[TriLUG] OT: password generation

Warren Myers volcimaster at gmail.com
Fri Feb 25 13:19:29 EST 2005


Thanks for the feedback. Right now, my generator uses the built-in
PRNG in PHP, seeding with a mutated form of the current time.

The tool was mostly for demonstration purposes, though I do know a
couple people who have used it in one form or other already in the few
days since I offered it.

I do agree that the ATM PIN is a much different situation, though.
Since the card won't work without the PIN, and the PIN is useless
without a corresponding card, you're safe as long as you don't lose the
card, or get forced to an ATM at knife-point. Any two-pronged security
system like that _should_ be more secure. Of course, the assumption is
that it is inherently hard to forge the token, so the PIN could even
be public knowledge. After all, in 4 digits, there are only 10000
possible combinations, so a lot of people probably use the PIN I used
to have, or the one I use now.

The point made about securing passwords in some form of authentication
tool, like the one in Firefox, Thunderbird, IE, Keychain, etc., comes
down to depending on securing that container tool _really_ well so
that random passers-by can't find out what's in the stored file. Under
any system that utilizes virtual memory (i.e., most any OS in use
outside of embedded devices), you also have the problem of unsecuring
the stored password to log in to a website/computer/whatever, and
having that page of memory swapped to disk.

Biometrics would be nice if the storage systems could be set up so
that anyone could verify against the system, and anyone could add to
the system, but that no one could change data stored outside of the
owner (i.e., if you get married and change your name, your
fingerprint/retinal scan/etc. is still the same, but you would want to
be able to change your name as stored).

WMM


On Thu, 24 Feb 2005 14:35:21 -0500, Joseph Tate <dragonstrider at gmail.com> wrote:
> If you used something like cracklib to verify the passwords generated,
> any random character generator would be sufficient.
> 
> Cracklib, which has been around forever, mostly validates against
> dictionary words.  Interesting to note that the dicts that come with
> cracklib include Star Wars and Star Trek as well as Monty Python
> references, making it difficult to use your geek entertainment
> knowledge to bypass the dictionary checking routines.
> 
> On Thu, 24 Feb 2005 12:57:10 -0500, Mack.Joseph at epamail.epa.gov
> <Mack.Joseph at epamail.epa.gov> wrote:
> > Joseph Mack PhD, High Performance Computing & Scientific Visualisation
> > LMIT, Supporting the EPA Research Triangle Park, NC 919-541-0007
> > Federal Contact - John B. Smith 919-541-1087 - smith.john at epa.gov
> >
> > trilug-bounces at trilug.org wrote on 02/24/2005 12:38:37 PM:
> >
> > > Mack.Joseph at epamail.epa.gov wrote:
> > >
> > > > I've had the same 4 digit PIN on my ATM card for about 20yrs and my
> > > > account hasn't been cracked yet.
> > >
> > > Not a fair comparison.
> >
> > Agreed. A recent article
> >
> > http://it.slashdot.org/article.pl?sid=05/02/03/1855258&tid=172&tid=1
> >
> > points out that passwords aren't a real good solution in the first
> > place,
> > which was the point I was hoping people would get from the ATM example.
> >
> >
> > > ATM authentication is two factor: something you
> > > have (your ATM card) and something you know (your PIN).
> > > Passwords are single factor: something you know.
> > > Two factor authentication for system
> > > login would lessen the complexity requirements for passwords.
> >
> > Presumably the ATM card piece of info is hard to guess
> > (there is a large sparsely occupied namespace used on
> > the magnetic strip).
> > For conventional login, you have a username and a passwd.
> > Neither should be known to the attacker,
> > but it isn't hard to guess usernames,
> > so make the standard login a 1.1 factor authentication.
> >
> > Joe
> >
> > --
> > TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> > TriLUG Organizational FAQ  : http://trilug.org/faq/
> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> > TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
> >
> 
> --
> Joseph Tate
> Personal e-mail: jtate AT dragonstrider DOT com
> Web: http://www.dragonstrider.com
> 


-- 
http://warrenmyers.com
"Don't let the elephants see what the rabbits are doing." --Ben R Rich
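Since the generator in this thread seeds PHP's built-in PRNG from the clock, here is an added example (not the generator discussed above, nor anyone on the list's code) that instead draws each symbol from the OS CSPRNG via random_int(), prints the entropy of a 4-digit PIN beside that of a 12-symbol password, and rejects candidates containing a word from a cracklib-style list. The alphabet and the five-word list are constructed assumptions, not cracklib's dictionaries.

```php
<?php
// Symbol set for generated passwords (an assumption; 70 symbols here).
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*';

// Constructed stand-in for a cracklib-style word list (lower case).
const WEAK_WORDS = ['password', 'trilug', 'skywalker', 'picard', 'spam'];

// Entropy in bits of a string of $length symbols drawn uniformly from $alphabetSize symbols.
function entropyBits(int $alphabetSize, int $length): float
{
    return $length * log($alphabetSize, 2);
}

// One candidate password. random_int() reads the OS CSPRNG and is uniform over the
// range, so there is no clock-based seed to recover and no modulo bias, unlike rand()/mt_rand().
function generatePassword(int $length): string
{
    $alphabet = ALPHABET;
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Cracklib-style check: reject candidates containing a list word, case-insensitively.
function containsWeakWord(string $candidate): bool
{
    $lower = strtolower($candidate);
    foreach (WEAK_WORDS as $word) {
        if (strpos($lower, $word) !== false) {
            return true;
        }
    }
    return false;
}

// Draw again until the candidate passes the word-list check; random strings rarely fail it.
function generateCheckedPassword(int $length): string
{
    do {
        $candidate = generatePassword($length);
    } while (containsWeakWord($candidate));
    return $candidate;
}
printf("4-digit PIN: %.1f bits\n", entropyBits(10, 4));
printf("12 symbols from %d: %.1f bits\n", strlen(ALPHABET), entropyBits(strlen(ALPHABET), 12));
echo generateCheckedPassword(12), "\n";
```

The entropy figures assume every symbol is chosen uniformly and independently, which holds for random_int() but not for a PRNG whose seed an observer can narrow down to a small range of timestamps.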


