LinuxQuestions.org > Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
02-05-2006, 04:47 PM, #1
Member | Registered: Jul 2005 | Location: Derbyshire | Distribution: Originally Suse 9.1 Professional, currently Knoppix 3.7, migrating to Slackware | Posts: 75
Wrong end of the stick with passwords?
I just want to point out something about passwords. If I'm completely wrong, please re-educate me, I'm only a noob!
Here are some recommended password selection guidelines:
- Your password must contain letters and numbers, preferably some different-caps letters, and be as random as possible (something like oFn643AKu would be good).
- Your password must contain at least six characters.
- Your password must be changed every few weeks.
I propose that these protocols are actually extremely bad for security.
How exactly does a long, complicated password help? Asking somebody [remember, they're probably a non-geek] to remember a long and complicated password is naive. They're going to write it down. And stick it to the bottom of their keyboard. Where someone potentially malicious could quite easily get it. Kabam, security compromised. The thing is, making people change their passwords often will actually make them more likely to write it down, because they'll just not bother to learn it.
Having a complicated password will not even be much use against computer hacking programs - assuming it uses a dictionary look-up system first to get the obvious words, having a random password will take it what? Two minutes to crack it instead of one? W00t. However, here is the only place where the minimum character limit is effective - as the possible number of combinations to be tried by a password-cracker increases with 62^n where n is the number of characters (on a case-sensitive system, 36 on a case-insensitive system). For example, a one-character password could need 62^1 = 62 attempts. A two character password could need 62^2 = 3844 attempts. Longer passwords are more secure in that respect, and that's only where the number of characters is specified.
However, what happens if someone just tells their password to anyone they meet? I suppose here, it's more secure if they DON'T know the password and DO just keep it under their keyboard!
I am currently at school; here are my experiences:
Our password system has just changed (new IT staff). In the old system, your password had to be at least 6 characters, needed to be changed about every 4 weeks, and could not be the same as any of the previous 4 passwords or so. That was fine for me, because I have probably about 8 passwords or so that I use. One of my friends just rotated through the days of the week. How do I know? He told me.
The new system is pretty much the same except you can't use any of the previous 21 passwords. Yes, TWENTY ONE. Result? When I've cycled through all my passwords, I'll probably just start using password1, password2 etc until I get it. Good for security? No. I wonder how many other pupils have started doing exactly the same thing already? Some of them are only in year seven for crying out loud!
MY RECOMMENDATIONS:
Teach people about what passwords do and how to get a good password. Teach people about the importance of security and how they should not tell people about their passwords. Teach them that they should change their password if they tell anyone about it. Teach them not to write it down if possible. Clamp down on people who hack people's accounts or use them illicitly.
SO WHAT IS A GOOD PASSWORD?
- Something you can remember without writing it down.
- Something not in the dictionary, about you, or meaningful to everyone (dates like 1945 for example). These are the first things a password hacker will try.
- Preferably something alphanumeric (password hackers probably just try letters first as people probably have a tendency to not use numbers).
- For someone who's mildly interested in Land Rovers for example, Britpart42 would be a good password; they'd remember it (Britpart is the official Land Rover parts supplier and 42 is the answer to life, the universe and everything in a certain Douglas Adams book), and it would be almost impossible to hack, requiring up to 8.5 x 10^17 attempts on a case-insensitive system where the number of characters in the password is undefined (that's 62^10 + 62^9 + 62^8 + 62^7 + 62^6 + 62^5 + 62^4 + 62^3 + 62^2 + 62, in case you were wondering).
Does anyone else agree with me? Sorry this is such a long post!
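The 62^n arithmetic from the post above, worked through as an added example (this is editor-supplied code, not from the thread or any of its posters): it sizes the search space for the policies the thread argues about (6-character minimum vs. a 10-character password, case-sensitive vs. case-insensitive) and turns it into bits and an average guessing time. The guess rate of one million guesses per second is an assumed placeholder, not a figure from the thread.

```python
# Added example, not from the thread: keyspace arithmetic behind the 62^n claim.
# The guesses-per-second rate below is an assumed placeholder.
import math


def alphabet_size(case_sensitive: bool, digits: bool = True) -> int:
    """Characters a brute-force search must cover: 26 or 52 letters plus 10 digits."""
    letters = 52 if case_sensitive else 26
    return letters + (10 if digits else 0)


def keyspace_exact_length(alpha: int, n: int) -> int:
    """Candidates of exactly n characters: alpha ** n (the post's 62^n)."""
    return alpha ** n


def keyspace_up_to_length(alpha: int, max_len: int) -> int:
    """Candidates of length 1..max_len when the attacker does not know the length.
    Closed form of sum(alpha**k for k in 1..max_len): (alpha**(max_len+1) - alpha) / (alpha - 1)."""
    return (alpha ** (max_len + 1) - alpha) // (alpha - 1)


def entropy_bits(keyspace: int) -> float:
    """log2 of the search space; every extra bit doubles the attacker's work."""
    return math.log2(keyspace)


def expected_guess_time_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Average case: half the space is searched before the right password is hit."""
    return keyspace / 2 / guesses_per_second


def compare_policies(guesses_per_second: float = 1e6):
    """Rows of (label, alphabet, keyspace, bits, average days to guess) for the
    policies discussed in the thread."""
    rows = []
    for label, case_sensitive, length in [
        ("6 chars, case-insensitive", False, 6),
        ("6 chars, case-sensitive", True, 6),
        ("10 chars, case-insensitive", False, 10),
        ("10 chars, case-sensitive", True, 10),
    ]:
        alpha = alphabet_size(case_sensitive)
        space = keyspace_up_to_length(alpha, length)
        days = expected_guess_time_seconds(space, guesses_per_second) / 86400
        rows.append((label, alpha, space, round(entropy_bits(space), 1), days))
    return rows


if __name__ == "__main__":
    for label, alpha, space, bits, days in compare_policies():
        print(f"{label:27s} alphabet={alpha:2d} keyspace={space:.3e} "
              f"bits={bits:5.1f} avg guess time={days:.3g} days")
```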
02-05-2006, 05:01 PM, #2
Member | Registered: Nov 2004 | Distribution: Slackware 11, Ubuntu 6.06 LTS | Posts: 700
Quote (Originally Posted by ayteebee):
    Having a complicated password will not even be much use against computer hacking programs - Assuming it uses a dictionary look-up system first to get the obvious words, having a random password will take it what? Two minutes to crack it instead of one?
Wrong - dictionary attacks would not be able to discover a complex password. And, as you mention below - it would take a lot of time and one heck of a lot of processing power to brute-force it. So, do I think a long and complicated password is good? Yes.
Quote:
    However, what happens if someone just tells their password to anyone they meet? I suppose here, it's more secure if they DON'T know the password and DO just keep it under their keyboard!
Then that's their fault, isn't it? Or am I missing something...
Quote:
    MY RECOMMENDATIONS:
    Teach people about what passwords do and how to get a good password. Teach people about the importance of security and how they should not tell people about their passwords. Teach them that they should change their password if they tell anyone about it. Teach them not to write it down if possible. Clamp down on people who hack people's accounts or use them illicitly.
Good password? Fairly long, alphanumeric, different cases. Not to tell people what they are. Not to write them down. Isn't this what you were just contradicting at the top? As for clamping down on crackers - it isn't that easy...
Quote:
    SO WHAT IS A GOOD PASSWORD?
    - Something you can remember without writing it down.
    - Something not in the dictionary, about you, or meaningful to everyone (dates like 1945 for example). These are the first things a password hacker will try.
    - Preferably something alphanumeric (password hackers probably just try letters first as people probably have a tendency to not use numbers).
    - For someone who's mildly interested in Land Rovers for example, Britpart42 would be a good password; They'd remember it (Britpart is the official Land Rover parts supplier and 42 is the answer to life, the universe and everything in a certain Douglas Adams book), and it would be almost impossible to hack, requiring up to 8.5 x 10^17 attempts on a case-insensitive system where the number of characters in the password is undefined (That's 62^10 + 62^9 + 62^8 + 62^7 + 62^6 + 62^5 + 62^4 + 62^3 + 62^2 + 62, in case you were wondering).
While a random password is advised, it doesn't have to be random - for example, if my name was Richard and I was born in 1986 then ChardRi8619 would be a great password (notice the reversal?).
I'm not trying to attack you, I'm just saying that the recommended method is not recommended for the wrong reasons.
Cheers,
-jk
Last edited by J_K9; 02-05-2006 at 05:02 PM.
02-05-2006, 05:07 PM, #3
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
There was something on el reg I think recently suggesting pretty much the opposite of what you're suggesting. It was suggested by a cryptographer that you should literally use a meaningless password, full of all sorts of nasty junk. Use a different one in every instance. But the point was that you *could* just write them down. What's more secure - 1) remembering simpler passwords or 2) not remembering very complex ones and recording them in a secure place? If someone breaks into your house and finds the post-it(tm)(r) note with "bank - kjn2323n432, email - 23ji34j" on it... so what? It's not like it even says barclays.com... it says "bank". Well, that was one expert theory, kinda like one time two factor passwords without the one time part.
02-05-2006, 05:15 PM, #4
Member (Original Poster) | Registered: Jul 2005 | Location: Derbyshire | Distribution: Originally Suse 9.1 Professional, currently Knoppix 3.7, migrating to Slackware | Posts: 75
Quote:
    Good password? Fairly long, alphanumeric, different cases. Not to tell people what they are. Not to write them down. Isn't this what you were just contradicting at the top? As for clamping down on crackers - it isn't that easy...
Good point.
I just think that sometimes IT administrators put the emphasis in the wrong places (making things hard to remember) whilst not actually teaching people about the important bits of passwords. Why I couldn't say that in the first place I don't know!
With regard to your password, I agree, that is quite a good one - but you know what makes a good password!
Thanks for explaining stuff well...
02-05-2006, 05:21 PM, #5
Member (Original Poster) | Registered: Jul 2005 | Location: Derbyshire | Distribution: Originally Suse 9.1 Professional, currently Knoppix 3.7, migrating to Slackware | Posts: 75
Quote:
    if someone breaks into your house a finds the post-it(tm)(r) note with "bank - kjn2323n432, email - 23ji34j" on it... so what?
I disagree. Identity theft is already quite common (if the banks are telling us correctly). If this became a common way of storing your passwords, criminals could just hire pick-pockets or whatever to obtain your particular piece of paper that you kept in your wallet. And then we'd all be getting pick-pocketed all the time! Or maybe that's just paranoid. I dunno, I suppose you have to think paranoidly (??) where security is concerned.
Hehe, nice one!
EDIT: Also, if there was such a thing as an 'intelligent' criminal, they'd probably realise that "bank - kjn2323n432" could be quite useful...
Last edited by ayteebee; 02-05-2006 at 05:26 PM.
02-05-2006, 06:29 PM, #6
Member | Registered: Nov 2005 | Location: Ontario, Canada | Distribution: Linux Mint | Posts: 116
Strong passwords should be memorised before you need them.
Hi All;
I used to find it difficult to remember strong passwords, but after getting things mixed up using "simpler" methods, I tried to develop a system. The key item I found was that I was practicing and memorizing the passwords at home; that made it easy to plug a new one in from memory.
Passwords are for more than just for work, so they are just a fact of life. Banking, email, forums like this... we use passwords everywhere.
There's my rant for the day.
jer