While more characters may seem to be better, it is not simply a function of
length. Dictionary words, number sequences or simply adding digits to a
password doesn't introduce enough entropy to make much difference.
Given a password of 8 characters, if you use only alphabetic characters
(a-Z) then you have at most
30,342,338,208,000 combinations to bruteforce.
Adding digits: 136,325,893,334,400
However, using a much wider set of printable characters (which make the
passwords easier to remember...) you can get close to...
426,381,220,616,000,000 or several orders of magnitude greater space to
bruteforce.
Realizing that many systems cannot use some of the printable characters in
passwords, (there really are only about 4 depending on shell type) one can
be very creative when creating the password, even with 8 characters.
Consider passwords such as:
{Th15_!} ==> means {this !}
|-|E(kn0 ==> means heckno
:)-_-(: that's not really really good as there are too many doubles but you
get the idea.
Passwords like these are easy to remember, not hard to construct and
basically impervious to dictionary attacks. That is not to say that they
are uncrackable, just hard to crack with today's systems. (But when quantum
computers become commonplace or affordable, then all bets will be off.)
As to the management of passwords, considering that many of us are required
to have dozens if not hundreds or thousands of passwords, there comes a time
when a PalmX is not going to be efficient.
One way which does scale rather well is to use a spreadsheet, password
protected and PGP encrypted with the public keys of those who need to know
the passwords (and of course the corporate key). The policies and politics
of the implementation I leave to the audience.
Tony Plastino
Luminant Worldwide
-----Original Message-----
From: Joe Matusiewicz
To: Jerald Josephs; Joe Matusiewicz; John Kirby;
fw-1-mailinglist@lists.us.checkpoint.com
Cc: Kirby_boy@hotmail.com
Sent: 11/30/99 6:08 AM
Subject: Re: [FW1] password mgmt
At 02:08 AM 11/30/99 -0800, Jerald Josephs wrote:
>But then, most of us sync our Pilots with our
>computer so we don't lose the data, so now you have
>your passwords in two locations
>
>I wonder what is considered to be a sufficiently long
>password these days? I am up to a 15 character password
>that I can remember. If you have a sufficiently long enough password
>that is alpha-numeric, is it safe enough to use in more than one place?
The longer the better, but 15 is a lot better than 8 which is probably
the bare minimum to use. I tried building a dictionary file using standard
ascii characters so that I could try my hand at brute forcing and after 16
hours the file was close to 2 gig and it had not completed the first 6
character combinations. I do worry about some Palm III sploit coming out
and getting at your synced files on the desktop. I have heard that there is
one that is a DOS on the Palm port.
-- Joe
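
The wordlist experiment described in the message above can be sized in advance. The Python below is an added example, not part of either message; it assumes "standard ascii characters" means the 95 printable ASCII characters, that each candidate is stored on its own line with a one-byte newline, that lengths are written shortest first, and that "2 gig" is 2 GiB.

```python
import string

# Assumption: 52 letters + 10 digits + 32 punctuation marks + space = 95.
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation) + 1


def keyspace(alphabet_size, length):
    """Number of candidates of exactly `length` characters (repetition allowed)."""
    return alphabet_size ** length


def wordlist_bytes(alphabet_size, max_len, min_len=1):
    """Bytes needed for an exhaustive wordlist: one candidate + newline per line."""
    return sum(keyspace(alphabet_size, n) * (n + 1)
               for n in range(min_len, max_len + 1))


def completed_length(alphabet_size, file_bytes):
    """Longest length whose complete candidate set fits in `file_bytes`."""
    n = 0
    while wordlist_bytes(alphabet_size, n + 1) <= file_bytes:
        n += 1
    return n


def fraction_written(alphabet_size, max_len, file_bytes):
    """Share of the full 1..max_len wordlist that `file_bytes` represents."""
    return min(1.0, file_bytes / wordlist_bytes(alphabet_size, max_len))


if __name__ == "__main__":
    two_gib = 2 * 2**30  # assumed reading of "close to 2 gig"
    for n in range(1, 9):
        print(f"lengths 1..{n}: {wordlist_bytes(PRINTABLE, n):,} bytes")
    print("complete lengths in a 2 GiB file:",
          completed_length(PRINTABLE, two_gib))
    print("share of the 1..6 list written: "
          f"{fraction_written(PRINTABLE, 6, two_gib):.4%}")
```

Under these assumptions a 2 GiB file holds every candidate up to four characters and only part of the five-character set, while the full list through six characters is about 5.2 TB.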
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================