[I] Pronounceable Passwords
PeterH
searches through your computer's dictionary and spits out common
letter combinations. You then randomly put them back together and
voila! Passwords that you can actually say.
A few test runs, generating sixteen-letter "passwords", produced these
gems:
scatialdriespett
serievidaternals
deogypreventhect
teditingstrindee
literinfultantyp
ishighwagenestab
inglusectalition
mescurnessessest
phabletaxingstat
ionglavescenters
ookedachuttedepl
almeningandhemeo
oticrionicaticom
tiereignefanholu
ecellytoomforena
Geeks had better go here:
http://www.multicians.org/thvv/tvvtools.html#gpw
--
PeterH
www.blurty.com/users/peterhjr
Lodestone
news:7729e40e.0305...@posting.google.com...
> Found this wonderful algorithm (which I had trouble spelling) that
> searches through your computer's dictionary and spits out common
> letter combinations. You then randomly put them back together and
> voila! Passwords that you can actually say.
Brilliant! They're always easier to remember that way.
I think...
> teditingstrindee
...is the winner. With slight modification to "Teddington Strindee" it could
easily be a small English town :-D
--
Lodestone
Love, Music, Wine and Revolution
http://www11.brinkster.com/lodestone/chocolatelightbulb.htm
Torak
> Found this wonderful algorithm (which I had trouble spelling) that
> searches through your computer's dictionary and spits out common
> letter combinations. You then randomly put them back together and
> voila! Passwords that you can actually say.
>
> A few test runs, generating sixteen-letter "passwords", produced these
> gems:
I think, if it's OK by you, I shall nick that list and use it for names in
RPGs, stories, and the like. Some rather Dickensian ones there, I reckon.
Gideon Hallett
> Found this wonderful algorithm (which I had trouble spelling) that
> searches through your computer's dictionary and spits out common
> letter combinations. You then randomly put them back together and
> voila! Passwords that you can actually say.
>
> A few test runs, generating sixteen-letter "passwords", produced
> these gems:
>
<snip>
> Geeks had better go here:
> http://www.multicians.org/thvv/tvvtools.html#gpw
All well and good, but I can think of a couple of big (and two
smaller) question marks hanging over this method.
Firstly, it's taken from a natural language dictionary. Surely that
means that (at a guess) the distribution of letters in a password
is going to follow (to whatever extent) the matching distribution.
The insertion of the salt (the random numbers) helps to complicate
any attempt to brute-force the password, but it isn't truly random.
In fact, I'm curious. Let's do a quick frequency distribution on the
sampled passwords.
A 18
B 2
C 10
D 8
E 37
F 3
G 9
H 7
I 23
J 0
K 1
L 13
M 5
N 19
O 13
P 5
Q 0
R 11
S 17
T 26
U 5
V 4
W 1
X 1
Y 3
Z 0
= 241 letters (off by one, due to it being quite late)
Now, our sample is fairly small; yet it has a recognisably English
fingerprint (albeit slightly fudged in places due to the small
sample)
Compare the above frequency distribution with
http://www.csm.astate.edu/~rossa/datasec/frequency.html
You can see that E is by far the most common letter; and that the
RST block follows the 'proper' frequency order (T>S>R). Similarly,
the commonly-used vowels are more frequent than all but the most
commonly-used consonants. If you know the most commonly-used
consonants and vowels, then you have 6-8 of the 24 letters of the
key cracked fairly simply, just by their relative frequency.
(Similar methods apply for other countries. A wouldbe spook could,
for example, intercept a packet by means of a sniffer, traceroute
to the source and destination IP addresses to determine the likely
language, nmap the IP addresses to fingerprint the operating
systems, and have a go at using known algorithms on that OS. It's
still not a simple job, but it's far easier than shooting totally
blind.)
Secondly, the examples you cited have recognisable fragments of
words in them - 'dries', 'prevent', 'editing', 'taxing' - surely a
dictionary attack is going to find these passwords *easier* to
break than a truly random string?
As Kerckhoff's Law mentions[1], you can't rely on an algorithm to
keep a code secret; it has to rely on the safety of the key.
The minor thoughts...
Firstly, if you use a single algorithm to generate a password, then
you are generating something with a *consistent* and repeated level
of randomness. Anything that renders the output of the key
according to a fixed routine is a weakness, even if not a major
one.
Secondly, if the dictionary used is purely text, it does not include
any numbers or ASCII characters; thus cutting down the number of
possible combinations in the password - and many of the common
dictionary attacks pay little heed to non-alphanumeric characters.
As has been said elsewhere, the best passwords look like line
noise.
Of course, there are some things to be said in defence of the above
method. It's better than letting people choosing their own
passwords *unless* they're trained at choosing good ones[2].
The above frequency distribution is based on a couple of hundred
letters. Most passwords aren't a twentieth of that length; and
assembling a reasonable distribution would involve intercepting a
fair number of session passwords. It's not easy, and there are
generally other means of gaining entry to a box (buffer overflows,
open ports, unset passwords, social engineering). But, given time,
it should work.
Gideon.
(speaking here as an interested amateur; anyone who has better
information is welcome to correct me on anything I've got wrong.)
[1] "It must not be required to be secret, and it must be able to
fall into the hands of the enemy without inconvenience"
[2] Note for the cerebrally-challenged - if trying to choose an
admin password for your Win2k server which is 'out there' on the
'net and not firewalled, do NOT choose 'matrix' as a password
unless you want the box to be 0wn3d in double-quick time.
(A significant part of my working life is spent wincing at peoples'
choice of server admin passwords.)
--
(((( | ====diog...@freeuk.com.=========================|
o__))))) | - Bringing permed '70s-retro hedgehogs to the =|
__ \'((((( | common people since he got bored one afternoon. =|
Torak
Torak
[absolutely nothing]
BUGGER!
I meant to comment that if you're into this sort of thing, have a look at
Uplink at http://www.introversion.co.uk/ - good fun.
Matt
> "PeterH" <pete...@yahoo.co.uk> wrote in message
> news:7729e40e.0305...@posting.google.com...
>> Found this wonderful algorithm (which I had trouble spelling) that
>> searches through your computer's dictionary and spits out common
>> letter combinations. You then randomly put them back together and
>> voila! Passwords that you can actually say.
>
> Brilliant! They're always easier to remember that way.
> I think...
>
>> teditingstrindee
>
> ...is the winner. With slight modification to "Teddington Strindee"
> it could easily be a small English town :-D
Well we know your password.
Lodestone, what's your username?
--
Matt
Suzi
Lodestone <lode...@microsoft.com> wibbled...
> "PeterH" <pete...@yahoo.co.uk> wrote in message
> news:7729e40e.0305...@posting.google.com...
[Snip]
> > teditingstrindee
>
> ...is the winner. With slight modification to "Teddington Strindee" it could
> easily be a small English town :-D
Seems like a good place to pop this one...
...we regularly pass a couple of places on the Welsh/English border
which sound like they really belong in XXXX, these being "Ganerew" and
"Crockers Ash". Are there other "out of place" town names around that
seem to have been transported that people have spotted?
Suzi
Nick Johnson
>
> ...we regularly pass a couple of places on the Welsh/English border
> which sound like they really belong in XXXX, these being "Ganerew" and
> "Crockers Ash". Are there other "out of place" town names around that
> seem to have been transported that people have spotted?
>
> Suzi
Yup, New Zealand. We should be part of holland, not SE of Australia ;)
John Wilkins
You mean SE of New Holland :-)
--
John Wilkins
B'dies, Brutius
PeterH
> PeterH wrote:
>
> > Found this wonderful algorithm (which I had trouble spelling) that
> > searches through your computer's dictionary and spits out common
> > letter combinations. You then randomly put them back together and
> > voila! Passwords that you can actually say.
> >
> > A few test runs, generating sixteen-letter "passwords", produced
> > these gems:
> >
> <snip>
>
> > Geeks had better go here:
> > http://www.multicians.org/thvv/tvvtools.html#gpw
>
> All well and good, but I can think of a couple of big (and two
> smaller) question marks hanging over this method.
