Re: US Military bans HTML in emails

Bill Gunshannon wrote:
In article <1167832240.731568.243390@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
"AEF" <spamsink2001@xxxxxxxxx> writes:
Arne Vajhøj wrote:
AEF wrote:
Arne Vajhøj wrote:
David J Dachtera wrote:
Bill Gunshannon wrote:
Not in the real world. Good enough doesn't cut it when someone higher
than you says, "The corporate standard is MS Word."
...until the(ir next) multi-billion-dollar outage due to malware. Then, the
higher-ups face turn-over while the workers bees burn the midnight oil to clean
up the mess.
There were some real bad incidents 3-5 years ago.

No move from Windows then.

Now the MIS departments has tightened security.

You mean like requiring 6-character passwords to now be "complex"?
Yeah, that'll stop 'em!!! ;-)

OK, maybe they're actually doing some more useful things.

More as in:
min 8 characters
min 1 uppercase
min 1 lowercase
min 1 digit
min 1 punctuation

Or as in email scanners that removes all EXE, BAT etc. from attached
ZIP files in inbound email.

Arne
It turns out that you get a lot more bang for the buck by requiring
longer passwords.

Not sure where it is in the approval process but we talked about
allowing entire sentences (paragraphs?) as passwords and eliminating
the need for non-alpha characters.

Complex passwords are not that much harder to crack.

Not if you are in a position to use brute-force. Most computers today
have all the horsepower needed to just try every possible character.
After all, there are less than 128. :-)

Not sure what you're saying here. You open with 'Not', then seem to
agree with me. Anyway, according to the article referenced, anything 10
or more chars long, NOT complex, is all but uncrackable.

I think he should have offered $1000 instead of $100, though.


Most characters will be lowercase.

Not always. :-)

True, but you don't need to crack everyone's password.


Puncutation will almost certainly be
limited to periods, hyphens, and commas.

Arne listed punctuation as a required character, so I was commenting on
that.


I do not now and have never (up to this point, at least) used any of
those characters.

You'd have to if the password software enforced it according to the
rules given by Arne above!

This greatly reduces the total
number of possible combinations comapred to a random character for each
character. Hackers already know this trick.

The biggest safeguard is not providing a way to use a brute force attack.
Unfortunately, this brings up another whole issue. Use of brute force
to cause a DOS.

Well, I assume here that the hacker has somehow obtained a backup tape
or something similar. Well, I also assume that one can't quickly try
millions of combinations over the network, especially if your target
has break-in evasion set up.


If you sit down and calculate it, you'll find that complex passwords
aren't worth the trouble (I'll post some numerical examples later when
I have more time). Some say that users will write down passwords
anyway. (So why lock your door? Burglars will get in anyway!) I say
*more* users will write down complex passwords and they'll hate it a
lot more than adding a few characters to the minimum length.

I have no statistics to back it up, but I don't agree. I think
people who are likely to write down their password are as likely
to do it no matter what the length. Unless you let them use
something that is easily guessed anyway.

Well, it's certainly not going to reduce the number of people who write
down passwords!

You'll
probably also get more help desk calls for complex-password resets.
Here's an article from infoworld (I can't find the original articles
right now, I'll post them later).
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/06/11/10/46OPsecadvise_1.html
I've seen passwords with zeros for O's and 3's for E's. What hacker
could break through this fortress of security? Trying zeros for O's and
3's for E's? What hacker ever think of that?

With your toungue pushed so far into your cheek be careful you don't
bite it. :-)

Or choke on it!!!

Yeah, I overdid it. I was thinking of a Seinfeld shtick in his book,
"Sein Languange" where he talks about the stupid security things people
do, like park in NYC with a TV in the back seat and cover it with a
sweater. "It's just a sweater, except that it's square and has an
antenna sticking out of it", he says. Or putting your wallet down by
the toes in your sneakers when you go to the beach. "What criminal mind
can penetrate this fortress of security?" he says. Etc.

Additionally, I admit that my posts this morning were poorly written. I
was in a hurry and perhaps need to catch up on sleep!


This is like a mild speed
bump where as increasing the length a few characters is more like huge
mountain. It's like putting your wallet in the toe of your sneaker as
you go into the water at the beach. Yes, it incerases the total
possible number of passwords, but not by much. See the link I provided
for more detail.

Thus the reason for the suggestion above. I hope it gets approved soon.

On further thought, many people would capitalize the first letter and
use a number for the last char. That actually *reduces* the possible
number of combinations!

It's x**L, and L is your friend.

bill

--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
bill@xxxxxxxxxxxxxxx | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>

AEF

.

Relevant Pages

  • Re: US Military bans HTML in emails
    ... Complex passwords are not that much harder to ... Consider a password with a choice of X different characters for each ... takes using all upper- and lowercase letters, ... I can see only two advantages of complex passwords: ...
    (comp.os.vms)
  • Re: US Military bans HTML in emails
    ... You mean like requiring 6-character passwords to now be "complex"? ... the need for non-alpha characters. ... what about all those machines ... I assume here that the hacker has somehow obtained a backup tape ...
    (comp.os.vms)
  • RE: Basic question
    ... If somebody else hasn't covered it already, I'll try to send out a Kerberos ... > Unicode character set and can be up to 128 characters long, ... > Pre-W2K user interfaces limits do not allow passwords to ... I believe that you are referring to *LM* hashes. ...
    (Focus-Microsoft)
  • Stat Problem
    ... A computer hacker is trying to break into a computer system by ... administrator's password is at least 6 and at most 12 characters long, ... How many passwords are there that start with a letter, ...
    (sci.stat.math)
  • RE: Password statistics and standards
    ... If you shut off the storage of LM hashes, over 9 Characters will buy you ... Take a look at Perfect Passwords for some creative ideas: ... information about accounts which is helpful in telling me ... Norwich University ...
    (Security-Basics)