http://www.village-elder.com/blog/ Village Elder - Why do you seek the Village Elder? en Serendipity 1.1 - http://www.s9y.org/ blog@village-elder.com blog@village-elder.com Fri, 05 Sep 2008 19:57:51 GMT http://www.village-elder.com/john.village-elder.jpg http://www.village-elder.com/blog/ 100 109 http://www.village-elder.com/blog/archives/9-Great-comments-from-Computer-Defence.html#c10 http://www.village-elder.com/blog/archives/9-Great-comments-from-Computer-Defence.html#comments http://www.village-elder.com/blog/wfwcomment.php?cid=9 john@village-elder.com (John Curry) Great Stats Igor! Thanks for sharing! Tue, 13 Mar 2007 08:50:34 -0500 http://www.village-elder.com/blog/archives/9-guid.html#c10 http://www.village-elder.com/blog/archives/9-Great-comments-from-Computer-Defence.html#c9 http://www.village-elder.com/blog/archives/9-Great-comments-from-Computer-Defence.html#comments http://www.village-elder.com/blog/wfwcomment.php?cid=9 john@village-elder.com (Igor Drokov) Talking about passprase-based passwords, there is a report published in 2000 on "The memorability and security of<br /> passwords – some empirical results" based on the study of 400 first-year students at the University of Cambridge. The report provides some interesting data, e.g.:<br /> <br /> "The summary of the number of cracked passwords is as follows (with brute-force attacks treated separately):<br /> <br /> - Control group 30 (32%) +3 brute force<br /> - Random password group 8 (8%) +3 brute force<br /> - Passphrase group 6 (6%) +3 brute force<br /> - Comparison sample 33 (33%) +2 brute force"<br /> <br /> Full report: http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-500.pdf Tue, 13 Mar 2007 08:37:28 -0500 http://www.village-elder.com/blog/archives/9-guid.html#c9 http://www.village-elder.com/blog/archives/7-A-realistic-approach-to-creating-very-strong-passwords.html#c8 http://www.village-elder.com/blog/archives/7-A-realistic-approach-to-creating-very-strong-passwords.html#comments http://www.village-elder.com/blog/wfwcomment.php?cid=7 john@village-elder.com (John Curry - on behalf of Jordan) The comment below was valiantly attempted to be posted here only to fail because I haven't worked out all my blogging mojo yet. Jordan sent this in with another great link on password policy. Thanks Jordan, I think I have this sorted now <img src="http://www.village-elder.com/blog/templates/default/img/emoticons/smile.png" alt=":-)" style="display: inline; vertical-align: bottom;" class="emoticon" /> -john<br /> ---<br /> That's a great writeup. We recommend something similar, though without <br /> quite as much detail on our password page at the University of Florida:<br /> <br /> http://infosec.ufl.edu/athome/passwords.shtml<br /> <br /> Thanks for the explanation. Thu, 01 Mar 2007 17:50:18 -0600 http://www.village-elder.com/blog/archives/7-guid.html#c8 http://www.village-elder.com/blog/archives/8-To-sudo-or-not-to-sudo.html#c7 http://www.village-elder.com/blog/archives/8-To-sudo-or-not-to-sudo.html#comments http://www.village-elder.com/blog/wfwcomment.php?cid=8 john@village-elder.com (Keri) You know your sudo command always worked on me =) Miss you tons! <strong>hugs</strong> Thu, 01 Mar 2007 07:28:23 -0600 http://www.village-elder.com/blog/archives/8-guid.html#c7 http://www.village-elder.com/blog/archives/8-To-sudo-or-not-to-sudo.html#c6 http://www.village-elder.com/blog/archives/8-To-sudo-or-not-to-sudo.html#comments http://www.village-elder.com/blog/wfwcomment.php?cid=8 john@village-elder.com (Ricky) I think, when properly applied, the sudo command can have a dramatic effect on lunch. Wed, 28 Feb 2007 10:19:07 -0600 http://www.village-elder.com/blog/archives/8-guid.html#c6 http://www.village-elder.com/blog/archives/7-A-realistic-approach-to-creating-very-strong-passwords.html#c5 http://www.village-elder.com/blog/archives/7-A-realistic-approach-to-creating-very-strong-passwords.html#comments http://www.village-elder.com/blog/wfwcomment.php?cid=7 john@village-elder.com (John Curry) Thats a good point Wilbur! Perhaps it's too much to say this method will create 'very strong' passwords. I know that I have seen some pretty ugly passwords in the field. Often terrible things like:<br /> <br /> baseb@ll<br /> r1234<br /> mypass<br /> <br /> Eeeks, keeps me up at night! I think compared to passwords of that level the technique I propose would fair pretty well.<br /> <br /> I certainly wouldn't suggest any of the standard 3l173or 'elite' character replacements, they are just to common now, and I always feel dirty when I think about using them.<br /> <br /> If anyone can use this technique to beef up their passwords a few notches in the right direction, then I think my work is done.<br /> <br /> Perhaps I'll do a follow up post on how to create 64 character passwords for the non mensa member <img src="http://www.village-elder.com/blog/templates/default/img/emoticons/smile.png" alt=":-)" style="display: inline; vertical-align: bottom;" class="emoticon" /><br /> <br /> That gives me another idea. password olympics! I think I'll see about setting up some cracking tools to test who's 8 character password hold out the longest. hrm.. let me look into that! Wed, 28 Feb 2007 08:45:33 -0600 http://www.village-elder.com/blog/archives/7-guid.html#c5 http://www.village-elder.com/blog/archives/7-A-realistic-approach-to-creating-very-strong-passwords.html#c4 http://www.village-elder.com/blog/archives/7-A-realistic-approach-to-creating-very-strong-passwords.html#comments http://www.village-elder.com/blog/wfwcomment.php?cid=7 john@village-elder.com (Wilbur) Have you performed any analysis of the passwords, perhaps with common phrases? It's easy to suggest that they are strong but I think that there are a lot of letters that are not as commonly the first letter of a word in a phrase. Some simple analysis could show the distribution.<br /> <br /> There are already password attackers that factor all the "elite" speak letters and numbers in, they don't increase the distribution nearly as much as you might think. Wed, 28 Feb 2007 07:22:50 -0600 http://www.village-elder.com/blog/archives/7-guid.html#c4 http://www.village-elder.com/blog/archives/7-A-realistic-approach-to-creating-very-strong-passwords.html#c1 http://www.village-elder.com/blog/archives/7-A-realistic-approach-to-creating-very-strong-passwords.html#comments http://www.village-elder.com/blog/wfwcomment.php?cid=7 john@village-elder.com (Brian) Check out "rainbow table attacks", which have effectively made your 8-character password obsolete (save for in systems that salt their hashes, such as Unixes). Now I take the type of passwords you talk about, and string two together separated with punctuation. Thus, I would use<br /> What the f is your problem<br /> (W7f1urPr0b)<br /> with<br /> This ain't my momma's cookin'<br /> (T8ntMm'scKn)<br /> and turn it into<br /> W7f1urPr0b#T8ntMm'scKn<br /> <br /> (hypothetically...) Wed, 21 Feb 2007 09:16:14 -0600 http://www.village-elder.com/blog/archives/7-guid.html#c1