Well, I'm going back to Uni to study computer security in July, so
this should be a good warming-up exercise :)
> Firstly, it's taken from a natural language dictionary. Surely that
> means that (at a guess) the distribution of letters in a password
> is going to follow (to whatever extent) the matching distribution.
> The insertion of the salt (the random numbers) helps to complicate
> any attempt to brute-force the password, but it isn't truly random.
Of course not, but that is rather the point. I started looking for
this algorithm in the first place because our company allocates
subscriber passwords simply by lumping together a bunch of upper- and
lowercase letters and numbers. Clients then receive ludicrousy
complicated passwords like "H7Gcdx4Lf" which they then have to
remember. Of course they're not going to remember something like that,
they're going to write it down - which is not a very clever thing to
do.
It could be successfully argued that a password like that is virtually
impossible to crack. On the other hand, however difficult a password
may be to crack computationally (er...), its security is heavily
compromised if random people can simply read it off a piece of paper
on your desk.
>
[schnippage regarding letter frequencies]
The "source" dictionary was the file /usr/share/dict/linux.words (I'm
using Redhat Linux 9 for those who care) which is about 400Kb in size
and includes words and common names. Allegedly. (The first five words
are Aarhus, Aaron, Ababa, aback and abaft.) And, American spelling is
favoured, which might throw things off a tad (less u's, more z's etc).
However, most passwords are only six to eight characters long, which
is not even nearly enough to use letter frequency as a cracking
strategy. The passwords would be *easier* to crack using letter
combination frequency as the strategy, but again, there just aren't
enough letters in the passwords for that to be viable either.
>
> Secondly, the examples you cited have recognisable fragments of
> words in them - 'dries', 'prevent', 'editing', 'taxing' - surely a
> dictionary attack is going to find these passwords *easier* to
> break than a truly random string?
No. The password encryption algorithm of choice these days is MD5,
which works one way only[1]. You give the algorithm any string up to
128 characters long, and it spits out a unique MD5 hash. It takes such
a long time to get the password back out of the encrypted hash that
99.99999999% of the time there's no point in even trying. Also, you
can't find the MD5 hashes for 'un', 'avoid' and 'able', stick them
together and get the MD5 hash for 'unavoidable'. A dictionary attack
therefore won't help either, as these passwords don't appear in their
entirety in the dictionary. Very occasionally the password generating
algorithm will spit out a dictionary word, but obviously you wouldn't
use that as a password.
[schnip]
>
> Firstly, if you use a single algorithm to generate a password, then
> you are generating something with a *consistent* and repeated level
> of randomness. Anything that renders the output of the key
> according to a fixed routine is a weakness, even if not a major
> one.
Quite right. And that really is the only weakness that I can see in
the system. But it can be offset by altering the passwords -
capitalising the beginnings of "recognisable" word fragments, for
example, or adding a few numbers and punctuation marks.
> Secondly, if the dictionary used is purely text, it does not include
> any numbers or ASCII characters; thus cutting down the number of
> possible combinations in the password - and many of the common
> dictionary attacks pay little heed to non-alphanumeric characters.
> As has been said elsewhere, the best passwords look like line
> noise.
See my argument against that above.
--
PeterH
www.blurty.com/users/peterhjr
[1] Apologies to those who already know about this sort of thing.
Jeremy C B Nicoll
PeterH <pete...@yahoo.co.uk> wrote:
> Gideon Hallett <diog...@freeuk.com> wrote in message news:<bb0moi$lt9$1...@library.lspace.org>...
> > PeterH wrote:
> >
> > > Found this wonderful algorithm (which I had trouble spelling) that
> > > searches through your computer's dictionary and spits out common
> > > letter combinations. You then randomly put them back together and
> > > voila! Passwords that you can actually say.
Bad. Passwords like that are guessable by programs that use
dictionaries to provide a list of guessable values.
Better is a generating passwords as something like:
<consonant><vowel><consonant><vowel><consonant><digit><digit><digit>
It's always fairly pronounceable and it isn't ever actually a word.
--
Jeremy C B Nicoll - my opinions are my own.
Peter Ellis
>
>Generally I use the rule of thumb that says if you can remember your
>password in a simpler fashion than remembering the password itself, then
>chances are it's a bad one (i.e. it has redundancy).
Useful rule of thumb, but breaks somewhat when you consider that what a
human brain may find "simple" doesn't necessarily correspond to
computational simplicity.
For example, I tend to generate passwords by taking random stretches of
song lyrics (and not usually English), and making an acrostic complete
with relevant punctuation. Mixes alpha- and non-alpha characters, both
cases, and buggers up any attack based on letter frequency, since the
frequencies for letters at the *start* of words certainly doesn't match
the frequencies for bulk text.
You get something that's easy as pie to remember on my part, but I'd defy
any attacker to discover, say, the password Ns'iw,wsdF without some serious
knowledge of my taste in music.
(Bonus question: Identify the song and win a pint)
Peter
sjb351
> Found this wonderful algorithm (which I had trouble spelling) that
> searches through your computer's dictionary and spits out common
> letter combinations. You then randomly put them back together and
> voila! Passwords that you can actually say.
>
> A few test runs, generating sixteen-letter "passwords", produced these
> gems:
>
> Geeks had better go here:
> http://www.multicians.org/thvv/tvvtools.html#gpw
Pronouncable? Your tongue must work a bit better than mine.
--
_____________________
Stupidity = Naivety x Time
Bruce Murphy
> No. The password encryption algorithm of choice these days is MD5,
> which works one way only[1]. You give the algorithm any string up to
> 128 characters long, and it spits out a unique MD5 hash. It takes such
> a long time to get the password back out of the encrypted hash that
> 99.99999999% of the time there's no point in even trying. Also, you
> can't find the MD5 hashes for 'un', 'avoid' and 'able', stick them
> together and get the MD5 hash for 'unavoidable'. A dictionary attack
> therefore won't help either, as these passwords don't appear in their
> entirety in the dictionary. Very occasionally the password generating
> algorithm will spit out a dictionary word, but obviously you wouldn't
> use that as a password.
However, many places are forced to use DES(crypt) passwords becuase
they require various amounts of backwards compatibility.
In 1997 I could use a fast (at the time) alpha to brute force *every
possible* lower-case only password of 1-8 chars in length in just
over 24 hours (For a single seed). That was a long time ago.
If I can reduce a short password to a set of very commonly adjacent
letters then I can do a hell of a lot better.
B>
Torak
>
> Of course not, but that is rather the point. I started looking for
> this algorithm in the first place because our company allocates
> subscriber passwords simply by lumping together a bunch of upper- and
> lowercase letters and numbers. Clients then receive ludicrousy
> complicated passwords like "H7Gcdx4Lf" which they then have to
> remember. Of course they're not going to remember something like that,
> they're going to write it down - which is not a very clever thing to
> do.
I've got a complicated password like that. Oddly enough, I have no trouble
remembering it. It just sort of worked its way into my brain after a few
months.
Orjan Westin
news:bb2666$hnk$1...@sirius.dur.ac.uk...
> PeterH wrote:
> >
> > complicated passwords like "H7Gcdx4Lf" which they then have to
> > remember.
>
> remembering it. It just sort of worked its way into my brain after a few
> months.
That's irony, right? If it isn't, I take it you're not familiar with the
old recommendation to change password at least once a month.
Orjan
Bruce Murphy
A poor recommendation. Passwords should be changed based on how
important they are, and how often they are used. *really really*
important passwords, might get changed once per use :)
B>
Torak
>>>
>>> complicated passwords like "H7Gcdx4Lf" which they then have to
>>> remember.
>>
>> I've got a complicated password like that. Oddly enough, I have no
>> trouble remembering it. It just sort of worked its way into my brain
>> after a few months.
>
> That's irony, right? If it isn't, I take it you're not familiar with the
> old recommendation to change password at least once a month.
I am familiar with it, and I don't bother. There's no point - nobody gets
told my password, and a competent hacker will get in sooner or later anyway.
