[unisog] [Fwd: Is the current password std flawed?]

PaulFM paulfm at me.umn.edu
Fri Feb 25 14:29:45 GMT 2005


Requiring differing case characters makes it easier for people to see the 
password typed over your shoulder (the shift key makes most people pause) so 
I would not make that requirement.  Perhaps suggesting that people use a made 
up nonsense phrase with some punctuation and digits thrown in would be a good 
idea.  Requirements that the password have at least 2 characters from each of 
any two of the following classes: any alpha, Numbers, Special_characters 
("what-the.", "01topmee", "what0the." and "87)015.1" would be allowed, 
"00topmee" would not); and a length of 8 should be sufficient to prevent 
people from using dumb passwords (of course increasing the minimum length 
wouldn't hurt).


T. Charles Yun wrote:
> A while ago, I was doing some work on entropy in text that used a perl 
> script found online based on Claude Shannon's work.  Shannon determined 
> a (set of) formulas and processes that allowed for the analysis of 
> entropy in the english language.
> 
> If you are interested in a more thorough mathematical analysis, I suspect 
> that google can help with terms such as "Shannon entropy password perl" etc.
> 
> - Charles
> 
> Harry Hoffman wrote:
> 
>> Russell,
>>
>> We are having a similar discussion regarding the programs that 
>> auto-generate easily typed passwords and whether or not it would be 
>> easier to brute force those passwords based upon key locations and how 
>> most people type.
>>
>> I'm interested to see what you come up with. Are you planning on doing 
>> any tests to verify this?
>>
>>
>> --Harry
>>
>>
>> Russell Fulton wrote:
>>
>>> Hmmm.... from my manager.  What do you think?
>>>
>>> I'll post my ideas on this tomorrow.
>>>
>>> Russell
>>>
>>> -------- Forwarded Message --------
>>> From: Stephen Taylor (ITSS) <stay091 at vxchange.vcr.auckland.ac.nz>
>>> To: Russell Fulton <rful011 at vxchange.vcr.auckland.ac.nz>, Bojan Zdrnja
>>> <b.zdrnja at auckland.ac.nz>
>>> Subject: Is the current password std flawed?
>>> Date: Fri, 25 Feb 2005 13:42:51 +1300
>>> As part of my discussion with CS re NetAccount v 2 enhancements we
>>> looked at the UoA Password Std.
>>>
>>> The following comments were made by CS.
>>>
>>> By asking that all passwords must have a numeric and a special character
>>> we are making it easier for cracking tools because we have effectively
>>> reduced the "pool" of possible password combinations; e.g. no need to
>>> check for a password such as "gHsrYBoZ" as this would be rejected as not
>>> valid.
>>>
>>> Similarly by not allowing all numerics such as "33892536".
>>>
>> ...
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.sans.org
>> http://www.dshield.org/mailman/listinfo/unisog
>>
>>
> 

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
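The CS comment forwarded above claims that requiring a digit and a special character shrinks the pool an attacker has to search. The following is an added example (not code from the original post) that puts a number on that claim: it counts, by inclusion-exclusion, how many strings of a given length over the 94 printable non-space ASCII characters satisfy a "must contain at least one character from each of these classes" rule, cross-checks the formula by brute force at small lengths, and reports the entropy given away once the rule is public. The class split and the alphabet are assumptions made for this example.

```python
"""Keyspace size under class-composition password rules (added example)."""
from itertools import combinations, product
from math import log2
import string

# Assumed character classes; together they are the 94 printable non-space ASCII chars.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())


def count_allowed(length, required):
    """Strings of `length` over ALPHABET containing at least one character from
    every class in `required`.  Inclusion-exclusion: for each subset of required
    classes that is *missing*, count strings over the shrunken alphabet, with
    alternating sign."""
    req = tuple(required)
    total = 0
    for k in range(len(req) + 1):
        for missing in combinations(req, k):
            shrunk = len(ALPHABET) - sum(len(CLASSES[c]) for c in missing)
            total += (-1) ** k * shrunk ** length
    return total


def count_allowed_brute(length, required):
    """Same count by exhaustive enumeration; only feasible for tiny `length`."""
    return sum(
        1 for pw in product(ALPHABET, repeat=length)
        if all(any(ch in CLASSES[c] for ch in pw) for c in required)
    )


def bits_lost(length, required):
    """Search-space entropy (bits) the rule removes: log2(all) - log2(allowed)."""
    return log2(len(ALPHABET) ** length) - log2(count_allowed(length, required))


if __name__ == "__main__":
    for rule in ([], ["digit"], ["digit", "special"]):
        name = ",".join(rule) or "no rule"
        print(f"{name:>14}: {count_allowed(8, rule):.3e} passwords, "
              f"{bits_lost(8, rule):.2f} bits lost")
```

For 8-character passwords the digit-plus-special rule removes well under one bit of entropy, which is the order of magnitude this thread is arguing over.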
