RE: Consumer Security Web Site
From: Tyson Leslie (Leslie.Tyson@colteng.com)
Date: Wed Jun 30 2004 - 09:19:39 CDT
There's an excellent article on passwords on the Security Focus web site -
http://www.securityfocus.com/infocus/1554
We have been pushing phrases or sentences for passwords for a while. Not
only are they typically easy to remember, they are usually easier to type
than a complex 6 or 8 character password, and when users find out that they
can use spaces and separate words, passwords end up being longer anyway.
The harder a password is to type, the easier it is to watch someone type it,
and the more complex it is, the greater the chance that a user will write it
down somewhere convenient.
It takes just as long to type "how are you doing" as it does to type
"w!|\|D0w$" or "_s33d0n7H", and one of them is sure easier to remember and
type than the others...
Tyson.
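An added Python illustration (not part of this thread) of why the three passwords Tyson mentions are hard to compare by eye: each one's guess space is estimated under more than one attacker model, and the word-list size, mangling-rule count and guess rate are assumed parameters rather than figures from the thread.

```python
import math
import string

# Assumed model parameters (not figures from the thread): a common-words list
# of 2,000 entries, 1,024 mangling rules for a scheme-aware guesser, and an
# offline guess rate of 10**8 per second for the time estimate.
COMMON_WORDS = 2_000
RULE_COUNT = 1_024
GUESSES_PER_SECOND = 10 ** 8
SYMBOLS = string.punctuation + " "   # 33 characters, space included


def brute_force_bits(password: str) -> float:
    """Naive charset model (the 'upper, lower, digits, specials' rule of thumb):
    bits = length * log2(size of the union of character classes present)."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (SYMBOLS.__contains__, len(SYMBOLS))]
    size = sum(n for test, n in classes if any(test(c) for c in password))
    return len(password) * math.log2(size) if size else 0.0


def passphrase_bits(phrase: str, words: int = COMMON_WORDS) -> float:
    """Word-list model for 'how are you doing': each word is drawn from a list
    of `words` common entries, so bits = number_of_words * log2(words)."""
    return len(phrase.split()) * math.log2(words)


def mangled_bits(base: str, rules: int = RULE_COUNT) -> float:
    """Scheme-aware model for '_s33d0n7H': guess the lowercase base ('seedonth')
    and try each of `rules` decorations (leet digits, capitalised last letter,
    leading underscore), so only log2(rules) bits sit on top of the base."""
    return brute_force_bits(base) + math.log2(rules)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in a space of 2**bits guesses."""
    return 2.0 ** bits / rate


if __name__ == "__main__":
    cases = [
        ("seedonth (brute force)", brute_force_bits("seedonth")),
        ("_s33d0n7H (brute force)", brute_force_bits("_s33d0n7H")),
        ("_s33d0n7H (scheme known)", mangled_bits("seedonth")),
        ("how are you doing (brute force)", brute_force_bits("how are you doing")),
        ("how are you doing (word list)", passphrase_bits("how are you doing")),
    ]
    for label, bits in cases:
        print(f"{label:33s} {bits:5.1f} bits  ~{seconds_to_exhaust(bits) / 60:.0f} min")
```

The naive model rates "_s33d0n7H" and "w!|\|D0w$" identically, while the scheme-aware and word-list models show how much of that figure depends on what the guesser already knows.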
-----Original Message-----
From: Mike [mailto:mike@superiorholidayadventures.ca]
Sent: Wednesday, June 30, 2004 6:32 AM
To: Sullivan Tim P; focus-ms@securityfocus.com
Subject: RE: Consumer Security Web Site
I agree, but it's a very good start and that's what it's intended for.
Here's a snippet from the site:
"The best way to use this generator is to take its output it in ways known
only to you. Make some letters capital, or insert punctuation and numbers."
"Note also that static or reusable passwords are obsolete. If you have a
choice of authentication methods, look for a stronger method than
passwords."
The author of this software knows that the passwords generated are insecure
and has explicitly stated his thoughts on *directly* using the passwords
generated by this program.
If the user of this software can create an easily pronounceable, and
therefore easily remembered, password and then mixes in some numbers and
capitalization you will end up with a relatively secure password.
For example, replace letters with hax0r sp33k and capitalize the last letter
and underscore the beginning. We'll do this with 'seedonth', which was
generated from the site. Using the above method you end up with "_s33d0n7H"
which fits your requirements for brute force attack resistance. If a user
uses *their own* method of obfuscation with an easily pronounceable
password, the password can both be (relatively) secure and easily
remembered.
I'm sure the code supplied on that webpage could easily be extended to use
10 character passwords and to use similar methods of password obfuscation.
Sincerely,
Mike Fetherston
> -----Original Message-----
> From: Sullivan Tim P [mailto:tim@nativemode.com]
> Sent: Wednesday, June 30, 2004 2:03 AM
> To: Mike; focus-ms@securityfocus.com
> Subject: RE: Consumer Security Web Site
>
> Hi Mike,
> The link below does not generate the greatest of passwords, from a
> security standpoint.
>
> When I tried the link, it generated passwords that were simple, all
> lowercase characters. As a rule of thumb, you want passwords to have
> uppercase, lowercase, numbers, and special characters, and be at least 8
> characters long.
>
> Passwords like the one that tool generates would take literally minutes
> with a bruteforce cracker on today's standard hardware.
>
> Just my thoughts.
>
> Thanks,
> Tim
>
>
> -----Original Message-----
> From: Mike [mailto:mike@superiorholidayadventures.ca]
> Sent: Tuesday, June 29, 2004 11:52 AM
> To: James D. Stallard; David Harper; focus-ms@securityfocus.com
> Subject: RE: Consumer Security Web Site
>
> I find this resource:
>
> http://www.multicians.org/thvv/gpw.html
>
> generates the easiest to remember random passwords. I can still
> remember passwords that I've generated with this tool.
>
> Mike.
>
> > -----Original Message-----
> > From: James D. Stallard [mailto:james@leafgrove.com]
> > Sent: Monday, June 28, 2004 5:25 PM
> > To: 'David Harper'; focus-ms@securityfocus.com
> > Subject: RE: Consumer Security Web Site
> >
> > David
> >
> > Top Idea, this certainly qualifies as 'A Good Thing'.
> >
> > My 2 cents is "how to pick a decent password"
> >
> > There are lots of myths out there on what qualifies as a good password and
> > while all us techies would love our users to pick something really complex
> > (read "nasty") the fact remains that they would rather pick the name of
> > their dog or football team. So, a few tips on choosing something easy to
> > remember and hard to crack, and obfuscating their dog's name might be
> > nice :)
> >
> > Most of my work is Active Directory design related, so a few tips on using
> > GPOs for improving security and securing DNS services would be nice. Perhaps
> > you could really push the boat out and put in some stuff about Delegation of
> > Administration!
> >
> > Cheers
> >
> > James D. Stallard
> > Active Directory and Infrastructure Technical Architect
> > Leafgrove Limited
> >
> >
> > -----Original Message-----
> > From: David Harper [mailto:david.harper@thermon.com]
> > Sent: 28 June 2004 16:50
> > To: 'focus-ms@securityfocus.com'
> > Subject: Consumer Security Web Site
> >
> > All,
> >
> > I'm putting together a web site for home and small office computer users
> > to address computer and small network security. I'm hoping to eventually
> > have a one-stop site where non-technical consumers can get all the
> > information they need to protect their home and small office systems.
> >
> > So far I'm planning sections on Viruses/Worms/Trojans, Spam, Identity
> > Theft, Cyberstalking, Hacking, Spyware and Adware. Each section is to
> > cover the basics (what it is, how to remove/prevent it, etc.) in a
> > non-technical, friendly-to-the-average-home-user way. I'll also include
> > links to sites like Windows Update and other free tools, with a strong
> > admonition that their computer be checked and patched - now.
> >
> > I'd like to get input from the list on any other sections to include on
> > the web site. What do you see as the most glaring gaps in end-user
> > knowledge? What information, tools, links, etc., would best enable them to
> > secure their systems easily against the most common threats? Also, I'm
> > gearing this toward Microsoft simply because 1) Microsoft runs the vast
> > majority of home/small-office computers, 2) Those using Linux are already
> > pretty computer savvy, and this site is for the novice. Should I expand
> > the focus? Include Macs? What about the buzz on cell phone viruses? Should
> > cell phone security and privacy issues be included, as well?
> >
> > Please keep in mind that this site is for the novice, so explanations of
> > elliptical curve cryptography probably won't fly. I just want to make it
> > as easy as possible for the non-technical user to stay up to date.
> >
> > Your input is greatly appreciated!
> >
> > Thanks,
> > David