Besides, there's nothing to hide on any of my accounts.
If others feel like taking the bother to change half a dozen passwords every
month, that's their choice. I couldn't care less about it, though.
Gideon Hallett
news:bb26ae$4pu9f$1...@ID-90122.news.dfncis.de:
Or whenever someone leaves, moves sideways or up, or there's a full
moon, an 'r' in the month, a 'y' in the day or the promise of
changeable weather at some point.
IMO, the problem with any password-creating algorithm is that it's
trying to correct a user problem - poor password discipline.
It's not the easiest skill, but I'm not especially smart, and can
remember 10-15 'real' passwords properly; it's a learnable habit.
Mind you, one of the neatest 'bad' passwords I ever saw was
attached to someone's monitor - it was the last 8 characters of the
monitor's serial number ('/W5C/128').
Gideon.
Sanity
Gideon Hallett <diog...@freeuk.com> wrote:
> Mind you, one of the neatest 'bad' passwords I ever saw was
> attached to someone's monitor - it was the last 8 characters of the
> monitor's serial number ('/W5C/128').
Hmmm, I think I'll change all my passwords to 'iMac' ;-)
As for password discipline, I admit to being bad-ish. I don't change
my passwords every month. And I try to have as few different passwords
as possible. Because I forget them, especially when they're not often
used. I have been unable to access my uni account due to changing
password and forgetting it. [1]
I do remember my own server passwords because I log in regularly. But
for other things I tend to mix up the different passwords, and it may
take days before I remember what else it could have been.
TTFN,
Michel AKA Sanity
[1] The worst thing was, it was my gf's name...I used her name because
I thought it would be easy, but it wasn't, because she'd never
been my password before and I hadn't logged in for a while.
--
"Sanity shall make ye -ing fret": | "A cat has 40 million hairs: 5
www.affordable-prawns.co.uk | million on its back, 10 million on
www.affordable-hedgehogs.co.uk | its belly, and 25 million on your
Check the AFPChess Tournament! | couch." --Midas Dekkers
Jeremy C B Nicoll
Murk <mu...@lspace.org> wrote:
> Jeremy C B Nicoll <Jer...@omba.demon.co.uk> wrote:
> > Better is a generating passwords as something like:
> >
> > <consonant><vowel><consonant><vowel><consonant><digit><digit><digit>
> >
> > It's always fairly pronounceable and it isn't ever actually a word.
> money123 would be got by a dictionary attack.
Aye, I know, but eventually any random collection of digits & letters
is susceptible to automated cracking too. The best defence is for the
system being approached to reject attempts for a specific pre-defined
userid, after 2 or 3 failures.
Jeremy C B Nicoll
<Pine.SOL.4.44.03052...@green.csi.cam.ac.uk>,
Peter Ellis <pj...@cam.ac.uk> wrote:
> (Bonus question: Identify the song and win a pint)
How will the pint be delivered?
Jeremy C B Nicoll
> Mind you, one of the neatest 'bad' passwords I ever saw was
> attached to someone's monitor - it was the last 8 characters of the
> monitor's serial number ('/W5C/128').
But really that's using the password algorithm method - the computer
asks a question, and you supply the answer based on knowing what's
being asked, if you see what I mean... Some sort of mental arithmetic
or something?
Jeremy C B Nicoll
Sanity <sanityDE...@affordable-hedgehogs.co.uk> wrote:
> Because I forget them, especially when they're not often used.
I used to have a set of passwords that I'd change on all systems on the
same day. If for some reason a system was down and so its password
couldn't be changed I found that subsequently I could remember the new
set of passwords, but none of the old ones, so always needed someone to
reset the password on whatever system I hadn't been on.
Another type of password I quite liked was delibaretely misspelled
words. Quite good if someone sees a few of the letters as you type
(and that's not always possible to prevent eg a teacher having to type
a value on a pupil's keyboard) they can get an idea of what the
password is.
Eric Jarvis
> >
> > <consonant><vowel><consonant><vowel><consonant><digit><digit><digit>
> >
> > It's always fairly pronounceable and it isn't ever actually a word.
>
>
> single algorithm is a good one.
>
> Generally I use the rule of thumb that says if you can remember your
> password in a simpler fashion than remembering the password itself, then
> chances are it's a bad one (i.e. it has redundancy).
>
how would the pronounceable passwords work if random
letters had a "number substitution"?...one of the
techniques I've encountered is taking words chosen by the
user and then substituting "0" foe "o", "4" for "a"
etc...it gives an easily memorable password that is a mix
of letters and numbers...but I've no idea how easy it
would be to crack
I prefer genuinely random alphanumerics myself...but I
have the sort of memory that copes with them, not
everyone can
--
eric - afprelationships in headers
www.ericjarvis.co.uk
"Hey Lord don't ask me questions
There ain't no answer in me"
MP
<diog...@freeuk.com> wrote:
>PeterH wrote:
>
>> Found this wonderful algorithm (which I had trouble spelling) that
>> searches through your computer's dictionary and spits out common
>> letter combinations. You then randomly put them back together and
>> voila! Passwords that you can actually say.
>>
>> A few test runs, generating sixteen-letter "passwords", produced
>> these gems:
>>
><snip>
>
>> Geeks had better go here:
>> http://www.multicians.org/thvv/tvvtools.html#gpw
>
>All well and good, but I can think of a couple of big (and two
>smaller) question marks hanging over this method.
>
>Firstly, it's taken from a natural language dictionary. Surely that
>means that (at a guess) the distribution of letters in a password
>is going to follow (to whatever extent) the matching distribution.
>The insertion of the salt (the random numbers) helps to complicate
>any attempt to brute-force the password, but it isn't truly random.
Fair point, but probably not that important. It would be important if
you were trying to cryptanalyse a cipher, but most passwords are
one-way encoded nowadays, so you'd have to brute force check all
possible combinations. Even if you say that only 6 letters are
possible from an alphabet of say 80 characters (52 letters allowing
case sensitivity, 10 digits, about 30 other probably valid characters,
so I'm erring on lower end here), that is a code space of 262144000000
passwords, allowing repetitions.
MD5 converts passwords using a one-way hash system to a 128-bit
fingerprint, which is easy to compute, but, technically speaking, a
bugger to undo. Also, because it doesn't care how big the original
input is (MD5 was actually designed as a verification system, like
Cyclic Redundancy Checks or Checksums), the output length doesn't give
any clue to this rule (although you shouldn't need to keep this
secret). Still, that means you need to check 262144000000*128 bits of
data. That is ~2,560,000 Gb of data, to check just all possible 6
letter passwords...
>In fact, I'm curious. Let's do a quick frequency distribution on the
>sampled passwords.
<snip table>
>Now, our sample is fairly small; yet it has a recognisably English
>fingerprint (albeit slightly fudged in places due to the small
>sample)
This isn't really a problem though. You know that most people are
going to pick bad passwords, and since most computer users seem to be
using American developed systems, these are often English based.
>You can see that E is by far the most common letter; and that the
>RST block follows the 'proper' frequency order (T>S>R). Similarly,
>the commonly-used vowels are more frequent than all but the most
>commonly-used consonants. If you know the most commonly-used
>consonants and vowels, then you have 6-8 of the 24 letters of the
>key cracked fairly simply, just by their relative frequency.
Yes, but this isn't the key. This is the access password. Keys should
be generated using, ideally, physical events: tossing coins, rolling
dice, tracking precise motion of a bird through a three dimensional
space... Keys shouldn't be the password. The password should be purely
for the convenience of the user, especially in sensitive applications
like online finance access.
In encrypting files, this often isn't possible, but even then, it
should not be short: a longish phrase, or the contents of another file
which has no indication of this being its function would be better
than a single password. Of course, the passwording and keying depends
on the value of the data being protected. I'm not likely to be very
fussy about the password to my computer's shared drive, because there
is nothing of value on there. It's purely there to stop any network
aware virii jumping on there without me knowing about it. On the other
hand, the firewall has a long, complicated password that I know and
change regularly. If that was broken, it could cause hassle for me and
other people in the house, and cause damage to expensive equipment
(although I do know how to reset the firewall by hand...)
