[Dshield] Password Strength

Tony Earnshaw tonye at billy.demon.nl
Tue Oct 19 17:46:18 GMT 2004

Tue, 19.10.2004 at 12.54, Jorge Fernandes wrote:

> Thank you John and Chris. Your messages were very helpful. After I
> read the article I was ready to move from passwords to pass-phrases
> but I still wanted opinions of the members of this list. It's a pity
> that some software products still limit the size of passwords to a
> relatively small amount of characters. And I'm thinking of important
> stuff like online banking... :-(

Have a look at apg (http://www.adel.nursat.kz/apg/) if you want to keep
to passwords. It does me great ;)

The thing is, I have to use awk/shell scripts for generating *many
hundreds* of (in my case Openldap) user accounts at a time,
automatically. I can give them pronounceable, rememberable min. length,
special-character passwords with apg, but no way can I generate many
hundreds of password phrases.

Take into consideration, that recent studies have shown that a
determined cracker can crack any pronounceable password of any length
within minutes, given today's computing power. So for system accounts
such as root, one would not use such passwords - 'man apg' ought to show
you how to generate uncrackable root and wheel (f.ex.) passwords. Nor
can you force pam to accept phrases rather than passwords (just to give
one example of a rigueur for password enforcement), so there's a limit to
what is acceptable in practice. Bottom line is: "It Works For Me, but
let the buyer beware", aka "YMMV".
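The post above says that pronounceable passwords can be generated in bulk with apg but that bulk generation of passphrases is not practical. The following is an added example, not code from the post or from apg, showing one way to do exactly that: draw words uniformly from a wordlist with a CSPRNG, enforce a minimum length, and report the entropy of the result so it can be compared with the crack-time concern raised in the post. The 64-entry wordlist is constructed for the example (a real deployment would load a much larger list), and the function names, the `min_length` policy and the guesses-per-second figure are assumptions.

```python
import math
import secrets

# Constructed sample wordlist (assumption: a real list, e.g. a diceware
# list, would have thousands of entries). Exactly 64 entries so that the
# entropy arithmetic below comes out as a whole number of bits.
WORDLIST = [
    "apple", "river", "stone", "cloud", "tiger", "maple", "ocean", "candle",
    "forest", "silver", "window", "garden", "rocket", "pepper", "marble", "thunder",
    "violet", "copper", "anchor", "bridge", "castle", "desert", "ember", "falcon",
    "glacier", "harbor", "island", "jungle", "kettle", "lantern", "meadow", "needle",
    "orchard", "pillow", "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet",
    "walnut", "yellow", "zephyr", "basket", "cactus", "dolphin", "engine", "feather",
    "goblet", "hammer", "iron", "jacket", "kitten", "lemon", "mirror", "nickel",
    "oyster", "pencil", "quiver", "rabbit", "sparrow", "turtle", "urchin", "wagon",
]


def entropy_bits(n_words, wordlist=WORDLIST):
    """Entropy of a passphrase of n_words drawn uniformly with replacement:
    n_words * log2(len(wordlist)). Word order and separators add nothing."""
    return n_words * math.log2(len(wordlist))


def time_to_exhaust_seconds(bits, guesses_per_second):
    """Seconds needed to try every passphrase of the given entropy at the
    assumed guess rate (an upper bound; on average an attacker needs half)."""
    return (2.0 ** bits) / guesses_per_second


def generate_passphrase(n_words=4, min_length=20, separator="-", wordlist=WORDLIST):
    """Draw n_words with the secrets CSPRNG and retry until the minimum
    length is met. The retry slightly favours longer words, which
    entropy_bits() does not account for; keep min_length low enough that
    retries are rare."""
    while True:
        phrase = separator.join(secrets.choice(wordlist) for _ in range(n_words))
        if len(phrase) >= min_length:
            return phrase


def generate_for_accounts(usernames, **policy):
    """Bulk generation for many accounts at once: returns {username: passphrase}.
    Keyword arguments are passed through to generate_passphrase()."""
    return {user: generate_passphrase(**policy) for user in usernames}


def is_valid(phrase, n_words=4, min_length=20, separator="-", wordlist=WORDLIST):
    """Check that a phrase matches the policy it was generated under."""
    parts = phrase.split(separator)
    return (
        len(parts) == n_words
        and len(phrase) >= min_length
        and all(part in wordlist for part in parts)
    )


if __name__ == "__main__":
    # Constructed usernames standing in for the hundreds of LDAP accounts
    # mentioned in the post.
    users = [f"user{i:03d}" for i in range(200)]
    table = generate_for_accounts(users)
    bits = entropy_bits(4)
    print(f"{len(table)} passphrases, {bits:.1f} bits each")
    # Assumed guess rate of one million per second (illustrative only).
    print(f"exhaustive search at 1e6 guesses/s: {time_to_exhaust_seconds(bits, 1e6):.1f} s")
    for user in users[:3]:
        print(user, table[user])
```

With the toy 64-word list, four words give only 24 bits, which is why the example prints the exhaustion time: it makes the point that the wordlist size and word count, not pronounceability or length in characters, decide how long a passphrase survives a determined attacker.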
