[Discuss] A Little OT: The Password Post-It
jc at trillian.mit.edu
Wed Apr 18 16:58:01 EDT 2012
Drew Van Zandt wrote:
| I think if I were designing the perfect password requirements, it would
| look something like:
| * IT has a password-crack server with a good dictionary, which includes
| names, sports teams, etc., all the trimmings a good password crack attempt
| needs.
| * No stupid password rules, but the server rolls through and tries to crack
| passwords, with a focus on new/recently changed passwords. If it finds it,
| user has to change their password.
Some years ago, I worked on a project where we decided to do this. I
collected a number of password-cracker programs, and wrote a little script to
feed them all the encrypted passwords in the /etc/passwd file. The users
would get messages of the form "Your password is so weak that we decoded it
in $t seconds. Your password is: $pswd. We suggest that you change it."
This was fairly effective, actually. Except with managers. ;-)
But it does nothing about the general problem of our growing lists of
passwords, each satisfying a different set of rules for a different account.
This is the problem that forces users to write passwords in a location that
they can easily get at when they need a password. As long as this is true,
security of the passwords themselves will continue to be somewhat irrelevant.
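The proactive audit the post describes (run a dictionary over the stored hashes, then notify each user whose password fell, with the time it took), as an added example that is not part of the original message. It assumes a constructed "user:salt:sha256hex" record format standing in for the crypt(3) entries in /etc/passwd, a constructed wordlist, and omits the recovered word from the notice.

```python
import hashlib
import time

def _h(salt, pw):
    """Hash helper for the constructed record format (assumption: salted SHA-256,
    standing in for the crypt(3) hashes the post fed to its crackers)."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()

# Constructed sample records; the users, salts and passwords are invented.
SAMPLE_RECORDS = [
    f"alice:x1:{_h('x1', 'redsox')}",
    f"bob:y2:{_h('y2', 'Tr0ub4dor&3-correct')}",
    f"carol:z3:{_h('z3', 'Patriots')}",
]

# Constructed dictionary of the kind the post mentions: names, sports teams, etc.
WORDLIST = ["password", "redsox", "Patriots", "celtics", "boston", "letmein"]

def parse_records(lines):
    """Return {user: (salt, hexdigest)} from the constructed record format."""
    out = {}
    for line in lines:
        user, salt, digest = line.strip().split(":")
        out[user] = (salt, digest)
    return out

def audit(records, wordlist):
    """Dictionary-check every record; return {user: seconds_until_match} for the
    weak ones only. The matching word is deliberately not kept or reported."""
    weak = {}
    for user, (salt, digest) in records.items():
        start = time.perf_counter()
        for word in wordlist:
            if _h(salt, word) == digest:
                weak[user] = time.perf_counter() - start
                break
    return weak

def notices(weak):
    """Per-user message in the spirit of the post, minus the cleartext password."""
    return {u: f"Your password is so weak that we decoded it in {t:.4f} seconds. "
               "We suggest that you change it."
            for u, t in weak.items()}

if __name__ == "__main__":
    for user, msg in notices(audit(parse_records(SAMPLE_RECORDS), WORDLIST)).items():
        print(f"{user}: {msg}")
```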
--
The fewer jobs a tool is designed to do, the better it does each of them.
John Chambers <jc at trillian.mit.edu> <jc1742 at gmail.com>