>Secondly, the examples you cited have recognisable fragments of
>words in them - 'dries', 'prevent', 'editing', 'taxing' - surely a
>dictionary attack is going to find these passwords *easier* to
>break than a truly random string?
Possibly. But they aren't full words, and once the dictionary attack
has been tried, most hackers would then try phrases (words strung
together) or related data they have found (the address of the
building, perhaps). Searching for fragments is not really likely, and
not much better than random searching.
>As Kerckhoff's Law mentions[1], you can't rely on an algorithm to
>keep a code secret; it has to rely on the safety of the key.
Yes. You shouldn't use any algorithm to generate passwords. You should
ideally change your methods regularly if you are protecting sensitive
data. And you shouldn't restrict yourself with arbitrary rules:
"Wednesday's passwords will always be 7 characters long, whilst
Friday's ones will start with a vowel" just gives the cryptanalyst
extra starting points if they realise.
>The minor thoughts...
>
>Firstly, if you use a single algorithm to generate a password, then
>you are generating something with a *consistent* and repeated level
>of randomness. Anything that renders the output of the key
>according to a fixed routine is a weakness, even if not a major
>one.
Yep. That is bad...
>Secondly, if the dictionary used is purely text, it does not include
>any numbers or ASCII characters; thus cutting down the number of
>possible combinations in the password - and many of the common
>dictionary attacks pay little heed to non-alphanumeric characters.
>As has been said elsewhere, the best passwords look like line
>noise.
This one is the worse problem. Good passwords, should, if possible,
contain alphanumeric stuff, a few symbols, case sensitivity and so on.
Line noise may be going a bit far, but perfect encryption is
inditinguishable from noise, so aiming for it with passwords can't be
bad thing.
>Of course, there are some things to be said in defence of the above
>method. It's better than letting people choosing their own
>passwords *unless* they're trained at choosing good ones[2].
Daft fact: quite a lot of German cryptanalysts realised that sending
"HH" down ciphered channels with each day's messages was a bad idea.
It was only when the German military decided the ciphers they were
using were broken to some extent that they stopped sending this...
>The above frequency distribution is based on a couple of hundred
>letters. Most passwords aren't a twentieth of that length; and
>assembling a reasonable distribution would involve intercepting a
>fair number of session passwords. It's not easy, and there are
>generally other means of gaining entry to a box (buffer overflows,
>open ports, unset passwords, social engineering). But, given time,
>it should work.
The weak point in a lot of passwords is often the person who has to
type them in. You can have a perfect cipher, with a perfectly random
key and an expensive security system detecting all intrusions anywhere
near your data, but if the person you give the key writes it down and
loses it...
MP (IANAC, but I have done a number of university courses on
Cryptology, coding and related subjects...)
--
'"So we can't talk about hunting, sex, cards, or the Ploughman's
Arms. What are we going to talk about then? The weather?"'
- Family Bites, Lisa Williams
Visit http://www.falboroughhall.co.uk for more on Family Bites!
Eric Jarvis
> In article
> <Pine.SOL.4.44.03052...@green.csi.cam.ac.uk>,
> Peter Ellis <pj...@cam.ac.uk> wrote:
>
> > (Bonus question: Identify the song and win a pint)
>
> How will the pint be delivered?
>
by mouth...Peter understands at least that much biology
I'm sure
Peter Ellis
> Peter Ellis <pj...@cam.ac.uk> wrote:
>
>> (Bonus question: Identify the song and win a pint)
>
>How will the pint be delivered?
In person, at whatsoever meet, CCDE or Con we both attend, or (should same
prove impracticable within a reasonable time limit) by proxy to some
nominated second, who can then pass it on as appropriate, through however
many levels of indirection become necessary.
Peter
Richard Bos
> Gideon Hallett <diog...@freeuk.com> wrote in message news:<bb0moi$lt9$1...@library.lspace.org>...
> > Secondly, the examples you cited have recognisable fragments of
> > words in them - 'dries', 'prevent', 'editing', 'taxing' - surely a
> > dictionary attack is going to find these passwords *easier* to
> > break than a truly random string?
>
> No. The password encryption algorithm of choice these days is MD5,
> which works one way only[1].
I think you do not know what a dictionary attack is. You do not need to
decode the hashes - all you have to do is _encode_ the dictionary words
and see if a hash happens to match.
> Very occasionally the password generating
> algorithm will spit out a dictionary word, but obviously you wouldn't
> use that as a password.
And Gideon just said that your examples _do_ contain dictionary words.
Richard
Richard Bos
> > ...we regularly pass a couple of places on the Welsh/English border
> > which sound like they really belong in XXXX, these being "Ganerew" and
> > "Crockers Ash". Are there other "out of place" town names around that
> > seem to have been transported that people have spotted?
>
> Yup, New Zealand. We should be part of holland, not SE of Australia ;)
Since when is Zeeland part (rather than a separate province to the south
of) Holland?
And, of course, the same thing could be said of Tasmania, Van
Diemensland, New Amsterdam, and Holland, Michigan. It's kinda the point
of being a colony...
Richard
X Kyle M Thompson
> Are there other "out of place" town names around that
> seem to have been transported that people have spotted?
Budleigh Salterton, down in Devon near Sidmouth (UK).
Sounds to me like a load of people came down from Yorkshire and brought
their villiage name with them!
kt.
--
"It depends on the location - if a penguin were on a
branch in a nearby tree you could get very close"
Ernie Brookings on Penguins in "The Duplex Planet"
Lodestone
news:bb0o8o$nub$1...@library.lspace.org...
> Lodestone wrote:
> > "PeterH" <pete...@yahoo.co.uk> wrote in message
> > news:7729e40e.0305...@posting.google.com...
> >> searches through your computer's dictionary and spits out common
> >> letter combinations. You then randomly put them back together and
> >> voila! Passwords that you can actually say.
> >
> > I think...
> >
> >> teditingstrindee
> >
> > ...is the winner. With slight modification to "Teddington Strindee"
> > it could easily be a small English town :-D
>
I meant the winner for the aumesment factor, dear :-)
--
Lodestone
Love, Music, Wine and Revolution
http://www11.brinkster.com/lodestone/chocolatelightbulb.htm
Kegs
> For example, I tend to generate passwords by taking random stretches of
> song lyrics (and not usually English), and making an acrostic complete
> with relevant punctuation. Mixes alpha- and non-alpha characters, both
> cases, and buggers up any attack based on letter frequency, since the
> frequencies for letters at the *start* of words certainly doesn't match
> the frequencies for bulk text.
You can also use mnemonics, such as tmtowtdi or tanstaafl[1] to create
easy to remember but pretty robust passwords, especially if you add odd
capitalisation and substitute numbers for words, ie 4 for for and 1 for
one.
I have seen it suggested that an algorithm could be used for generating
admin passwords where more than one person needs privileged access,
theres an example in Essential System Administration, but that falls
down badly if someone knows what algorithm is used and either has
physical access to the box, or knows the relevant details[2].
[1] These are really bad examples, obviously.
[2] The algorith given used certain attributes of the box, such as
manufacturer, OS version and host name to give a password that was
pretty secure against more password cracking programs, but could be
easily worked out by someone sat in front of the box who know the
algorithm, so that failing to notify all admins of the new password
wasn't such a problem.
--
James
jamesk[at]beeb[dot]net
Everybody should believe in something: I believe I'll have another drink.
Jeremy C B Nicoll
Eric Jarvis <w...@ericjarvis.co.uk> wrote:
> how would the pronounceable passwords work if random letters had a
> "number substitution"?...one of the techniques I've encountered is
> taking words chosen by the user and then substituting "0" foe "o",
> "4" for "a" etc...
Main problem is that zero for "o", 1 for "i" or "l" etc is so common
that I'd imagine anyone trying a dictionary-like attack would routinely
try the common substitutes too.
