[TriLUG] OT: password generation
Joseph Tate
dragonstrider at gmail.com
Thu Feb 24 14:35:21 EST 2005
If you used something like cracklib to verify the passwords generated,
any random character generator would be sufficient.
Cracklib, which has been around forever, mostly validates against
dictionary words. Interesting to note that the dicts that come with
cracklib include Star Wars and Star Trek as well as Monty Python
references, making it difficult to use your geek entertainment
knowledge to bypass the dictionary checking routines.
On Thu, 24 Feb 2005 12:57:10 -0500, Mack.Joseph at epamail.epa.gov
<Mack.Joseph at epamail.epa.gov> wrote:
> Joseph Mack PhD, High Performance Computing & Scientific Visualisation
> LMIT, Supporting the EPA Research Triangle Park, NC 919-541-0007
> Federal Contact - John B. Smith 919-541-1087 - smith.john at epa.gov
>
> trilug-bounces at trilug.org wrote on 02/24/2005 12:38:37 PM:
>
> > Mack.Joseph at epamail.epa.gov wrote:
> >
> > > I've had the same 4 digit PIN on my ATM card for about 20yrs and my
> > > account hasn't been cracked yet.
> >
> > Not a fair comparison.
>
> Agreed. A recent article
>
> http://it.slashdot.org/article.pl?sid=05/02/03/1855258&tid=172&tid=1
>
> points out that passwords aren't a real good solution in the first
> place,
> which was the point I was hoping people would get from the ATM example.
>
>
> > ATM authentication is two factor: something you
> > have (your ATM card) and something you know (your PIN).
> > Passwords are single factor: something you know.
> > Two factor authentication for system
> > login would lessen the complexity requirements for passwords.
>
> Presumably the ATM card piece of info is hard to guess
> (there is a large sparsely occupied namespace used on
> the magnetic strip).
> For conventional login, you have a username and a passwd.
> Neither should be known to the attacker,
> but it isn't hard to guess usernames,
> so make the standard login a 1.1 factor authentication.
>
> Joe
>
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
>
--
Joseph Tate
Personal e-mail: jtate AT dragonstrider DOT com
Web: http://www.dragonstrider.com
More information about the TriLUG
mailing list