Your Password SUCKS!
Oct. 20th, 2005 11:52 am
http://www.livejournal.com/community/lj_support/590322.html
Your password sucks!
We've just done a code push, which includes the new function we've been cheerfully calling the "your password sucks" module. This provides an update to our sucky-password-checking module, and an option (currently disabled) that will force anyone with a password that sucks to change that password before they can do anything else on the site. And I do mean anything.
Hehe.
I still need to change passwords for a large majority of sites I use. Still, mine is not brute-forceable (eh, meaning you can't take a dictionary, and try word by word.) And all of my passwords are generated based on random keyboard pounding, then rotated into a more comfortable string to type. With numbers. I should also add punctuation, for those sites and places that accept it... Sadly, I tend to reuse several passwords for everything over one time period, although always combined with modifications based on various things. This is a Bad thing.
A better password scheme would be to let the server pick several random numbers, then you have to respond with the correct numbers in response, based off an equation or something of your choosing. Although this massively slows down things, and people aren't good at adding sometimes... never mind, that wouldn't work. We're not computers. Maybe some sort of smartcard..... enter the numbers on that, and it'll give you the numbers to enter back.. but the smartcard can be stolen. Hmm. Add a fingerprint based calculation to that. Yeeeah. Something like that. So Computer-generated Challenge -> smartcard's internal equation * fingerprint -> Smartcard response
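The challenge -> card equation * fingerprint -> response sketch above, as an added simulation that is not part of the original post: the card's "internal equation" is assumed to be HMAC-SHA256 under a key derived from a card secret and a hashed fingerprint template (constructed values; a real biometric match is fuzzy and happens on the card, so this is a simplification), and the server is assumed to have enrolled that derived key at registration.

```python
import hashlib
import hmac
import os

# Constructed stand-ins, not a real smartcard API or real biometric data.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
FINGERPRINT_TEMPLATE = b"constructed-fingerprint-template"


def derive_card_key(card_secret: bytes, fingerprint: bytes) -> bytes:
    """Bind the card key to the fingerprint: a stolen card presented with
    a different finger derives a different key and fails verification."""
    return hashlib.sha256(card_secret + hashlib.sha256(fingerprint).digest()).digest()


def server_challenge() -> bytes:
    """Fresh random challenge per login, so an observed response is single-use."""
    return os.urandom(16)


def card_response(card_secret: bytes, fingerprint: bytes, challenge: bytes) -> bytes:
    """The card's 'internal equation': a keyed MAC over the server's challenge."""
    key = derive_card_key(card_secret, fingerprint)
    return hmac.new(key, challenge, hashlib.sha256).digest()


def server_verify(enrolled_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected MAC; constant-time compare avoids timing leaks."""
    expected = hmac.new(enrolled_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> tuple:
    """Returns (genuine login ok, replayed response accepted, stolen card + wrong finger accepted)."""
    enrolled_key = derive_card_key(CARD_SECRET, FINGERPRINT_TEMPLATE)  # stored at registration
    c1 = server_challenge()
    r1 = card_response(CARD_SECRET, FINGERPRINT_TEMPLATE, c1)
    genuine = server_verify(enrolled_key, c1, r1)
    # Replaying the captured response against a new challenge does not verify.
    c2 = server_challenge()
    replayed = server_verify(enrolled_key, c2, r1)
    # The card alone, without the enrolled fingerprint, derives the wrong key.
    stolen = server_verify(enrolled_key, c2, card_response(CARD_SECRET, b"other-finger", c2))
    return genuine, replayed, stolen
```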
no subject
Date: 2005-10-20 05:45 pm (UTC)
If a cracker gets to the point where brute-forcing is an option, the system is already compromised. Which is why I think password-security is overhyped. Aside from "God", "password", $username, 0123456789 and a few other favorites, most passwords are sufficient as long as they're kept secret. Everyone is much more vulnerable to key-logging, leaving private information on a public terminal, roommate-peeking, and phishing than to brute forcing.
That said, passphrases are my preferred method of secure-password generation. For example,
This passphrase is well-nigh impossible to brute force.
Is a totally secure passphrase. Under current attack searchspace algorithms, it's virtually uncrackable. If passphrases become more popular, the old brute-force algorithms and pre-computations can be adapted to attack them, they won't hold up quite as long, but even then they're pretty strong.
no subject
Date: 2005-10-20 08:33 pm (UTC)
Oh, don't forget "trust" and "trustme".
Mmmm, yeah. The only problem is, many places don't accept " " characters in passwords, as well as many other things. And length is limited. Quite stupid, really, but hey, what can you do.
no subject
Date: 2005-10-20 06:43 pm (UTC)
no subject
Date: 2005-10-21 08:39 am (UTC)