tim at cliftonfarm.org
Sat Feb 12 12:25:07 EST 2011
I've often wondered why those anti-spam word jumble graphics haven't
been deployed on logins as a measure against automated login attacks.
Certainly not foolproof -- and may pose accessibility issues for some --
but if there's one place where I'd like to maximize the probability that
an actual human is providing the input it's during authentication.
On Sat, 2011-02-12 at 11:47 -0500, Michael H. Warfield wrote:
> On Sat, 2011-02-12 at 11:04 -0500, Drifter wrote:
> > the recent chatter about network security has, mostly, skirted around the
> > password problem. Too many web sites that need strong security restrict
> > passwords by length, or character set, or both. So also do many corporate
> > web sites. Software exists that can generate random alphanumeric
> > passwords, but they routinely suffer the same fault: being difficult to
> > remember, users end up with notes taped to monitors, voiding the security.
> > For the past decade or so I have been recommending that computer users
> > pick out several favorite poems/songs and use them to generate passwords.
> > For example, fans of mathematics might reach for Lewis Carroll:
> > The time has come, the Walrus said, to talk of many things,
> > which would generate the short password <tthctwsttomt>, which munged just
> > a little bit becomes <TthctW5ttomT>.
> > or perhaps,
> > ’Twas brillig, and the slithy toves
> > Did gyre and gimble in the wabe
> > which would generate <tbatstDgagitw>
> > English majors might prefer something from "The Love Song of J. Alfred
> > Prufrock":
> > In the room the women come and go,
> > Talking of Michelangelo.
> > Or the opening of "A Tale of Two Cities":
> > It was the best of times, it was the worst of times;
> > I do not, for obvious reasons, ever suggest the song
> > "All I want for Christmas is a hippopotamus." :)
> > The people I advise do not understand the need for encryption, so the
> > topic of pass phrases does not usually come up. Memorable quotations from
> > obscure works are ideal, but all too often are not considered.
> > I wish that financial institutions would lift restrictions on password
> > length and complexity, but that would, almost certainly, entail reworking
> > a poorly crafted database.
> What this doesn't solve is the sheer mind-numbing number of passwords we
> have to remember. A recent security report indicated that after one
> break-in and compromise of a huge password database, numerous other sites
> were broken into via the cracked passwords and accounts. They had
> reused their passwords on sites everywhere from silly games to social
> networking to banking. I have several hundred unique passwords to
> different sites, all different and all random. Some sites I haven't
> visited in over a year (bugzillas and listservs mostly). They're stored
> in the password manager Revelation (which, I know, even though the
> database is AES-256 encrypted, they didn't do the most optimal job of
> seeding and implementing the encryption on the safe) with the database
> stored on an encrypted file system. It takes a very long, very strong
> passphrase to decrypt it. Once it's open, it's a quick cut-n-paste into
> a site and FF seems to clear the cnp buffer once a password has been
> used so there's little risk from cnp reuse. Also inhibits shoulder
> surfing and keystroke timing attacks (for those services that might be
> subject to keystroke timing sniffing).
> Even federated ID systems, such as SecurID, have come under attack, as
> well as some 2-factor authentication such as SecurID, cell phone text
> systems, and even smart cards. A one-time password system such as S/KEY
> or OPIE would be nice, but I don't see any becoming popular anytime
> soon. Short of that, a well-protected password safe that's convenient to
> use with a good password generator is about the best you can hope for.
> > Sean
> Ale mailing list
> Ale at ale.org
> See JOBS, ANNOUNCE and SCHOOLS lists at
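The acrostic scheme Sean describes in the quoted post (take the first letter of each word of a memorable line, optionally "munge" a few characters) is simple enough to make mechanical. The script below is an added example, not code from anyone on this thread: it derives the initials from a phrase, applies a substitution map, and checks the result against the kind of length and character-set restriction the post complains about. The two sample phrases are the Lewis Carroll lines quoted in the post; the substitution map and the policy limits are constructed assumptions for illustration.

```python
import re
from typing import Dict, Optional

# Sample phrases (constructed input, copied from the quoted post).
WALRUS = "The time has come, the Walrus said, to talk of many things,"
JABBERWOCKY = ("’Twas brillig, and the slithy toves "
               "Did gyre and gimble in the wabe")

# Hypothetical substitution map; the post itself only shows 's' -> '5'.
DEFAULT_SUBS: Dict[str, str] = {"s": "5", "o": "0", "i": "1", "e": "3"}


def acrostic(phrase: str, keep_case: bool = True) -> str:
    """Return the first letter of each whitespace-separated word.

    Leading punctuation is skipped so that "'Twas" contributes 'T', not
    the apostrophe; tokens with no letters at all contribute nothing.
    With keep_case=False the result is lower-cased, which is what the
    post did before munging ("tthctwsttomt").
    """
    letters = []
    for token in phrase.split():
        match = re.search(r"[A-Za-z]", token)
        if match:
            letters.append(match.group(0))
    result = "".join(letters)
    return result if keep_case else result.lower()


def munge(password: str, subs: Optional[Dict[str, str]] = None) -> str:
    """Replace characters according to a substitution map (e.g. 's' -> '5')."""
    table = DEFAULT_SUBS if subs is None else subs
    return "".join(table.get(ch, ch) for ch in password)


def fits_policy(password: str, min_len: int = 8,
                max_len: Optional[int] = None,
                allowed: str = r"[A-Za-z0-9]") -> bool:
    """Check a candidate against a site's length and character-set rules.

    Models the restriction the post objects to: a site that caps length
    or limits the alphabet will reject otherwise good passwords.
    """
    if len(password) < min_len:
        return False
    if max_len is not None and len(password) > max_len:
        return False
    return all(re.fullmatch(allowed, ch) for ch in password)


if __name__ == "__main__":
    for phrase in (WALRUS, JABBERWOCKY):
        base = acrostic(phrase)
        print(f"{phrase!r}\n  initials: {base}\n  munged:   {munge(base)}")
        # A hypothetical site with a 12-character cap rejects the 13-letter one.
        print(f"  fits 12-char cap: {fits_policy(munge(base), max_len=12)}")
```

The derivation is deterministic, so the phrase itself is the secret: the same line and the same munge rule always yield the same password, which is what makes the scheme memorable and also why the second quoted line (13 initials) is rejected by the hypothetical 12-character cap in the example. The post's own examples lower-case the leading letter before munging; `acrostic(..., keep_case=False)` reproduces that form.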