[unisog] [Fwd: Is the current password std flawed?]

PaulFM paulfm at me.umn.edu
Fri Feb 25 14:29:45 GMT 2005

Requiring differing case characters makes it easier for people to see the 
password typed over your shoulder (the shift key makes most people pause) so 
I would not make that requirement.  Perhaps suggesting that people use a made-up 
nonsense phrase with some punctuation and digits thrown in would be a good 
idea.  Requirements that the password have at least 2 characters from each of 
any two of the following classes: any alpha, Numbers, Special_characters ( 
"what-the.", "01topmee" "what0the." and "87)015.1" would be allowed, 
"00topmee" would not); and a length of 8 should be sufficient to prevent 
people from using dumb passwords (of course increasing the minimum length 
wouldn't hurt).

T. Charles Yun wrote:
> A while ago, I was doing some work on entropy in text that used a perl 
> script found online based on Claude Shannon's work.  Shannon determined 
> a (set of) formulas and processes that allowed for the analysis of 
> entropy in the english language.
> If you are interested in a more thorough mathematical analysis, I suspect 
> that google can help with terms such as "Shannon entropy password perl" etc.
> - Charles
> Harry Hoffman wrote:
>> Russell,
>> We are having a similar discussion regarding the programs that 
>> auto-generate easily typed passwords and whether or not it would be 
>> easier to brute force those passwords based upon key locations and how 
>> most people type.
>> I'm interested to see what you come up with. Are you planning on doing 
>> any tests to verify this?
>> --Harry
>> Russell Fulton wrote:
>>> Hmmm.... from my manager.  What do you think?
>>> I'll post my ideas on this tomorrow.
>>> Russell
>>> -------- Forwarded Message --------
>>> From: Stephen Taylor (ITSS) <stay091 at vxchange.vcr.auckland.ac.nz>
>>> To: Russell Fulton <rful011 at vxchange.vcr.auckland.ac.nz>, Bojan Zdrnja
>>> <b.zdrnja at auckland.ac.nz>
>>> Subject: Is the current password std flawed?
>>> Date: Fri, 25 Feb 2005 13:42:51 +1300
>>> As part of my discussion with CS re NetAccount v 2 enhancements we
>>> looked at the UoA Password Std.
>>> The following comments were made by CS.
>>> By asking that all passwords must have a numeric and a special character
>>> we are making it easier for cracking tools because we have effectively
>>> reduced the "pool" of possible password combinations; e.g. no need to
>>> check for a password such as "gHsrYBoZ" as this would be rejected as not
>>> valid.
>>> Similarly by not allowing all numerics such as "33892536".
>> ...
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.sans.org
>> http://www.dshield.org/mailman/listinfo/unisog

The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
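An added worked example (not from the thread, and not anyone's code here): the arithmetic behind the CS "pool" remark quoted above. It counts how many random passwords of a given length a composition rule leaves and how many bits of search space an attacker gains by knowing the rule. The class sizes are an assumed split of the 95 printable ASCII characters.

```python
from itertools import combinations
from math import log2

# Constructed split of the 95 printable ASCII characters into the classes the
# thread talks about (26 lower, 26 upper, 10 digits, 33 punctuation/symbols).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def count_with_required(length, required, classes=CLASSES):
    """Number of strings of `length` over the alphabet that contain at least one
    character from EVERY class named in `required`.

    Inclusion-exclusion: start from all strings, subtract those missing one
    required class, add back those missing two, and so on.
    """
    alphabet = sum(classes.values())
    required = tuple(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            size = alphabet - sum(classes[c] for c in missing)
            total += (-1) ** k * size ** length
    return total


def bits_lost(length, required, classes=CLASSES):
    """How many bits smaller the search space is once the attacker knows the
    policy, compared with all strings of that length (0.0 means no loss)."""
    alphabet = sum(classes.values())
    allowed = count_with_required(length, required, classes)
    return length * log2(alphabet) - log2(allowed)


def all_numeric_fraction(length, classes=CLASSES):
    """Share of the unrestricted space removed by forbidding all-digit passwords."""
    alphabet = sum(classes.values())
    return classes["digit"] ** length / alphabet ** length


if __name__ == "__main__":
    for policy in [(), ("digit",), ("digit", "special"),
                   ("lower", "upper", "digit", "special")]:
        print(f"length 8, require {policy or 'nothing'}: "
              f"{bits_lost(8, policy):.3f} bits lost")
    print(f"all-digit share of 8-char space: {all_numeric_fraction(8):.2e}")
```

For 8-character random passwords, requiring a digit and a special character costs well under one bit, so the "reduced pool" is real but small next to the bits lost when users pick dictionary words.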
