Login functionality

Dagmar d'Surreal dagmar.wants at nospam.com
Wed Feb 18 10:32:40 PST 2004


On Wed, 2004-02-18 at 08:54, Spencer Collyer wrote:
> On Wed, 18 Feb 2004 00:49:06 -0700, ken_i_m at elegantinnovations.net wrote:
> > On Wed, Feb 18, 2004 at 12:50:22AM -0600, Charles Winebrinner
> > (cwinebrinner at lmtc.net) wrote:
> > > But, for instance, if it's a system with a lot of users and someone
> > > somehow gains access to the log, then that could be a major problem,
> > > because there are a lot of people that use the same password for
> > > everything. If the hacker can associate their usernames on the machine
> > > to external accounts, then he will have complete access to all of
> > > their other accounts.
> >  
> > Getting users to follow good password practice is a _hard_problem_.
> 
> The two major problems that I can think of immediately are:
> 
> 1) Making sure passwords are not 'obvious'. The definition of 'obvious' is
> open to some debate, but at the very least it should include lookup in a
> large dictionary (preferably multi-lingual), and disallowing pure-alpha or
> pure-numeric passwords (as a simple attempt to eliminate pet names or
> birthdays).
> 
> 2) Avoiding the 'necessity' that some users seem to have to write their
> passwords down in an easily-accessible place. Making passwords easily
> memorizable is an important factor here.
> 
> One solution to (1) might be to force users to use generated passwords -
> either ones that are given to them when the account is first set up, or
> else setting up the password change program so that it generates suggested
> passwords and allows them to pick one, but doesn't allow them to enter one
> of their own.
> 
> But if you implement that suggestion, you have to make sure that problem
> (2) is solved. One way is to use a password generator that generates
> 'English-like' (or 'Spanish-like' or 'Russian-like' or ... you get the
> idea) pronounceable passwords.
> 
> There are such programs available (googling for 'password generator' turns
> up several). I remember the SET PASSWORD command on VMS used to include an
> option (/GENERATE, IIRC) to do the same thing, and the suggestions it gave
> even showed how they could be pronounced.
> 
> Of course, the method used to generate the passwords would need to be
> capable of generating a large number of passwords, in order to make
> dictionary attacks as hard as possible. For instance, an algorithm that
> simply joined together three short (two- or three-letter sections) of text
> would be virtually useless if it only had ten different values to choose
> from for each part (giving just 1000 possible passwords), but would be
> more useful if supplied with 1000 or 10000 such values (giving 10^9 and
> 10^12 respectively).

This still reduces the keyspace needed to search by a pretty substantial
amount.  Reducing the keyspace is bad.  If you want an example of just
*how* bad this can get, a friend of mine who shall remain nameless spent
a small amount of time owning most of a particular Asian nation (that
shall also remain nameless) semi-recently, mainly because so many of
them were still using DES crypt (which has an input limit of 8
characters, or basically 64 bits of data) in combination with the
wonderful 16-bit character set, resulting in them using passwords that
are effectively four characters long.  The keyspace of their alphabet is
a bit larger than 26 characters, but the end result is that he could
brute force those passwords from their ciphertext in under a day.

If one is going to use an algorithm to generate passwords based on a
particular set of rules, one should remember that those rules can be
easily obverted into a set of rules for John the Ripper (the brute force
password cracker) to use.  (This is why you don't often see people
publishing how they are generating pseudo-random passwords.)  You can
buy a *ton* of CPU power for $10-15k now, and a corporate
counter-intelligence specialist is rather likely to have that much cash
to blow.  (Look at how cheaply you can fill half a rack with 1U >1GHz
machines from eBay, for example)
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org
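The two keyspace arguments in this thread (a segment-joining generator with 10, 1000 or 10000 values per part, and DES crypt's 8-byte input limit turning a 16-bit character set into a four-character password) can be checked with a small estimator. The following is an added example, not code from the thread or from any project it mentions; the CVC pattern, the 21/5 consonant/vowel split and the guess rate are constructed assumptions for illustration.

```python
import math

# Constructed example for estimating how much a password rule or a hash's
# input limit shrinks the keyspace an attacker must search. None of the
# numbers below come from the thread except the 10/1000/10000 segment cases
# and DES crypt's 8-byte limit; everything else is an assumption.

# Assumed alphabet split for "pronounceable" patterns (not in the thread).
CONSONANTS = 21
VOWELS = 5
PRINTABLE_ASCII = 95  # full space an uninformed cracker would have to search


def segment_keyspace(segments: int, values_per_segment: int) -> int:
    """Keyspace of a generator that joins `segments` pieces of text, each
    chosen from `values_per_segment` candidates (the thread's 10^3 / 10^9 /
    10^12 cases are segments=3 with 10, 1000 and 10000 values)."""
    return values_per_segment ** segments


def pattern_keyspace(pattern: str) -> int:
    """Keyspace of one pronounceable segment written as C/V letters, e.g.
    'CVC'. Assumes consonants and vowels are drawn uniformly."""
    space = 1
    for symbol in pattern:
        if symbol == "C":
            space *= CONSONANTS
        elif symbol == "V":
            space *= VOWELS
        else:
            raise ValueError(f"unknown pattern symbol {symbol!r}")
    return space


def uniform_keyspace(length: int, alphabet_size: int) -> int:
    """Keyspace of `length` characters chosen uniformly from the alphabet."""
    return alphabet_size ** length


def des_crypt_effective_length(bytes_per_char: int, limit_bytes: int = 8) -> int:
    """Classic DES crypt uses only the first 8 bytes of the password, so a
    two-byte (16-bit) character set leaves just 4 usable characters."""
    return limit_bytes // bytes_per_char


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy."""
    return math.log2(keyspace)


def reduction_bits(full: int, restricted: int) -> float:
    """How many bits a known generation rule removes from the search."""
    return bits(full) - bits(restricted)


def days_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return keyspace / guesses_per_second / 86400


if __name__ == "__main__":
    rate = 1e6  # assumed guesses/second for a small cluster; illustrative only
    full8 = uniform_keyspace(8, PRINTABLE_ASCII)
    print(f"8 printable ASCII chars: {bits(full8):.1f} bits")
    for values in (10, 1000, 10000):
        ks = segment_keyspace(3, values)
        print(f"3 segments x {values:>5} values: {bits(ks):5.1f} bits, "
              f"{reduction_bits(full8, ks):4.1f} bits lost, "
              f"{days_to_exhaust(ks, rate):.2g} days at {rate:.0e}/s")
    cvc3 = pattern_keyspace("CVC") ** 3
    print(f"3 x CVC segments: {bits(cvc3):.1f} bits "
          f"(vs {bits(uniform_keyspace(9, 26)):.1f} for 9 random lowercase)")
    n = des_crypt_effective_length(bytes_per_char=2)
    print(f"DES crypt with 2-byte chars keeps {n} chars; at a 30-symbol "
          f"alphabet that is {bits(uniform_keyspace(n, 30)):.1f} bits")
```

The useful output is the "bits lost" column: it is the number of bits an attacker gains for free once the generation rule is known, which is exactly the point about rules being turned into cracker rules. Run it with the alphabet and guess rate that match your own environment.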