LQ Suggestions & FeedbackDo you have a suggestion for this site or an idea that will make the site better? This forum is for you.
PLEASE READ THIS FORUM - Information and status updates will also be posted here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
1. Create a subforum that covers topics (like this very message) that relate to the Forum itself.
2. In checking password validity, consider both the presented password and the same password with the CapsLock key inverted. That would be a convenience for the absent-minded without noticeably impacting security -- a factor of 2 in guesswork isn't worth much.
Your password idea, wouldn't that be of great help to other people trying to guess your password?
Not really. Even with smart guessing, the number of possible passwords is so large that reducing it by a factor of 2 wouldn't help much.
Just the requirement of a 15-minute wait after 5 wrong guesses will defeat any exhaustive-search method. if someone can reduce the number of possible passwords to, say 20, it's not much harder to make 40 guesses as 20 guesses.
Am I missing something with that factor of 2 bit? If you just stick to case insensitive letters and (for example) a 6 character password the number of possiblities is 26x26x26x26x26x26 = 308,915,776. If you have case sensitive passwords you double the possibilities for each letter (not just the overall) which is 52x52x52x52x52x52 = 19,770,609,664
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,602
Rep:
As indicated, #1 exists. We have no plans to implement anything similar to #2. The way your password is encrypted in the database, it wouldn't even be possible. Thanks for the feedback.
I guess I wasn't clear about my proposal. Capslock inverts all letters, both lowercase and uppercase. Suppose I have the password AbcDe. Then the password aBCdEand no other is also legitimate. So the number of guesses is halved but not reduced by more than that since every password has exactly one acceptable equivalent.
I wonder how many people have passwords that are guessable without brute force. Even assuming a naive user and a foolish password choice, there might be 20 or 30 obvious possibilities, and everything beyond those would require brute force - even a dictionary attack.
Dictionaries are vicious attackers which exert brute force. My big toe remembers one attack that happened last week. Unfortunately that was not the CD version of the Harraps dictionary.
Dictionaries are vicious attackers which exert brute force. My big toe remembers one attack that happened last week. Unfortunately that was not the CD version of the Harraps dictionary.
My idea about capslock and passwords reminded me of a thought I had about ATM machines. Probably most people have had the experience of inserting the card the wrong way and not realizing for a moment why it doesn't work. Could it be that hard (or expensive) to design ATM machines so that they work no matter what the orientation of the inserted card (with multiple sensors, presumably)?
Last edited by pwabrahams; 12-14-2007 at 10:25 AM.
Reason: remove inaccurate info
I guess I wasn't clear about my proposal. Capslock inverts all letters, both lowercase and uppercase. Suppose I have the password AbcDe. Then the password aBCdEand no other is also legitimate. So the number of guesses is halved but not reduced by more than that since every password has exactly one acceptable equivalent.
I wonder how many people have passwords that are guessable without brute force. Even assuming a naive user and a foolish password choice, there might be 20 or 30 obvious possibilities, and everything beyond those would require brute force - even a dictionary attack.
I don't know of any website that allows incorrect caps with passwords- they're always case-sensitive. However, LQ, just like the rest, has a link to click if you've forgotten your password, so you really don't have to keep guessing. My personal solution- I don't log out.
EDIT: As a side note, it would also be much easier to add a routine so that ABCDE, abcde, etc. would also work, rather than just the inverse of the correct values.
Cheers
Last edited by DragonSlayer48DX; 12-14-2007 at 09:26 PM.
or remind people (like windows, ugh) that they may have their capslock key on- but that's something I check first when I don't put my password in correctly.
or remind people (like windows, ugh) that they may have their capslock key on- but that's something I check first when I don't put my password in correctly.
TG
ROFL
That was a real pet-peeve for me with windows- always treating you like a total idiot. I didn't appreciate the need to click through 2+ layers of confirmation to get it to follow instructions. Linux, on the other hand, expects you to know what you're doing, or be willing to figure out what you did wrong and fix it.
ROFL
That was a real pet-peeve for me with windows- always treating you like a total idiot. I didn't appreciate the need to click through 2+ layers of confirmation to get it to follow instructions. Linux, on the other hand, expects you to know what you're doing, or be willing to figure out what you did wrong and fix it.
I agree in general that systems like Windows that try to guess what you meant and get it wrong all too often are a pain in the butt. But in this particular context there's little to be lost, assuming my view of the security issue is correct.
The question of whether Linux should expect you to know what you're doing goes to the heart of a controversial issue: is Linux supposed to be a replacement for Windows for all users or only for sophisticated users? If Linux is supposed to be usable by people of average intelligence with no particular interest in computers, then perhaps Linux shouldn't make that assumption. If you assume a sophisticated user, then it should. Is Linux intended to be a system for the masses, or not?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
