., "quick brown fox") is secure against >> cracking attempts for 2,537 years. >> >> http://www.baekdal.com/tips/password-security-usability > > I'm just going

Re: A better way to think about passwords

2011-04-27 Thread Aaron Toponce
On Sun, Apr 17, 2011 at 03:49:58PM -0700, Doug Barton wrote: > Summary: A 3-word password (e.g., "quick brown fox") is secure against > cracking attempts for 2,537 years. > > http://www.baekdal.com/tips/password-security-usability I'm just going to drop this here: http://www.troyhunt.com/2011/04/

Re: A better way to think about passwords

2011-04-27 Thread Aaron Toponce
On Tue, Apr 26, 2011 at 07:47:55PM -0300, Faramir wrote: > Indeed. In fact, I keep some passwords on paper, just in case I can't > use my password manager (like the password to access the site where I > stored the password manager database backup. It doesn't include the > passphrase to open the b

Re: A better way to think about passwords

2011-04-26 Thread Faramir
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 24-04-2011 6:49, Mike Acker wrote: > On 14:59, Faramir wrote: >> You can store them in a password manager, it's more secure than a txt ... > how long have we been asking the industry for Single Logon? a password > manager could help to final

Re: A better way to think about passwords

2011-04-26 Thread Faramir
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 24-04-2011 13:47, Ingo Klöcker wrote: > On Sunday 24 April 2011, Faramir wrote: ... >> You can store them in a password manager, it's more secure than a >> txt file or a post-it on the screen. > > That's not true. A Post-It is much more secu

Re: A better way to think about passwords

2011-04-25 Thread Werner Koch
On Mon, 25 Apr 2011 20:04, kloec...@kde.org said: > from those living with you (i.e. you do not trust them) then you better > make sure those other people are either computer-illiterate or never > have unattended access to your computer. and you should also always check the cabling of your box.

Re: A better way to think about passwords

2011-04-25 Thread Ingo Klöcker
On Monday 25 April 2011, MFPA wrote: > Hi > > > On Sunday 24 April 2011 at 5:47:40 PM, in > > , Ingo Klöcker wrote: > > A Post-It is much more secure if you > > do not have to keep the password secret from people > > who have physical access to your computer. For most > > home users this shoul

Re: A better way to think about passwords

2011-04-25 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 24 April 2011 at 5:47:40 PM, in , Ingo Klöcker wrote: > A Post-It is much more secure if you > do not have to keep the password secret from people > who have physical access to your computer. For most > home users this should be th

Re: A better way to think about passwords

2011-04-24 Thread Ingo Klöcker
On Sunday 24 April 2011, Faramir wrote: > On 21-04-2011 10:20, Jean-David Beyer wrote: > ... > > > to remember them all in any case. Even if I could remember them, I > > could not even remember what login to use on each machine, and > > which password went with which login so I did write them d

Re: A better way to think about passwords

2011-04-24 Thread Aaron Toponce
On Sun, Apr 17, 2011 at 03:49:58PM -0700, Doug Barton wrote: > Summary: A 3-word password (e.g., "quick brown fox") is secure against > cracking attempts for 2,537 years. > > http://www.baekdal.com/tips/password-security-usability Yeah, I've read it. It sucks. If an author claims they know somethi

Re: A better way to think about passwords

2011-04-24 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Sunday 24 April 2011 at 4:23:39 AM, in , Faramir wrote: > You can store them in a password manager, it's more > secure than a txt file or a post-it on the screen. The > only problem is you need a working computer in order to > be able to o

Re: A better way to think about passwords

2011-04-23 Thread Faramir
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 21-04-2011 10:20, Jean-David Beyer wrote: ... > to remember them all in any case. Even if I could remember them, I could > not even remember what login to use on each machine, and which password > went with which login so I did write them down

Re: A better way to think about passwords

2011-04-22 Thread Robert J. Hansen
On 4/22/11 10:04 AM, Nicholas Cole wrote: > What I meant was rather this: there are several strategies that > produce good passwords. Teaching them requires (at some employers) a > 30 minute course or the reading of a web page. However, forcing any > *particular* strategy onto users will dramatic

Re: A better way to think about passwords

2011-04-22 Thread Nicholas Cole
On Thu, Apr 21, 2011 at 1:38 PM, Robert J. Hansen wrote: >> In short: don't force a particular strategy on your users.  Much >> better to explain to users the general problem, and then leave it up >> to them to pick a password. > > Historically speaking, this has shown not to work.  I'll try to di