MP
Bos) wrote:
>pete...@yahoo.co.uk (PeterH) wrote:
>
>> Gideon Hallett <diog...@freeuk.com> wrote in message news:<bb0moi$lt9$1...@library.lspace.org>...
>> > Secondly, the examples you cited have recognisable fragments of
>> > words in them - 'dries', 'prevent', 'editing', 'taxing' - surely a
>> > dictionary attack is going to find these passwords *easier* to
>> > break than a truly random string?
>>
>> No. The password encryption algorithm of choice these days is MD5,
>> which works one way only[1].
>
>I think you do not know what a dictionary attack is. You do not need to
>decode the hashes - all you have to do is _encode_ the dictionary words
>and see if a hash happens to match.
Yep. But the dictionary words won't match the hash, even if part of a
word is in there. The hash used should be quite unstable, so if you
change just a small part of the input, a large chunk of the output
changes.
>> Very occasionally the password generating
>> algorithm will spit out a dictionary word, but obviously you wouldn't
>> use that as a password.
>
>And Gideon just said that your examples _do_ contain dictionary words.
Doesn't matter. Just about any random string of letter will contain
parts of words: "ybgiohjbvcrcvionjklvfycyuv", for example (generated
by turning away from the keyboard and hitting it with a small stuffed
animal, then deleting all the non-alphabet characters, pop-up messages
from the program and so on), contains the common endings "ion", "fy",
"cy" and the common start "cr". The hash used should still be pretty
unintelligible.
The string above, when coded with MD5 gives:
898acc57f3ecd104a7b87ac684dd562c
Changing the last "v" to a "w" gives:
e2cb7bb3276972ed9fe512ef67be7394
The string "abcdefghijklmnopqrstuvwxyz" gives:
c3fcd3d76192e4007dfb496cca67e13b
Obviously, they are all different, but even changing just one letter
by 1 ASCII value changed the entire string.
The hash should be sufficient to scramble all traces of dictionary
words, and since the words are not complete, they should be secure,
providing a good hash has been used. If, by some chance, the algorithm
Peter found did produce a known word, then you'd hope that the user
would spot this, but this would be part of the user training for the
system and not a weakness with the passwords themselves.
MP
Suzi
alt.fan.pratchett, X Kyle M Thompson <ne...@buggrit.co.uk> wibbled...
> Suzi wrote:
> > Are there other "out of place" town names around that
> > seem to have been transported that people have spotted?
>
> Budleigh Salterton, down in Devon near Sidmouth (UK).
I'm going there next week. I'd've described it as near Exmouth, but each
to their own :-)
> Sounds to me like a load of people came down from Yorkshire and brought
> their villiage name with them!
I quite like driving to the parents and passing "Buckland"
Suzi
Matt
> On Wed, 28 May 2003, Murk wrote:
>>
>> Generally I use the rule of thumb that says if you can remember
>> your password in a simpler fashion than remembering the password
>> itself, then chances are it's a bad one (i.e. it has redundancy).
>
> Useful rule of thumb, but breaks somewhat when you consider that
> what a human brain may find "simple" doesn't necessarily correspond
> to computational simplicity.
I tend to generate passowords in 1337, always easy to remember, very,
very difficult to crack.
Something that's still memorable.
p455w0rd
--
Matt
Kegs
> I tend to generate passowords in 1337, always easy to remember, very,
> very difficult to crack.
>
> Something that's still memorable.
>
> p455w0rd
unfortunately most easily available password cracking libs will not
only laugh heartily at leet-speaked passwords before going through them
like a dose of salts, but they will also cope with most simple
transpositions[1] as well.
[1] like moving one key to the right or diagonally
--
James
jamesk[at]beeb[dot]net
For 20 dollars, I'll give you a good tagline next time ...
war...@affordable-afpers.co.uk
says...
> Jeremy C B Nicoll <Jer...@omba.demon.co.uk> wrote:
>
> > Better is a generating passwords as something like:
> >
> > <consonant><vowel><consonant><vowel><consonant><digit><digit><digit>
> >
> > It's always fairly pronounceable and it isn't ever actually a word.
>
> money123 would be got by a dictionary attack.
>
> The point is a valid one, I just couldn't leave people thinking that any
> single algorithm is a good one.
>
> password in a simpler fashion than remembering the password itself, then
> chances are it's a bad one (i.e. it has redundancy).
I dunno. As the password has changed now for the company I'll refer to
and has acquired an equally nasty password I can let this one out of the
bag.
One of my clients had a company name of Whistler (and they've changed
that too). When the developers got a bit handya and started playing on
the network with the "known by every bugger" root passwords and broke
some stuff badly, we implemented a new password for root along with all
the other security stuff done.
!James8Abbott7McNeil!
Was it for a while. You could reconstruct the password with knowledge
and guesswork and it'd help if you had been told the thinking behind it.
Having seen the password I don't expect it'll take anyone more than 5
minutes of google time to work it out. I'm not going to tell the current
name of the company, the nasty things I came up with to replace the
password. I *can't* recall the current one and *have* to construct it
when I need to so I doubt it'd be open to a dictionary attack.
Warwick
Andrew Gray
affordable-afpers.co.uk wrote:
>
> Having seen the password I don't expect it'll take anyone more than 5
> minutes of google time to work it out. I'm not going to tell the current
> name of the company, the nasty things I came up with to replace the
> password. I *can't* recall the current one and *have* to construct it
> when I need to so I doubt it'd be open to a dictionary attack.
Sometime last year, I heard tell of possibly my favourite one yet (I
believe now no longer in use, by whoever was using it anyway):
<bra|ket>
I was greatly amused :-)
--
-Andrew Gray
shim...@bigfoot.com
Mary Kay, Librarian
news:MPG.193e099b8...@nntp.netcomuk.co.uk...
> ...we regularly pass a couple of places on the Welsh/English border
> which sound like they really belong in XXXX, these being "Ganerew" and
> seem to have been transported that people have spotted?
Well, in Conception Bay, Newfoundland, there's Dildo and Dildo Run.
Apparently, there's a rubber factory at one of the places :)
There's a story (and it's so old, I can't remember where I heard it or if
it's actually true) about a town in Northern Ontario that changed its name
to Dire Straights. It had something to do with taxation, and the only
people who would be exempt from the tax were those who lived in dire
straights. (I don't think it stuck, though)
And near my cousins' in rural Nova Scotia, there's a Round Tuit Road [1].
I've always wanted to steal the sign, but I'm too law-abiding.
[1] You know how you tell someone you'll do <fitb> when you get around to
it? Get it? Round Tuit?
MK :)
Orjan Westin
news:bb3qce$5ekh3$1...@ID-186609.news.dfncis.de...
> Well, in Conception Bay, Newfoundland, there's Dildo and Dildo Run.
> Apparently, there's a rubber factory at one of the places :)
Is that an American, British, or generic name of material rubber?
Orjan
Lodestone
--
Lodestone
Love, Music, Wine and Revolution
http://www11.brinkster.com/lodestone/chocolatelightbulb.htm
"Orjan Westin" <nos...@cunobaros.demon.co.uk> wrote in message
news:bb4j5i$5n2vh$1...@ID-90122.news.dfncis.de...
Er... no.
A dildo is an... Intimate toy, lady's pleasure (generally), for the use of.
--
Lodders
PeterH
> pete...@yahoo.co.uk (PeterH) wrote:
[schnip]
>
> > Very occasionally the password generating
> > algorithm will spit out a dictionary word, but obviously you wouldn't
> > use that as a password.
>
> And Gideon just said that your examples _do_ contain dictionary words.
My mistake - I should have said that the algorithm will very
occasionally spit out a password which is, in its entirety, a word
from the dictionary.
--
PeterH
www.blurty.com/users/peterhjr
Brian Howlett
[...not sure who wrote this bit...]
>> Is that an American, British, or generic name of material rubber?
>
> Er... no.
>
> A dildo is an... Intimate toy, lady's pleasure (generally), for the
> use of.
>
Lodestone------------------------------------------------------------->.
In Merkia, "rubber" = "condom", in UKia, "rubber" = "eraser", in
Generia, "rubber" = "rubber"...
