Passwords --was-- Re: [BC] Can't solve it if you don't know about it
Cowboy
curt
Mon Jul 31 08:21:44 CDT 2006
On Sunday 30 July 2006 09:36 pm, Barry Mishkind wrote:
> At 05:31 PM 7/30/2006, Rockwell Smith wrote
> >All employees, full or part time, have company e-mail, but.... many
> >cannot access it because they seem to get locked out of their
> >accounts because they forget their passwords.
>
> Then you don't want to hear about the station
> I was in last month where the login and password
> (a lengthy line of letters and numbers) were
> taped to the studio monitors???
This is exactly why lengthy strings of random characters are a
really bad idea.
Posted passwords are, in effect, no password at all !
This is as bad as passwords like "password" or "123go" !
Pass-phrases are MUCH better, provided they aren't too obvious.
Even better, are apparently random strings derived from a
pass-phrase, something like MBWbiO14 derived from
My beloved wife's birthday is October 14.
This has the double-advantage of reminding one to buy that
birthday present !
A fair "generic" password would be something like the first and
last letter of each word in the station slogan, in order, and including
at least one real word.
These things are easy to remember, yet difficult to decipher if
one is not familiar with station operations, or the details of an
individual's life.
Also good are seemingly random combinations of words.
Things like spatula&motorcar
Enough characters to be secure, no apparent relationship between
the words, and a "random" character separator.
Of course, for the personality whose password was her own surname,
and she managed to forget it at least once a week, there is no hope !
A forgotten password for a critical system, because it was a long string
of unguessable random characters for "high" security can be much, much
worse than no password at all when that system goes down !
Remember, most crackers will try a dictionary attack first.
Simply trying the more obvious permutations in common use, like
password, PaSsWoRd, Passw*rd, letmein, letmein45, root, toor, etc.
followed by a "brute force" ( if they're REALLY determined ) automated
generation of so many random characters, usually from 1 to 14 ( because
that was a common limit for Microsoft for MANY years ) characters,
until they hit one that works.
Brute force generators will filter and skip actual words, because it's
well known that the common "random" password web sites don't
generate real words.
Therefore, pass-phrases and common words in uncommon combinations
are FAR more secure than long strings of "random" characters.
They won't be in the dictionaries, and it'll take a brute force attack years
to hit that "random" combination, *if* it's been reprogrammed to
include real words !
If you've got a cracker after you that is THAT determined, you've got worse
problems than simple net scans, and weekend visitors !
Obvious passwords are bad, but strings of characters so complex they
get written down are MUCH worse !
In an air studio, where "talent" isn't known for good password retention,
I'd be using something like the first and last letter of the names, both
first and last names, of each person on the morning show.
Use their real names, not their air names, including at least one real word,
and it seems that's about as good as it gets.
In a data processing center, or the IT department, if one wishes to get REALLY
secure, AND one can assume some degree of intelligence on part of the
authorized people, passwords that change with time of day, and date, are
almost impossible to crack, unless it's too obvious. Even then, a cracker
has to know that this happens in that IT center.
Simple, yet really secure, passwords are possible, but they are not
random character generators !
--
Cowboy
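The post above sorts passwords into classes an attacker treats differently: entries on a "most used" list and their obvious permutations, single dictionary words, combinations of unrelated words with a separator, and strings that force a character-by-character brute force. The following is an added example, not code from the original post or the list, that applies that classification to the post's own samples and estimates the worst-case guess count each class forces on an offline attacker. The wordlists are constructed miniatures, and the list sizes, rule counts and separator count are assumptions chosen for illustration, not measured figures.

```python
import math
import re

# Constructed miniature wordlists for the demonstration. Real cracking
# wordlists hold millions of entries; only membership matters here.
COMMON_PASSWORDS = {"password", "123go", "letmein", "root", "toor", "qwerty"}
DICTIONARY = {"spatula", "motorcar", "my", "beloved", "wife", "birthday",
              "is", "october", "apple", "radio", "studio", "morning"}

# Assumed list sizes and rule counts for the estimate (assumptions, not measurements).
COMMON_LIST_SIZE = 10_000     # entries in a typical "most used passwords" list
DICTIONARY_SIZE = 100_000     # entries in a typical English wordlist
MANGLE_RULES = 50             # case / substitution / digit-suffix variants tried per word
SEPARATOR_CHOICES = 33        # printable ASCII punctuation characters

# Substitutions a rule-based cracker undoes (or re-applies) almost for free.
LEET = str.maketrans({"*": "o", "0": "o", "@": "a", "3": "e", "1": "i", "$": "s", "!": "i"})


def candidates(token):
    """Base forms a cracker's mangling rules would map this token back to."""
    low = token.lower()
    forms = {low, low.translate(LEET)}
    forms |= {re.sub(r"\d+$", "", f) for f in forms}  # drop a trailing digit suffix
    return forms


def charset_size(password):
    """Alphabet size a pure brute-force search must cover for this password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += SEPARATOR_CHOICES
    return size


def estimate(password):
    """Return (attack class, worst-case guesses, bits) under the simple model.

    Words glued together without a separator are not split, so such a
    password is scored as brute-force; that is a limitation of this model.
    """
    # Whole-string check first, so that "Passw*rd" is not split on the '*'.
    if candidates(password) & COMMON_PASSWORDS:
        cls, guesses = "common-list", COMMON_LIST_SIZE * MANGLE_RULES
    else:
        tokens = [t for t in re.split(r"[^A-Za-z0-9]+", password) if t]
        if len(tokens) == 1 and candidates(tokens[0]) & DICTIONARY:
            cls, guesses = "dictionary-word", DICTIONARY_SIZE * MANGLE_RULES
        elif len(tokens) >= 2 and all(t.lower() in DICTIONARY for t in tokens):
            n = len(tokens)  # each word from the wordlist, one separator between words
            cls, guesses = "word-combination", DICTIONARY_SIZE ** n * SEPARATOR_CHOICES ** (n - 1)
        else:
            cls, guesses = "brute-force", charset_size(password) ** len(password)
    return cls, guesses, round(math.log2(max(guesses, 1)), 1)


if __name__ == "__main__":
    # The post's own samples, plus "Spatula7" as a constructed single-word case.
    for pw in ["password", "PaSsWoRd", "Passw*rd", "letmein45",
               "Spatula7", "spatula&motorcar", "MBWbiO14"]:
        cls, guesses, bits = estimate(pw)
        print(f"{pw:18} {cls:17} {guesses:>20,d} guesses  {bits:5.1f} bits")
```

Running it shows why the post's "obvious permutations" are cheap: every spelling of "password" and the digit-suffixed "letmein45" collapse onto the same common-list entry and cost at most a few hundred thousand guesses. A two-word combination with a separator costs on the order of 10^11 guesses under these assumptions, and the pass-phrase-derived "MBWbiO14" lands in the 62^8 brute-force space. The absolute numbers depend entirely on the assumed list sizes, so use the function to compare classes, not to certify a particular password.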