
RE: [FW1] password mgmt




Hi all,
        I cannot speak for Solaris, but for NT passwords I seem to remember
reading an article somewhere about it. With the hashing (was it the hashing
algo?? it was a while ago so go easy!), NT splits passwords into 2 parts (i.e., 1-7
chars in the first, 8-14 in the second). It turns out that it is safer to use a
password on NT that is 7 or 10/over. But then again I read an article saying
that the US Army was now using Macs for all their web sites because they were
more secure than NT or Unix???

   Regards,

  Damian.

-----Original Message-----
From: Tony Plastino <TonyP@freerange.com> 
Sent: Tuesday, 30 November 1999 6:15
To: "'Joe Matusiewicz '" <joem@nist.gov>; "'Jerald Josephs '"
<jjosephs@pacbell.net>; "'John Kirby '" <kirby_boy@hotmail.com>;
fw-1-mailinglist@lists.us.checkpoint.com
Subject: RE: [FW1] password mgmt 



While more characters may seem to be better, it is not simply a function of
length.  Dictionary words, number sequences or simply adding digits to a
password doesn't introduce enough entropy to make much difference.

Given a password of 8 characters, if you use only alphabetic characters
(a-Z) then you have at most 30,342,338,208,000 combinations to bruteforce,
or 136,325,893,334,400 adding digits.

However, using a much wider set of printable characters (which make the
passwords easier to remember...) you can get close to...

426,381,220,616,000,000 or several orders of magnitude greater space to
bruteforce.

Realizing that many systems cannot use some of the printable characters in
passwords, (there really are only about 4 depending on shell type) one can
be very creative when creating the password, even with 8 characters.

Consider passwords such as:

{Th15_!}    ==> means  {this !}
|-|E(kn0    ==> means  heckno
:)-_-(:  that's not really really good as there are too many doubles but you
get the idea.

Passwords like these are easy to remember, not hard to construct and
basically impervious to dictionary attacks.  That is not to say that they
are uncrackable, just hard to crack with today's systems (but when quantum
computers become commonplace or affordable, then all bets will be off).

As to the management of passwords, considering that many of us are required
to have dozens if not hundreds or thousands of passwords, there comes a time
when a PalmX is not going to be efficient.

One way which does scale rather well is to use a spreadsheet, password
protected and PGP encrypted with the public keys of those who need to know
the passwords (and of course the corporate key).  The policies and politics
of the implementation I leave to the audience.

Tony Plastino
Luminant Worldwide
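Worked keyspace arithmetic for the figures in Tony's post above and for the two-halves NT behaviour Damian describes at the top of the thread; this is an added example, not code from any of the posters. It assumes a 69-character upper-case alphabet for the split case (the LAN Manager hash, which is the NT hash that splits at 7 characters, upper-cases the password first) and reproduces Tony's counts by drawing characters without repetition.

```python
from math import log2, perm

# Exhaustive-search sizes only; they say nothing about how guessable a
# human-chosen password is, which is the point of the rest of the post.


def keyspace(alphabet_size: int, length: int, repeats: bool = True) -> int:
    """Number of candidate passwords of exactly `length` characters.

    repeats=False counts ordered draws with no character used twice; that
    convention gives the 30,342,338,208,000 figure in the post (52 letters,
    8 positions), so the example reproduces it rather than 52**8."""
    if repeats:
        return alphabet_size ** length
    return perm(alphabet_size, length)


def lm_split_work(length: int, alphabet_size: int = 69) -> int:
    """Worst-case guesses to exhaust a LAN Manager (LM) style hash.

    LM upper-cases the password and hashes each 7-character half on its
    own, so the halves can be checked independently and the total work is
    the SUM of two small searches, never the product. The default alphabet
    is an assumption: 26 upper-case letters + 10 digits + 33 symbols."""
    first = min(length, 7)
    second = max(length - 7, 0)
    work = keyspace(alphabet_size, first)
    if second:
        work += keyspace(alphabet_size, second)
    return work


def bits(n: int) -> float:
    """Search space expressed as equivalent key bits."""
    return log2(n)


if __name__ == "__main__":
    # The two figures from the post: letters only, then letters + digits.
    print(f"{keyspace(52, 8, repeats=False):,}  letters only, 8 chars")
    print(f"{keyspace(62, 8, repeats=False):,}  letters + digits, 8 chars")
    # Why Damian's "7 or over" rule of thumb holds for LM-hashed passwords:
    # an 8-character password costs barely more than a 7-character one.
    for n in (7, 8, 10, 14):
        print(f"LM length {n:2d}: {bits(lm_split_work(n)):5.1f} bits "
              f"vs {bits(keyspace(69, n)):5.1f} bits if hashed whole")
```

Note that a 14-character LM password (two full halves) still searches in less work than a single 8-character password hashed whole over the same alphabet.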

-----Original Message-----
From: Joe Matusiewicz
To: Jerald Josephs; Joe Matusiewicz; John Kirby;
fw-1-mailinglist@lists.us.checkpoint.com
Cc: Kirby_boy@hotmail.com
Sent: 11/30/99 6:08 AM
Subject: Re: [FW1] password mgmt


At 02:08 AM 11/30/99 -0800, Jerald Josephs wrote:
>But then, most of us sync our Pilots with our
>computer so we don't lose the data, so now you have
>your passwords in two locations
>
>I wonder what is considered to be a sufficiently long
>password these days?  I am up to a 15 character password
>that I can remember. If you have a sufficiently long enough password
>that is alpha-numeric, is it safe enough to use in more than one place?

The longer the better, but 15 is a lot better than 8, which is probably
the bare minimum to use.  I tried building a dictionary file using
standard ASCII characters so that I could try my hand at brute forcing, and
after 16 hours the file was close to 2 gig and it had not completed the
first 6 character combinations.  I do worry about some Palm III sploit
coming out and getting at your synced files on the desktop. I have heard
that there is one that is a DOS on the Palm port.

-- Joe



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================