--
Brian Howlett - reply-to address IS genuine - just an experiment...
------------------------------------------------------------------------
"A man with a briefcase can steal more money than any man with a gun"...
- Don Henley
Orjan Westin
news:bb4m8h$6sd$1...@newsg2.svr.pol.co.uk...
> "Orjan Westin" <nos...@cunobaros.demon.co.uk> wrote in message
> news:bb4j5i$5n2vh$1...@ID-90122.news.dfncis.de...
> > "Mary Kay, Librarian" <rlar...@niagararc.com> wrote in message
> > news:bb3qce$5ekh3$1...@ID-186609.news.dfncis.de...
> >
> > > Well, in Conception Bay, Newfoundland, there's Dildo and Dildo Run.
> > > Apparently, there's a rubber factory at one of the places :)
> >
> > Is that an American, British, or generic name of material rubber?
>
> Er... no.
>
> A dildo is an... Intimate toy, lady's pleasure (generally), for the use
of.
Granted. But is the rubber factory producing
Am. rubbers = condoms
Br. rubbers = pencil eraser
Things, like dildos although they're usually made of latex or "jelly" these
days, made out of the material known as rubber?
This will affect the humorous value of the observation.
I bet I've confused the American and British meaning though. If so, I'm
hardly the first.
Orjan
Lodestone
news:b4bb24fa...@btinternet.com...
> On 29 May, "Lodestone" <lode...@microsoft.com> wrote:
>
> [...not sure who wrote this bit...]
> >> Is that an American, British, or generic name of material rubber?
> >
> > Er... no.
> >
> > A dildo is an... Intimate toy, lady's pleasure (generally), for the
> > use of.
> >
> Lodestone------------------------------------------------------------->.
>
> In Merkia, "rubber" = "condom", in UKia, "rubber" = "eraser", in
> Generia, "rubber" = "rubber"...
Oh, *that's* what she was asking. Er. Blast. I've made an arse of myself.
*runs away*
Orjan Westin
> "Brian Howlett" <Brian_...@btinternet.com> wrote in message
> news:b4bb24fa...@btinternet.com...
> > On 29 May, "Lodestone" <lode...@microsoft.com> wrote:
> >
> > [...not sure who wrote this bit...]
Orjan. Which you had attributed in you original message. Don't you keep
copies of your wit for posterity, in case Google is taken over by Al-Qaida?
> Oh, *that's* what she was asking.
She? You know Orjan, who's also thinly disguised as Westala, the tall,
bearded, swordwielding North/man/?
> Er. Blast. I've made an arse of myself.
Twice.
> *runs away*
Run as much as you want, boy. You're on an island, and I will find you.
Until then, I suggest you live in terror.<eg>
Orjan
Lodestone
> "Lodestone" <lode...@microsoft.com> wrote in message
> news:bb5485$pho$1...@newsg1.svr.pol.co.uk...
> > "Brian Howlett" <Brian_...@btinternet.com> wrote in message
> > news:b4bb24fa...@btinternet.com...
> > > On 29 May, "Lodestone" <lode...@microsoft.com> wrote:
> > >
> > > [...not sure who wrote this bit...]
>
> Orjan. Which you had attributed in you original message. Don't you keep
> copies of your wit for posterity, in case Google is taken over by
Al-Qaida?
>
> > Oh, *that's* what she was asking.
>
> She? You know Orjan, who's also thinly disguised as Westala, the tall,
> bearded, swordwielding North/man/?
That's the second time I've misgendered an AFPer. *grovels*
> > Er. Blast. I've made an arse of myself.
>
> Twice.
Well, rather more than that, if we examine past events. I think I shall just
have to reisng myself to arsehood.
> > *runs away*
>
> Run as much as you want, boy. You're on an island, and I will find you.
> Until then, I suggest you live in terror.<eg>
*cowers*
Torak
Actually, the late master of my college, who died at Christmas, wrote the
Cambridge University Press (or maybe Oxford, but I think it was Cam)
Dictionary Of English Placenames, to be published this spring. Written by
Victor Watts, might interest you guys.
Sanity
"Lodestone" <lode...@microsoft.com> wrote, quoting Miss Orjan:
> > Until then, I suggest you live in terror.<eg>
>
> *cowers*
I think this is a job for....
SuperSanity!
TTFN,
Michel AKA Sanity
--
"Sanity shall make ye -ing fret": | "A cat has 40 million hairs: 5
www.affordable-prawns.co.uk | million on its back, 10 million on
www.affordable-hedgehogs.co.uk | its belly, and 25 million on your
Check the AFPChess Tournament! | couch." --Midas Dekkers
Sylvain Chambon
> SuperSanity!
Being so sane as to reach madness from the other end, is it?
Or maybe something akin to being knurd -- being so sane one sees the
world as it really is rather than through our normal layers of
disillusion?
...
Nah, I'll pass, and take plain old sub-sanity any day.
Sylvain.
Dom
>On 29 May, "Lodestone" <lode...@microsoft.com> wrote:
>
>[...not sure who wrote this bit...]
>>> Is that an American, British, or generic name of material rubber?
>>
>> Er... no.
>>
>> A dildo is an... Intimate toy, lady's pleasure (generally), for the
>> use of.
>>
>Lodestone------------------------------------------------------------->.
>
>In Merkia, "rubber" = "condom", in UKia, "rubber" = "eraser", in
>Generia, "rubber" = "rubber"...
Yep. In Merkia a 'rubber' prevents mistakes before the happen,
whereas in Yuckia it corrects them afterwards;-)
(I'll just get my English Overcoat)
--
Dom
afpSlave to CCA
Thomas Hamann
and, after some blank staring at the equally blank sky, thought:
>"Matt" <mattbl...@hotmail.com> writes:
>
>> I tend to generate passowords in 1337, always easy to remember, very,
>> very difficult to crack.
>>
>> Something that's still memorable.
>>
>> p455w0rd
>
>unfortunately most easily available password cracking libs will not
>only laugh heartily at leet-speaked passwords before going through them
>like a dose of salts, but they will also cope with most simple
>transpositions[1] as well.
>
>[1] like moving one key to the right or diagonally
I think I once took my birth date (Yuropean date format, not those
weirdo US formats that most people seem to think of first), reversed
the order of the birth date part by part, and then wrote it out as a
string of numbers.
I suppose I could have leet-speaked it, inverse-numbered it, and
swapped some stuff around.
Thomas Hamann
--
Personal Website: http://evilskylark.tripod.com/
Rec.Arts.Anime.Models Posting Policies: http://evilskylark.tripod.com/faqs.htm
"...you ain't no different than Ben Laden..." - The emminent Dr. J ranting about me on alt.toys.transformers.
Maaike
<nos...@cunobaros.demon.co.uk> wrote:
[Dildo]
>Granted. But is the rubber factory producing
>Am. rubbers = condoms
>Br. rubbers = pencil eraser
>Things, like dildos although they're usually made of latex or "jelly" these
>days, made out of the material known as rubber?
>
>This will affect the humorous value of the observation.
Unfortunately for the joke, I have never noticed a rubber factory on
the (admittedly few) occasions I have passed through the place. (A
b&b, yes, which apparently does a roaring business with tourists with
silly senses of humour, but no rubber factory.)
-Maaike
Steve James
> Jeremy C B Nicoll <Jer...@omba.demon.co.uk> wrote:
>
> > Better is a generating passwords as something like:
> >
> > <consonant><vowel><consonant><vowel><consonant><digit><digit><digit>
> >
> > It's always fairly pronounceable and it isn't ever actually a word.
>
> money123 would be got by a dictionary attack.
>
> The point is a valid one, I just couldn't leave people thinking that any
> single algorithm is a good one.
>
> Generally I use the rule of thumb that says if you can remember your
> password in a simpler fashion than remembering the password itself, then
> chances are it's a bad one (i.e. it has redundancy).
