Re: US Military bans HTML in emails
- From: bill@xxxxxxxxxxx (Bill Gunshannon)
- Date: 4 Jan 2007 03:49:16 GMT
In article <1167873822.299476.210410@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
"AEF" <spamsink2001@xxxxxxxxx> writes:
> Bill Gunshannon wrote:
>> In article <1167832240.731568.243390@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
>> "AEF" <spamsink2001@xxxxxxxxx> writes:
>>> Arne Vajhøj wrote:
>>>> AEF wrote:
>>>>> Arne Vajhøj wrote:
>>>>>> David J Dachtera wrote:
>>>>>>> Bill Gunshannon wrote:
>>>>>>>> Not in the real world. Good enough doesn't cut it when someone higher
>>>>>>>> than you says, "The corporate standard is MS Word."
>>>>>>>
>>>>>>> ...until the(ir next) multi-billion-dollar outage due to malware. Then, the
>>>>>>> higher-ups face turn-over while the worker bees burn the midnight oil to clean
>>>>>>> up the mess.
>>>>>>
>>>>>> There were some real bad incidents 3-5 years ago.
>>>>>> No move from Windows then.
>>>>>> Now the MIS departments have tightened security.
>>>>>
>>>>> You mean like requiring 6-character passwords to now be "complex"?
>>>>> Yeah, that'll stop 'em!!! ;-)
>>>>>
>>>>> OK, maybe they're actually doing some more useful things.
>>>>
>>>> More as in:
>>>>   min 8 characters
>>>>   min 1 uppercase
>>>>   min 1 lowercase
>>>>   min 1 digit
>>>>   min 1 punctuation
>>>>
>>>> Or as in email scanners that remove all EXE, BAT etc. from attached
>>>> ZIP files in inbound email.
>>>>
>>>> Arne
>>>
>>> It turns out that you get a lot more bang for the buck by requiring
>>> longer passwords.
>>
>> Not sure where it is in the approval process but we talked about
>> allowing entire sentences (paragraphs?) as passwords and eliminating
>> the need for non-alpha characters.
>>
>>> Complex passwords are not that much harder to crack.
>>
>> Not if you are in a position to use brute-force. Most computers today
>> have all the horsepower needed to just try every possible character.
>> After all, there are less than 128. :-)
>
> Not sure what you're saying here. You open with 'Not', then seem to
> agree with me.

I was agreeing with you. I was stressing that there are a max of 128
characters and if you have the encrypted string so that you can try
every possible combination against it, even complex passwords can be
broken. (Think distributed cracking on thousands of machines!)

> Anyway, according to the article referenced, anything 10
> or more chars long, NOT complex, is all but uncrackable.

I find that hard to believe. The amount of computing resources available
today is mind boggling. Look at the size of the cluster used to render
the graphics for the movie "Ice Age". Or, what about all those machines
doing SETI@Home. And what about all the machines that have been infected
with the virus du jour. What if instead of spreading SPAM they were all
coordinated to break a password?

> I think he should have offered $1000 instead of $100, though.

True, but you don't need to crack everyone's password.

>>> Most characters will be lowercase.
>>
>> Not always. :-)
>>
>>> Punctuation will almost certainly be
>>> limited to periods, hyphens, and commas.
>
> Arne listed punctuation as a required character, so I was commenting on
> that.

Well, that was probably a slight mis-statement. We can blame language
as I don't think English is his first. :-)

What the chart should say is:
* It must be at least 10 characters
* It must contain at least 2 special characters: !@#$%^&*_-+=':;.,
* It must contain at least 2 numbers
* It must contain at least 2 uppercase and 2 lowercase letters
* It must not be one of your last 10 passwords.
* It is case sensitive

>> I do not now and have never (up to this point, at least) used any of
>> those characters.
>
> You'd have to if the password software enforced it according to the
> rules given by Arne above!

See actual rules just above.

>>> This greatly reduces the total
>>> number of possible combinations compared to a random character for each
>>> character. Hackers already know this trick.
>>
>> The biggest safeguard is not providing a way to use a brute force attack.
>> Unfortunately, this brings up another whole issue. Use of brute force
>> to cause a DOS.
>
> Well, I assume here that the hacker has somehow obtained a backup tape
> or something similar. Well, I also assume that one can't quickly try
> millions of combinations over the network, especially if your target
> has break-in evasion set up.

Thus my comment about DOS.

>>> If you sit down and calculate it, you'll find that complex passwords
>>> aren't worth the trouble (I'll post some numerical examples later when
>>> I have more time). Some say that users will write down passwords
>>> anyway. (So why lock your door? Burglars will get in anyway!) I say
>>> *more* users will write down complex passwords and they'll hate it a
>>> lot more than adding a few characters to the minimum length. You'll
>>> probably also get more help desk calls for complex-password resets.
>>
>> I have no statistics to back it up, but I don't agree. I think
>> people who are likely to write down their password are as likely
>> to do it no matter what the length. Unless you let them use
>> something that is easily guessed anyway.
>
> Well, it's certainly not going to reduce the number of people who write
> down passwords! Or choke on it!!!
>
>>> Here's an article from infoworld (I can't find the original articles
>>> right now, I'll post them later).
>>>
>>> http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/06/11/10/46OPsecadvise_1.html
>>>
>>> I've seen passwords with zeros for O's and 3's for E's. What hacker
>>> could break through this fortress of security? Trying zeros for O's and
>>> 3's for E's? What hacker would ever think of that?
>>
>> With your tongue pushed so far into your cheek be careful you don't
>> bite it. :-)
>
> Yeah, I overdid it. I was thinking of a Seinfeld shtick in his book,
> "Sein Language" where he talks about the stupid security things people
> do, like park in NYC with a TV in the back seat and cover it with a
> sweater. "It's just a sweater, except that it's square and has an
> antenna sticking out of it", he says. Or putting your wallet down by
> the toes in your sneakers when you go to the beach. "What criminal mind
> can penetrate this fortress of security?" he says. Etc.
>
> Additionally, I admit that my posts this morning were poorly written. I
> was in a hurry and perhaps need to catch up on sleep!
>
>>> This is like a mild speed
>>> bump whereas increasing the length a few characters is more like a huge
>>> mountain. It's like putting your wallet in the toe of your sneaker as
>>> you go into the water at the beach. Yes, it increases the total
>>> possible number of passwords, but not by much. See the link I provided
>>> for more detail.
>>
>> Thus the reason for the suggestion above. I hope it gets approved soon.
>
> On further thought, many people would capitalize the first letter and
> use a number for the last char. That actually *reduces* the possible
> number of combinations!
>
> It's x**L, and L is your friend.

Don't understand this. The suggestion I was talking about was allowing
really long passwords like sentences. Even given that they would be
made up of dictionary words, I think they would be very difficult to
break. Of course, the better way is no password. Using my CAC is the
safest way. Then you have to steal my CAC, know what username it
actually works with and have access to a machine that will accept it.
bill
--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
bill@xxxxxxxxxxxxxxx | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>
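The x**L arithmetic the thread keeps circling (complexity rules versus length, the "Capital...digit" habit, and sentence-style passwords) worked through as an added example; this is not code from the thread or any poster. The alphabet sizes follow the character classes listed above, while the guess rates and the 5000-word vocabulary are constructed assumptions.

```python
import math

# Alphabet sizes for the character classes the thread argues over
# (the 17 specials are the ones in the "actual rules" list).
LOWER, UPPER, DIGITS = 26, 26, 10
SPECIALS = len("!@#$%^&*_-+=':;.,")            # 17
PRINTABLE = LOWER + UPPER + DIGITS + SPECIALS   # 79 symbols if every class is in play

def keyspace(alphabet: int, length: int) -> int:
    """x**L: number of candidates when every position is uniformly random."""
    return alphabet ** length

def patterned_keyspace(length: int) -> int:
    """The habit noted in the thread: capital first letter, lowercase body,
    one digit at the end. An attacker only has to cover 26 * 26**(L-2) * 10."""
    if length < 2:
        raise ValueError("pattern needs at least two characters")
    return UPPER * LOWER ** (length - 2) * DIGITS

def passphrase_keyspace(words: int, vocabulary: int) -> int:
    """Sentence-style password: `words` entries drawn from a word list of
    size `vocabulary` (constructed size; the real list sets the number)."""
    return vocabulary ** words

def bits(space: int) -> float:
    """Entropy in bits, the figure to compare across policies."""
    return math.log2(space)

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try the whole space at a given rate (hash in hand, offline)."""
    return space / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    offline = 1e9   # constructed: hash pulled off a backup tape, cracked locally
    online = 10.0   # constructed: network guessing throttled by break-in evasion
    policies = {
        "8 chars, all classes, random":    keyspace(PRINTABLE, 8),
        "8 chars, Capital...digit habit":  patterned_keyspace(8),
        "10 chars, lowercase only":        keyspace(LOWER, 10),
        "12 chars, lowercase only":        keyspace(LOWER, 12),
        "4-word sentence, 5000-word list": passphrase_keyspace(4, 5000),
    }
    for name, space in policies.items():
        print(f"{name:33s} {bits(space):5.1f} bits  "
              f"offline {years_to_exhaust(space, offline):9.2e} y  "
              f"online {years_to_exhaust(space, online):9.2e} y")
```

The table shows the point both sides half-make: an 8-character password that truly uses every class is large, but the patterned 8-character one people actually pick is smaller than 10 lowercase letters, and two more letters beat the random 8 outright.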