Re: A better way to think about passwords

2011-04-21 Thread Jean-David Beyer
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MFPA wrote: > Hi > > > On Thursday 21 April 2011 at 2:20:51 PM, in > , Jean-David Beyer wrote: > > >> I do not think it is entirely not wanting to be >> educated. But if the education takes several hours a >> week to keep up with and to administer

Re: A better way to think about passwords

2011-04-21 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Thursday 21 April 2011 at 2:20:51 PM, in , Jean-David Beyer wrote: > I do not think it is entirely not wanting to be > educated. But if the education takes several hours a > week to keep up with and to administer my own > responsibilities i

Re: A better way to think about passwords

2011-04-21 Thread Devin Fisher
If you leave it up to a user, they'll choose nothing, or the last four of the social. There should be criteria, but not public criteria. --Original Message-- From: Nicholas Cole Sender: gnupg-users-boun...@gnupg.org To: gnupg-users@gnupg.org Subject: Re: A better way to think about pass

Re: A better way to think about passwords

2011-04-21 Thread Jean-David Beyer
Robert J. Hansen wrote: >> In short: don't force a particular strategy on your users. Much >> better to explain to users the general problem, and then leave it >> up to them to pick a password. > > Historically speaking, this has shown not to work. I'll try to dig > up the HCI references if peo

Re: A better way to think about passwords

2011-04-21 Thread Robert J. Hansen
> In short: don't force a particular strategy on your users. Much > better to explain to users the general problem, and then leave it up > to them to pick a password. Historically speaking, this has shown not to work. I'll try to dig up the HCI references if people really want, but the gist of

Re: A better way to think about passwords

2011-04-21 Thread Nicholas Cole
Isn't the real problem that *any* policy (suggested or enforced) reduces the complexity of guessing a password? The moment you start saying "pick three words separated by a space or dash" or "pick eight random letters" or the like you make it easier to attack a password. My employer insists on pas

Re: A better way to think about passwords

2011-04-19 Thread Robert J. Hansen
> FYI, This is the topic of the upcoming episode of Security Now. Gibson's reputation in this area is mixed. That doesn't mean what he says is wrong, but I'd suggest listening with skeptical ears -- which, you know, you really ought to be doing with everyone on the internet anyway. :) PGP.s

Re: A better way to think about passwords

2011-04-19 Thread Fraser Tweedale
On Sun, Apr 17, 2011 at 03:49:58PM -0700, Doug Barton wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Summary: A 3-word password (e.g., "quick brown fox") is secure against > cracking attempts for 2,537 years. > > http://www.baekdal.com/tips/password-security-usability > > - -- >

Re: A better way to think about passwords

2011-04-19 Thread MFPA
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi On Tuesday 19 April 2011 at 11:56:30 AM, in , Faramir wrote: > It would still be > vulnerable to a complete rainbow table for SHA-256, but > if such rainbow table exists at all, then we are all > toasted, no matter what password we use, it wou

Re: A better way to think about passwords

2011-04-19 Thread Mark H. Wood
Well, memory seems to be a highly individual thing. Mine is not so good in some ways, and I've had to learn to search for the kinds of patterns that I find memorable. Frequent use helps too: I've learned to put repeating "touching base" notes on my calendar to make me learn passwords to things wh

Re: A better way to think about passwords

2011-04-19 Thread Faramir
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 18-04-2011 8:21, Hauke Laging wrote: > On Monday 18 April 2011 12:53:12 Faramir wrote: > >> Maybe we should just pick a "good password", hash it a couple of >> times, and use that hash as the real password... we could carry the >> hashing

Re: A better way to think about passwords

2011-04-18 Thread Avi
I know I'm late to the party, and forgive me if someone posted these links already, but the two essays I found most informative and helpful when trying to create secure passwords were:

Re: A better way to think about passwords

2011-04-18 Thread Ingo Klöcker
On Monday 18 April 2011, Robert J. Hansen wrote: > On 4/18/2011 1:02 PM, Mark H. Wood wrote: > > Oh, sure -- I do that too. But the CC memorization problem seems a > > lot easier. First, it's all digits, not a typical Base64 mishmash. > > YMMV, but to me a glyph is a glyph is a glyph. > > > Sec

Re: A better way to think about passwords

2011-04-18 Thread Robert J. Hansen
On 4/18/2011 1:02 PM, Mark H. Wood wrote: > Oh, sure -- I do that too. But the CC memorization problem seems a > lot easier. First, it's all digits, not a typical Base64 mishmash. YMMV, but to me a glyph is a glyph is a glyph. > Second, it's not a 23-digit number; it's a 16-digit number, a date