>
When our company moved from local networks to a global one we had to ensure that
everyone would use secure passwords. I had the job of setting up the scheme and
then training the trainers to teach "How to create and remember a secure password"
Our passwords Must be changed every month and you cannot reuse a password
within the previous 12 months - it must be at least 8 character and contain at least
one capital, one lower case and one numerical digit. For better security a symbol, such
as comma, colon, etc should be included.
A few techniques I came up with [after extensive research 8)]
1. Find a saying you can remember and use the first letter of each word
TAMAHER (The Amazing Maurice ...)
TBONTOTITQ (To Be or Not To Be ...)
2. Decide how you will capitalise the 'word'
Tamaher or tamaheR
Tbontbtitq or tbontbtitQ
3. Decide on a digit (I = 1, O = 0, A = 4, etc) and how to apply it
T4m4her or t4maheR
Tb0ntbt1tq or tb0ntbtitQ
Finally add a symbol if appropriate
Tb0^tbt1tq or tbOntbt:tQ
From this you can write down a prompt
Terry P and the Pied Piper
Hamlet's Soliloquy
We used to run regular scans of user passwords and was surprised just how basic some were.
We would e-mail those we cracked that they would have to change their passwords, and then
force them to do so.
In one case the password of the tech support manager was repeatedly a girl's name. I challenged
him that they wee his wife and children's names only to discover they were not. He used the
most recent masseuse he had used!
Steve (Steeljam) *BF DAcFD (UU) *
Resident Opsimath in Redivivus Studies
Steve James
To bring the Australians in to the discussion "How about Durex"
Getting this wrong could be very painful.
If an American goes out in vest and pants no one notices
If an Englishman goes out in vest and pants he is a jogger or is arrested.
Andrew Gray
James wrote:
> To bring the Australians in to the discussion "How about Durex"
> Getting this wrong could be very painful.
It's only painful one way, but bloody ineffective either way...
--
-Andrew Gray
shim...@bigfoot.com
Lady Kayla
> In article <memo.20030530...@steeljam.compulink.co.uk>, Steve
> James wrote:
>> To bring the Australians in to the discussion "How about Durex"
>> Getting this wrong could be very painful.
> It's only painful one way, but bloody ineffective either way...
I'd suggest that it would be painful both ways... but that the
recipient of the pain would vary.
--
Lady Kayla http://designs.ladykayla.org/
"Does anybody else think that W2K actually is doing what Y2K only
dreamed of?" - Larry Sheldon on nanog
Bruce Murphy
> When our company moved from local networks to a global one we had to
> ensure that everyone would use secure passwords. I had the job of
> setting up the scheme and then training the trainers to teach "How
> to create and remember a secure password" Our passwords Must be
> changed every month and you cannot reuse a password within the
> previous 12 months - it must be at least 8 character and contain at
> least one capital, one lower case and one numerical digit. For
> better security a symbol, such as comma, colon, etc should be
> included.
Unfortunately, this sort of thing generally leads to *less* secure
passwords. Forcing people to change passwords very regularly with
very draconian rules tends to get passwords like
"Biscuit1" "Biscuit2" etc.
B>
Mary Kay, Librarian
"Orjan Westin" <nos...@cunobaros.demon.co.uk> wrote in message
news:bb4j5i$5n2vh$1...@ID-90122.news.dfncis.de...
Oh - the generic type of rubber. I think it's a tire (or tyre, for the
Rightpondians) factory, but it causes much more hilarity if you don't
specify which type of rubber ;)
MK :)
Mary Kay, Librarian
news:knmcq8tc73qu2tvvm...@4ax.com...
I'm not sure if it's in Dildo proper, but it's in the general area of the
place. I can't picture the area on the map very well, but there was
another place near by that it could have been in.
MK :)
(This reply may be hilariously misinterpreted as anyone sees fit :)
Aquarion
I refer you all to the Arrogant Worms song: "Spend a night in Dildo"
(Listen to the song, by preference, but in case you can't:
http://www.geocities.com/super_dude.geo/album2.htm#2-8
--
Aquarion, http://www.aquarionics.com, aqua...@suespammers.org
"Chain of command is the backbone of
military structure and must be strictly
obeyed" -F. Christian
Andrew Gray
Kayla wrote:
>
>> It's only painful one way, but bloody ineffective either way...
>
> I'd suggest that it would be painful both ways... but that the
> recipient of the pain would vary.
I meant "one item confused with the other" as opposed to "one way round
confused with the other"... um... yes, that way, it could be painful
despite facing...
(I mean, using the UK term where the AU term is called for wouldn't
hurt, it just wouldn't do anything useful... <g>)
--
-Andrew Gray
shim...@bigfoot.com
Orjan Westin
news:cu1wug8...@nokia.com...
> "Orjan Westin" <nos...@cunobaros.demon.co.uk> writes:
>
> > Is that an American, British, or generic name of material rubber?
>
> when he asked "has someone pinched my rubber?"
I met an American woman who's married to an Englishman, and the first time
she met his parents and aunts, she apologised before she sat down, fumbling
under he long jumper and saying saying "I've just got to adjust my fanny
pack".
Orjan
Bruce Murphy
> Bruce Murphy <pack...@rattus.net> writes:
>
> > Unfortunately, this sort of thing generally leads to *less* secure
> > passwords. Forcing people to change passwords very regularly with
> > very draconian rules tends to get passwords like
> >
> > "Biscuit1" "Biscuit2" etc.
>
> A common occurence of such wierd rules is that people write down the
> passwords and put them in their desk drawers or taped underneath
> their keyboards. Having to change paswords more than once a year
> is absurd.
It depends on what's being done. If it's critically important and has
to be done by ordinary non-tech users then passwords really aren't the
way to go.
B>
Matt
> "Matt" <mattbl...@hotmail.com> writes:
>
>> I tend to generate passowords in 1337, always easy to remember,
>> very, very difficult to crack.
>>
>> Something that's still memorable.
>>
>> p455w0rd
>
> unfortunately most easily available password cracking libs will not
> only laugh heartily at leet-speaked passwords before going through
> them like a dose of salts, but they will also cope with most simple
> transpositions[1] as well.
>
> [1] like moving one key to the right or diagonally
Ouch!
Could they cope with missing letters? Like typing ^H to delete a
letter, which means the password is still memorable? I expect so.
What *can't* they cope with? I'll go and read some more of the thread
first to answer that.
--
Matt
Sanity
wrote:
> Bruce Murphy <pack...@rattus.net> writes:
>
> > Unfortunately, this sort of thing generally leads to *less* secure
> > passwords. Forcing people to change passwords very regularly with
> > very draconian rules tends to get passwords like
> >
> > "Biscuit1" "Biscuit2" etc.
>
> A common occurence of such wierd rules is that people write down the
> passwords and put them in their desk drawers or taped underneath
> their keyboards.
But oh so easy if for some reason I need to login as someone else at
work. All you need to remember is the name of their
partner/kids/dog/cat/other pet. The real challenge is when they have
all... ;-)
> Having to change paswords more than once a year
> is absurd.
That depends on the circumstances. At my work, you need to be in the
building and know the people. Even then there might be unexpected
numbers in the password. For my own server, which is connected to the
big bad internet, I try to choose secure passwords for myself.
Steve James
I argued against the change rule but the Risk Department demanded it.
95% of the users didn't really do jobs that required such security.
The other annoying thing was that 14 days before the password change
was required you got a "Your password requires changing in xx days -
do you want to change it now" appearing every time you logged on.
It didn't take me long to find the registry entry so I got it the day before
only.
Maaike
<aqua...@suespammers.org> wrote:
>In article <bb6i9j$6a9q8$1...@ID-186609.news.dfncis.de>, Mary Kay, Librarian wrote:
[Dildo rubber factory]
>> I'm not sure if it's in Dildo proper, but it's in the general area of the
>> place. I can't picture the area on the map very well, but there was
>> another place near by that it could have been in.
I've asked the boyfriend[1], but he can't think of anything likely. He
has a friend who lives five minutes from the place, though; we're
going out the bay soon, so I'll ask him and report back.
