[ale] password management

Transam bob at verysecurelinux.com
Wed Jul 23 15:35:04 EDT 2003


On Wed, Jul 23, 2003 at 02:32:49PM -0400, J.M. Taylor wrote:

> Jonathan Rickman said:
> > On Wednesday 23 July 2003 12:00, J.M. Taylor wrote:


> > Internal hostnames are not always the same as published dns records.
> > Insiders might have a slight edge, but they would have to know that you
> > are actually using the hostname. I do not actually use the hostname.
> > Just providing an example.

> Of course you don't, I think I asked my question badly per usual. :)

> Let's take any string that's common to any set of passwords (ie, some
> systems use the username as a salt, or some such), my question is more --
> does it matter in a brute-force or even educated-guess type attack?  Or is
> the complexity of
> secret_thing<concat>special_characters<concat>common_string<concat>month

If I obtain the encrypted password, this probably could be cracked in a
week or two of GHz computrons.  If an attacker has 1000 stealth-
compromised systems to churn with, he gets much faster results.

> enough to foil those kinds of attacks? It certainly *seems* safer than me
> making up a longish random password that I have to write down until it's
> memorized...

Is it safer?  You're comparing the "crackability" of a password against
the physical security of a handwritten password.  Someone who would try
to physically enter my secure offices or remove my wallet probably is
carrying a gun.  The only such person would be a professional infiltration
of one of my larger clients.

He simply will point a gun to my head and security will be compromised.
A "two-bit" mugger won't bother with slips of paper with "gibberish" on
them.  That's sufficient security for all but the most demanding needs.

> jenn
Bob

> -----------------
> A lesson in computer security from Richard Feynman, circa 1943

> 'I'd keep complaining that the stuff was unsafe, and although everybody
> *thought* it was safe because there were steel rods and padlocks, it didn't
> mean a damn thing.

> To demonstrate that the locks meant nothing, whenever I wanted somebody's
> report and they weren't around, I'd just go into their office, open the
> filing cabinet, and take it out.  When I was finished I would give it back
> to the guy: "Thanks for your report."

> "Where'd you get it?"

> "Out of your filing cabinet."

> "But I *locked* it!"

> "I *know* you locked it.  The locks are no good."

> .......

> Finally some filing cabinets came which had combination locks....  These new
> filing cabinets were an immediate challenge, naturally.  I love puzzles. 
> One guy tries to make something to keep another guy out; there must be a
> way to beat it!'

> -- Richard Feynman, "Surely You're Joking, Mr. Feynman!"
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
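To put numbers on the keyspace question in the thread above, here is an added Python example (not from the list or either poster) that models the secret_thing + special_characters + common_string + month scheme as an attacker who knows the layout would see it, and sets it beside a random 8-character password. The component counts, the guess rate and the machine count are constructed assumptions.

```python
import math
from typing import Dict


def component_keyspaces(secret_words: int, specials: int, special_len: int,
                        common_strings: int, months: int) -> Dict[str, float]:
    """Alternatives an attacker who knows the layout must try per component.

    Constructed model of secret_thing + special_characters + common_string + month.
    """
    return {
        "secret_thing": float(secret_words),          # e.g. a wordlist hit
        "special_characters": float(specials ** special_len),
        "common_string": float(common_strings),       # 1 if the insider knows it
        "month": float(months),
    }


def total_keyspace(parts: Dict[str, float]) -> float:
    space = 1.0
    for alternatives in parts.values():
        space *= alternatives
    return space


def entropy_bits(keyspace: float) -> float:
    return math.log2(keyspace)


def expected_crack_seconds(keyspace: float, guesses_per_second: float,
                           machines: int = 1) -> float:
    # On average half the space is searched; extra machines divide the work.
    return keyspace / 2 / (guesses_per_second * machines)


def random_keyspace(alphabet: int, length: int) -> float:
    return float(alphabet ** length)


def compare(guesses_per_second: float = 1e6, machines: int = 1) -> Dict[str, float]:
    # Assumed: a 50,000-word secret, two of 32 specials, common string already
    # known to the attacker (1 alternative), 12 months; versus 8 random
    # printable ASCII characters (94-symbol alphabet).
    scheme = total_keyspace(component_keyspaces(50_000, 32, 2, 1, 12))
    random8 = random_keyspace(94, 8)
    return {
        "scheme_bits": entropy_bits(scheme),
        "scheme_seconds": expected_crack_seconds(scheme, guesses_per_second, machines),
        "random8_bits": entropy_bits(random8),
        "random8_seconds": expected_crack_seconds(random8, guesses_per_second, machines),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:16s} {value:,.1f}")
```

Only secret_thing contributes meaningful entropy once the attacker knows the structure; the month and a known common string add about 3.6 bits and 0 bits respectively.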