LinuxQuestions.org
Old 02-05-2006, 04:47 PM   #1
ayteebee
Wrong end of the stick with passwords?


I just want to point out something about passwords. If I'm completely wrong, please re-educate me, I'm only a noob!

Here are some recommended password selection guidelines:

- Your password must contain letters and numbers, preferably some different-caps letters, and be as random as possible (something like oFn643AKu would be good).
- Your password must contain at least six characters.
- Your password must be changed every few weeks.

I propose that these protocols are actually extremely bad for security.

How exactly does a long, complicated password help? Asking somebody [remember, they're probably a non-geek] to remember a long and complicated password is naive. They're going to write it down. And stick it to the bottom of their keyboard. Where someone potentially malicious could quite easily get it. Kabam, security compromised. The thing is, making people change their passwords often will actually make them more likely to write it down, because they'll just not bother to learn it.

Having a complicated password will not even be much use against computer hacking programs - assuming it uses a dictionary look-up system first to get the obvious words, having a random password will take it what? Two minutes to crack it instead of one? W00t. However, here is the only place where the minimum character limit is effective - as the possible number of combinations to be tried by a password-cracker increases with 62^n where n is the number of characters (on a case-sensitive system, 36 on a case-insensitive system). For example, a one-character password could need 62^1 = 62 attempts. A two-character password could need 62^2 = 3844 attempts. Longer passwords are more secure in that respect, and that's only where the number of characters is specified.

However, what happens if someone just tells their password to anyone they meet? I suppose here, it's more secure if they DON'T know the password and DO just keep it under their keyboard!

I am currently at school; here is my experience:

Our password system has just changed (new IT staff). In the old system, your password had to be at least 6 characters, needed to be changed about every 4 weeks, and could not be the same as any of the previous 4 passwords or so. That was fine for me, because I have probably about 8 passwords or so that I use. One of my friends just rotated through the days of the week. How do I know? He told me.
The new system is pretty much the same except you can't use any of the previous 21 passwords. Yes, TWENTY ONE. Result? When I've cycled through all my passwords, I'll probably just start using password1, password2 etc until I get it. Good for security? No. I wonder how many other pupils have started doing exactly the same thing already? Some of them are only in year seven for crying out loud!

MY RECOMMENDATIONS:
Teach people about what passwords do and how to get a good password. Teach people about the importance of security and how they should not tell people about their passwords. Teach them that they should change their password if they tell anyone about it. Teach them not to write it down if possible. Clamp down on people who hack people's accounts or use them illicitly.

SO WHAT IS A GOOD PASSWORD?
- Something you can remember without writing it down.
- Something not in the dictionary, about you, or meaningful to everyone (dates like 1945 for example). These are the first things a password hacker will try.
- Preferably something alphanumeric (password hackers probably just try letters first as people probably have a tendency to not use numbers).
- For someone who's mildly interested in Land Rovers for example, Britpart42 would be a good password; they'd remember it (Britpart is the official Land Rover parts supplier and 42 is the answer to life, the universe and everything in a certain Douglas Adams book), and it would be almost impossible to hack, requiring up to 8.5 x 10^17 attempts on a case-insensitive system where the number of characters in the password is undefined (That's 62^10 + 62^9 + 62^8 + 62^7 + 62^6 + 62^5 + 62^4 + 62^3 + 62^2 + 62, in case you were wondering).

Does anyone else agree with me? Sorry this is such a long post!
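An added worked example (my own code, not posted in this thread) of the search-space arithmetic in this post and of the "password1, password2" pattern from the school anecdote: it computes the exact 62^10 + ... + 62 sum, expresses the same keyspace in bits, estimates worst-case exhaustion time at an assumed guess rate, and flags passwords that are just a dictionary word plus a short digit suffix. The function names, the small WORDLIST and the 1e9 guesses/s rate are all constructed assumptions, not figures from the thread.

```python
from math import log2

# Constructed stand-in for a cracker's dictionary (assumption, not a real list).
WORDLIST = {"password", "letmein", "qwerty", "monday", "tuesday", "wednesday",
            "thursday", "friday", "saturday", "sunday"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates of exactly `length` characters: 62^2 = 3844 in the post."""
    return alphabet_size ** length


def cumulative_keyspace(alphabet_size: int, max_length: int) -> int:
    """Candidates of length 1..max_length (the post's 62^10 + ... + 62),
    as an exact closed-form geometric series: (a^(n+1) - a) / (a - 1)."""
    a = alphabet_size
    return (a ** (max_length + 1) - a) // (a - 1)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same keyspace in bits, the usual unit for comparing policies."""
    return length * log2(alphabet_size)


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return candidates / guesses_per_second / (365.25 * 24 * 3600)


def in_dictionary_space(password: str, wordlist=WORDLIST) -> bool:
    """True when a dictionary-plus-digit-suffix attack covers the password,
    i.e. it is a wordlist entry followed by at most four digits
    (the 'password1, password2' rotation described in the thread)."""
    base = password.lower().rstrip("0123456789")
    suffix_len = len(password) - len(base)
    return base in wordlist and suffix_len <= 4


if __name__ == "__main__":
    for alpha, name in ((36, "case-insensitive"), (62, "case-sensitive")):
        n = cumulative_keyspace(alpha, 10)
        print(f"{name}: up to 10 chars -> {n:.2e} candidates, "
              f"{entropy_bits(alpha, 10):.1f} bits, "
              f"{years_to_exhaust(n, 1e9):.1f} years at 1e9 guesses/s")
    for pw in ("password1", "Monday", "Britpart42", "oFn643AKu"):
        print(f"{pw:12} covered by dictionary attack: {in_dictionary_space(pw)}")
```

Note that the post's 8.5 x 10^17 figure is what the 62-symbol series gives; the 36-symbol (case-insensitive) series is about 3.8 x 10^15, so the two figures in that sentence describe different alphabets.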
 
Old 02-05-2006, 05:01 PM   #2
J_K9
Quote:
Originally Posted by ayteebee
Having a complicated password will not even be much use against computer hacking programs - Assuming it uses a dictionary look-up system first to get the obvious words, having a random password will take it what? Two minutes to crack it instead of one?
Wrong - dictionary attacks would not be able to discover a complex password. And, as you mention below - it would take a lot of time and one heck of a lot of processing power to brute-force it. So, do I think a long and complicated password is good? Yes.
Quote:
However, what happens if someone just tells their password to anyone they meet? I suppose here, it's more secure if they DON'T know the password and DO just keep it under their keyboard!
Then that's their fault, isn't it? Or am I missing something...
Quote:
MY RECOMMENDATIONS:
Teach people about what passwords do and how to get a good password. Teach people about the importance of security and how they should not tell people about their passwords. Teach them that they should change their password if they tell anyone about it. Teach them not to write it down if possible. Clamp down on people who hack people's accounts or use them illicitly.
Good password? Fairly long, alphanumeric, different cases. Not to tell people what they are. Not to write them down. Isn't this what you were just contradicting at the top? As for clamping down on crackers - it isn't that easy...
Quote:
SO WHAT IS A GOOD PASSWORD?
- Something you can remember without writing it down.
- Something not in the dictionary, about you, or meaningful to everyone (dates like 1945 for example). These are the first things a password hacker will try.
- Preferably something alphanumeric (password hackers probably just try letters first as people probably have a tendency to not use numbers).
- For someone who's mildly interested in Land Rovers for example, Britpart42 would be a good password; They'd remember it (Britpart is the official Land Rover parts supplier and 42 is the answer to life, the universe and everything in a certain Douglas Adams book), and it would be almost impossible to hack, requiring up to 8.5 x 10^17 attempts on a case-insensitive system where the number of characters in the password is undefined (That's 62^10 + 62^9 + 62^8 + 62^7 + 62^6 + 62^5 + 62^4 + 62^3 + 62^2 + 62, in case you were wondering).
While a random password is advised, it doesn't have to be random - for example, if my name was Richard and I was born in 1986 then ChardRi8619 would be a great password (notice the reversal?).

I'm not trying to attack you, I'm just saying that the recommended method is not recommended for the wrong reasons.

Cheers,

-jk

Last edited by J_K9; 02-05-2006 at 05:02 PM.
 
Old 02-05-2006, 05:07 PM   #3
acid_kewpie
there was something on el reg i think recently suggesting pretty much the opposite of what you're suggesting. it was suggested by a cryptographer that you should literally use a meaningless password, full of all sorts of nasty junk. use a different one in every instance. But the point was that you *could* just write them down. what's more secure - 1) remembering simpler passwords or 2) not remembering very complex ones and recording them in a secure place? if someone breaks into your house and finds the post-it(tm)(r) note with "bank - kjn2323n432, email - 23ji34j" on it... so what? it's not like it even says barclays.com... it says "bank". well, that was one expert theory, kinda like one time two factor passwords without the one time part.
 
Old 02-05-2006, 05:15 PM   #4
ayteebee
Quote:
Good password? Fairly long, alphanumeric, different cases. Not to tell people what they are. Not to write them down. Isn't this what you were just contradicting at the top? As for clamping down on crackers - it isn't that easy...
Good point

I just think that sometimes IT administrators put the emphasis in the wrong places (making things hard to remember) whilst not actually teaching people about the important bits of passwords. Why I couldn't say that in the first place I don't know!

With regard to your password, I agree, that is quite a good one - but you know what makes a good password!

Thanks for explaining stuff well...
 
Old 02-05-2006, 05:21 PM   #5
ayteebee
Quote:
if someone breaks into your house a finds the post-it(tm)(r) note with "bank - kjn2323n432, email - 23ji34j" on it... so what?
I disagree. Identity theft is already quite common (if the banks are telling us correctly). If this became a common way of storing your passwords, criminals could just hire pick-pockets or whatever to obtain your particular piece of paper that you kept in your wallet. And then we'd all be getting pick-pocketed all the time! Or maybe that's just paranoid. I dunno, I suppose you have to think paranoidly (??) where security is concerned.

Quote:
post-it(tm)(r)
Hehe, nice one!

EDIT: Also, if there was such a thing as an 'intelligent' criminal, they'd probably realise that "bank - kjn2323n432" could be quite useful...

Last edited by ayteebee; 02-05-2006 at 05:26 PM.
 
Old 02-05-2006, 06:29 PM   #6
jerril
Strong passwords should be memorised before you need them.

Hi All;

I used to find it difficult to remember strong passwords, but after getting things mixed up using "simpler" methods, I tried to develop a system. The key item I found was that I was practicing and memorizing the passwords at home; that made it easy to plug a new one in from memory.

Passwords are for more than just work, so they are just a fact of life. Banking, email, forums like this... we use passwords everywhere.

There's my rant for the day.

jer
 
  