Re: A better way to think about passwords

2011-04-18 Thread Grant Olson
On 4/18/11 1:02 PM, Mark H. Wood wrote: > > OTOH if there are any useful groupings in "c2l4IHdvcmRzIGxvbmcuCg==" > they are not readily visible to me. My eye tends to slide right past > it without taking anything in. > > This is why I tend to use something like APG to generate strings of > nonse

Re: A better way to think about passwords

2011-04-18 Thread Grant Olson
On 4/18/11 2:09 PM, Grant Olson wrote: > On 4/18/11 1:02 PM, Mark H. Wood wrote: >> >> OTOH if there are any useful groupings in "c2l4IHdvcmRzIGxvbmcuCg==" >> they are not readily visible to me. My eye tends to slide right past >> it without taking anything in. >> >> This is why I tend to use some

Re: A better way to think about passwords

2011-04-18 Thread Mark H. Wood
On Mon, Apr 18, 2011 at 12:11:24PM -0400, Robert J. Hansen wrote: > On 4/18/2011 11:46 AM, Mark H. Wood wrote: > > It's easy to build gadgets which yield passwords that are > > mathematically very strong. The problem is that such passwords tend > > to be psychologically and pragmatically weak: yo

Re: A better way to think about passwords

2011-04-18 Thread Andrew Long
On 18 Apr 2011, at 17:11, Robert J. Hansen wrote: > On 4/18/2011 11:46 AM, Mark H. Wood wrote: >> It's easy to build gadgets which yield passwords that are >> mathematically very strong. The problem is that such passwords tend >> to be psychologically and pragmatically weak: you'll never rememb

Re: A better way to think about passwords

2011-04-18 Thread Andrew Long
On 18 Apr 2011, at 02:31, Doug Barton wrote: > > > On the other other hand, if passwords are so easy to crack, why use them at > all? :) "On the gripping hand"... Sorry, couldn't resist channelling a bit of Niven/Pournelle ;-) Regards, Andy -- Andrew Long andrew dot long at mac dot com

Re: A better way to think about passwords

2011-04-18 Thread Robert J. Hansen
On 4/18/2011 11:46 AM, Mark H. Wood wrote: > It's easy to build gadgets which yield passwords that are > mathematically very strong. The problem is that such passwords tend > to be psychologically and pragmatically weak: you'll never remember > "dishGhebJactotCerUnJodNavhahifbobTyWodvacushdojHash

Re: A better way to think about passwords

2011-04-18 Thread Mark H. Wood
I think the author of the page was on his way to saying something important but got sidetracked. Whether his math works or not is secondary to the bit I think is important. It's easy to build gadgets which yield passwords that are mathematically very strong. The problem is that such passwords te

Re: A better way to think about passwords

2011-04-18 Thread Faramir
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 17-04-2011 23:50, Grant Olson wrote: ... > But if you don't, and you use a dictionary word, or a dictionary word > with l33t-sp34k, or two dictionary words, your opponent can develop a > strategy that beats the average case brute force time. A

Re: A better way to think about passwords

2011-04-18 Thread Carsten Aulbert
Hi On Monday 18 April 2011 00:58:13 Robert J. Hansen wrote: > > His math doesn't work. I call shenanigans on the entire thing. I'd like to add a F-ACK to that statement, out of curiosity I tried cracking "J4fS<2" with CUDA multiforcer and it took less than 15 minutes on a single GF200 class c

Re: A better way to think about passwords

2011-04-18 Thread Hauke Laging
On Monday 18 April 2011 12:53:12 Faramir wrote: > Maybe we should just pick a "good password", hash it a couple of > times, and use that hash as the real password... we could carry the > hashing tool in a flash drive. That does not make sense to me because you do not increase the key space by

Re: A better way to think about passwords

2011-04-18 Thread Faramir
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 17-04-2011 20:27, Andre Amorim wrote: > On 17 April 2011 23:58, Robert J. Hansen wrote: >>> Summary: A 3-word password (e.g., "quick brown fox") is secure against >>> cracking attempts for 2,537 years. >> >> I am giving a great big yuk to his

Re: A better way to think about passwords

2011-04-18 Thread Faramir
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 17-04-2011 20:39, Grant Olson wrote: ... > I think it's worth noting that the low entropy of english (you quoted > 2.5 bits per char in another thread) isn't just an academic issue. Real > password crackers actually do employ multiple strategi

Re: A better way to think about passwords

2011-04-17 Thread Robert J. Hansen
> I'd be interested in the result that comes from the same assumptions > you just used to refute his calculations. That is those that gave you > the result 'equals ten seconds to break it -- not the 3 minutes he > claims' Depending on who you refer to, English words have between 1.5 and 2.5 bits o

Re: A better way to think about passwords

2011-04-17 Thread Grant Olson
On 04/17/2011 09:31 PM, Doug Barton wrote: > I agree that the description of baekdal's use case is pretty limited, > and his math may be optimistic. OTOH this page seems to cast doubt on > the idea that even comparatively simple passwords can be cracked in very > short time periods, and more import

Re: A better way to think about passwords

2011-04-17 Thread Hedge Hog
On Mon, Apr 18, 2011 at 12:19 PM, Doug Barton wrote: > On 04/17/2011 18:25, Hedge Hog wrote: >> >> Twenty minutes with someone >> 'suitable' - maybe even your high school student - and a $5 budget for >> a hammer and they_will_  have your passphrase/password, or your life. > > True, a determined a

Re: A better way to think about passwords

2011-04-17 Thread Doug Barton
On 04/17/2011 18:25, Hedge Hog wrote: Twenty minutes with someone 'suitable' - maybe even your high school student - and a $5 budget for a hammer and they_will_ have your passphrase/password, or your life. True, a determined attacker will always be able to get access to your encrypted data. T

Re: A better way to think about passwords

2011-04-17 Thread Hedge Hog
On Mon, Apr 18, 2011 at 10:15 AM, Robert J. Hansen wrote: >> Correct. But do you claim the ideas are shenanigans: > > The idea of "use several words in a combination that's only meaningful and > predictable to you" is a good one.  That's not in debate.  The idea of "this > is fun" being a passph

Re: A better way to think about passwords

2011-04-17 Thread Doug Barton
I agree that the description of baekdal's use case is pretty limited, and his math may be optimistic. OTOH this page seems to cast doubt on the idea that even comparatively simple passwords can be cracked in very short time periods, and more importantly that length is more important than comple

Re: A better way to think about passwords

2011-04-17 Thread Andre Amorim
On 17 April 2011 23:58, Robert J. Hansen wrote: >> Summary: A 3-word password (e.g., "quick brown fox") is secure against >> cracking attempts for 2,537 years. > > I am giving a great big yuk to his methodology.  There's no reference to the > entropy of text, for instance.  His example of a three

Re: A better way to think about passwords

2011-04-17 Thread Grant Olson
On 04/17/2011 07:39 PM, Grant Olson wrote: > > (you quoted 2.5 bits per char in another thread) Apologies, actually you didn't say this. You said, "English text has in the neighborhood of 1.5 to 2.5 bits of entropy per glyph." Just correcting myself because I know how annoying it is to be mis

Re: A better way to think about passwords

2011-04-17 Thread Robert J. Hansen
> Correct. But do you claim the ideas are shenanigans: The idea of "use several words in a combination that's only meaningful and predictable to you" is a good one. That's not in debate. The idea of "this is fun" being a passphrase that will require 2,500 years of attacks to break is just abs

Re: A better way to think about passwords

2011-04-17 Thread Hedge Hog
On Mon, Apr 18, 2011 at 8:58 AM, Robert J. Hansen wrote: >> Summary: A 3-word password (e.g., "quick brown fox") is secure against >> cracking attempts for 2,537 years. > > I am giving a great big yuk to his methodology.  There's no reference to the > entropy of text, for instance.  His example o

Re: A better way to think about passwords

2011-04-17 Thread Robert J. Hansen
> I was thinking about that, between words, there is only a BLANK > SYMBOL, same value of any other given symbol. Well, from point of view > of math, nothing changes, all "data", but from "knowledge" point of > view about human behaviour it is possible that it's have some kind of > relevance. Yeah

Re: A better way to think about passwords

2011-04-17 Thread Grant Olson
On 04/17/2011 06:58 PM, Robert J. Hansen wrote: >> Summary: A 3-word password (e.g., "quick brown fox") is secure against >> cracking attempts for 2,537 years. > > I am giving a great big yuk to his methodology. There's no reference to the > entropy of text, for instance. His example of a three

Re: A better way to think about passwords

2011-04-17 Thread Robert J. Hansen
> Summary: A 3-word password (e.g., "quick brown fox") is secure against > cracking attempts for 2,537 years. I am giving a great big yuk to his methodology. There's no reference to the entropy of text, for instance. His example of a three common word password, "this is fun," amounts to a tota

A better way to think about passwords

2011-04-17 Thread Doug Barton
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Summary: A 3-word password (e.g., "quick brown fox") is secure against cracking attempts for 2,537 years. http://www.baekdal.com/tips/password-security-usability - -- Nothin' ever doesn't change, but nothin' changes much.