>I refer you all to the Arrogant Worms song: "Spend a night in Dildo"
>(Listen to the song, by preference, but in case you can't:
>http://www.geocities.com/super_dude.geo/album2.htm#2-8
Right, these people are transcribing unfamiliar names and are bound to
make a few mistakes in the process (Quidi Vidi -> Kittybitty, for
one), but does anyone have any clue WTF "Wophen Harbour" is supposed
to be? Kyle?
-Maaike
[1] From Bay Roberts! Near, but *not*, I want to make this perfectly
clear, *not* in Dildo![2]
[2] He wants it known, as long as the conversation is drifting around
risque place-names, that near Dildo one can find the less-famous, but
funnier, town of Dildo Head.
David McCoy
> "Orjan Westin" <nos...@cunobaros.demon.co.uk> wrote in message
> news:bb559r$5u12f$1...@ID-90122.news.dfncis.de...
> > "Lodestone" <lode...@microsoft.com> wrote in message
> > news:bb5485$pho$1...@newsg1.svr.pol.co.uk...
> > > "Brian Howlett" <Brian_...@btinternet.com> wrote in message
> > > news:b4bb24fa...@btinternet.com...
> > > > On 29 May, "Lodestone" <lode...@microsoft.com> wrote:
<snip>
> Well, rather more than that, if we examine past events. I think I shall
just
> have to reisng myself to arsehood.
>
which shows you are a reasonable human being.
Spider Robinsons Law* : Everybody is an asshole. The world divides into two
groups, those who recognise this quality in themselves and others, and those
who don't, thereby compounding their assholeness. Ok that's a paraphrase but
hopefully you get the idea.
*unashamed plug for another author. Spider Robinson - LifeHouse, Baen Books
ISBN 0-671-87777-1. Read it, hell read any of his books.
David
--
Is it possible to be an arsehole when you have an ileostomy? :)
Dragon Prince
stee...@cix.co.uk says...
>
> If an American goes out in vest and pants no one notices
> If an Englishman goes out in vest and pants he is a jogger or is arrested.
or possibly listening to PWEI...
--
'Sfar as I know, just as a motion to adjourn is always in order,
discussions of chocolate are always on topic ;-).
Elizabeth ABT-H
Mary Kay, Librarian
> > Run as much as you want, boy. You're on an island, and I will find
you.
> > Until then, I suggest you live in terror.<eg>
>
> *cowers*
*sigh* Mr. Westin, are you scaring the children again?
MK :)
Richard Bos
> On Wed, 28 May 2003 14:24:16 GMT, r...@hoekstra-uitgeverij.nl (Richard
> Bos) wrote:
>
> >pete...@yahoo.co.uk (PeterH) wrote:
> >
> >> Gideon Hallett <diog...@freeuk.com> wrote in message news:<bb0moi$lt9$1...@library.lspace.org>...
> >> > Secondly, the examples you cited have recognisable fragments of
> >> > words in them - 'dries', 'prevent', 'editing', 'taxing' - surely a
> >> > dictionary attack is going to find these passwords *easier* to
> >> > break than a truly random string?
> >>
> >> No. The password encryption algorithm of choice these days is MD5,
> >> which works one way only[1].
> >
> >I think you do not know what a dictionary attack is. You do not need to
> >decode the hashes - all you have to do is _encode_ the dictionary words
> >and see if a hash happens to match.
>
> Yep. But the dictionary words won't match the hash, even if part of a
> word is in there. The hash used should be quite unstable, so if you
> change just a small part of the input, a large chunk of the output
> changes.
Of course. However, if you know that the password is likely to contain
natural words, it's much easier to generate attempted passwords than if
you know you're going to have to run the whole gamut from !!!!!!!!
through Bh7k3^&p to ~~~~~~~~.
_Any_ suspected presence of dictionary words, even if accompanied by
random characters, is going to reduce the attack time greatly. The only
way in which an algorithm which generates p@ssw0rd is going to be truly
safe is if it also generates y6:0d!?Q, and with the same probability.
This does not mean, of course, that this password generation algorithm
may not be useful for many practical purposes. It probably is, because
hardly anybody needs NSA-strength encryption. But it _is_ something
every user must be aware of.
Richard
Axel Kielhorn
> But oh so easy if for some reason I need to login as someone else at
> work. All you need to remember is the name of their
> partner/kids/dog/cat/other pet. The real challenge is when they have
> all... ;-)
"Do you have a new girlfriend?"
"Yes, how do you know?"
"You changed your password."
Axel
--
I'm doing this for your own damn good
You'll make up for what I blew
What's the problem ... Why are you crying
"Perfect" by Alanis Morissette
PussInSpooks
>Unfortunately, this sort of thing generally leads to *less* secure
>passwords. Forcing people to change passwords very regularly with
>very draconian rules tends to get passwords like
>
>"Biscuit1" "Biscuit2" etc.
Indeed.... the setup for our computers at work requires a new password every
few months, unfortunately it will let you enter your existing password as the
new one.
Rhiannon S
>From: pussin...@aol.com (PussInSpooks)
>Date: 03/06/2003 19:30 GMT Daylight Time
>Message-id: <20030603143054...@mb-m10.aol.com>
>
>>From: Bruce Murphy pack-news
>
>>Unfortunately, this sort of thing generally leads to *less* secure
>>passwords. Forcing people to change passwords very regularly with
>>very draconian rules tends to get passwords like
>>
>>"Biscuit1" "Biscuit2" etc.
>
>Indeed.... the setup for our computers at work requires a new password every
>few months,
My work is much the same, we change our access password every month. However
our manager got complaints from the tech desk that some people were using
'innapropriate' words as passwords [companyname]aresh*t and so on. So now by
company rules we still change our password every month, but the formula is
"password" "Password1" "Password2" "Password3" and then reset it again at
"password". Anyone else think Dilbert is really a documentary?
****************************
Rhiannon
http://www.members.aol.com/mddestiny/entrypage.html
ClipclopclipclopBANGBANGclipclopclip
-- Amish driveby shooting
jester
<mdde...@aol.comlemon> wrote:
>
>My work is much the same, we change our access password every month. However
>our manager got complaints from the tech desk that some people were using
>'innapropriate' words as passwords [companyname]aresh*t and so on.
My immediate question would be "How do they know?"
>So now by company rules we still change our password every month, but the
>formula is "password" "Password1" "Password2" "Password3" and then reset
>it again at "password". Anyone else think Dilbert is really a documentary?
We've known that for a long time.
What exactly do they think the point of a password is?
--
Andy Brown
Command, n.:
Statement presented by a human and accepted by a computer in
such a manner as to make the human feel as if he is in control.
Thomas Hamann
staring at the equally blank sky, thought:
>What exactly do they think the point of a password is?
>
enter some stupid letters at a moment this should not be needed. They
are clearly some sort of intentional bug and the retarded programmer
who puts them in should be fired immediately.
Jeremy C B Nicoll
Darin Johnson <da...@usa.net> wrote:
> mdde...@aol.comlemon (Rhiannon S) writes:
> > My work is much the same, we change our access password every
> > month. However our manager got complaints from the tech desk that
> > some people were using 'innapropriate' words as passwords
> > [companyname]aresh*t and so on.
> That's the quickest way to find out if your system is secure. If the
> admins complain about the content of passwords it means that (1)
> the passwords are not encrypted, and (2) the admins have no qualms
> about peeking.
Not necessarily; the people who set these stupid passwords might be
telling the admins what they are when they want problems fixed.
As to stupid values, why don't all systems have code that validates new
password values and rejects ones with company name, weekdays, variants
on the person's name, prior values etc? It's not rocket science.
--
Jeremy C B Nicoll - my opinions are my own.
SteveL
so that I can read them out to users down the phone. If you only allow
numbers, people don't write silly messages.
"Rhiannon S" <mdde...@aol.comlemon> wrote in message
news:20030604111023...@mb-m02.aol.com...
Len Oil
> Not necessarily; the people who set these stupid passwords might be
> telling the admins what they are when they want problems fixed.
As a corollary, it was policy at one point in our support department that
if someone forgot their password, it would be reset (with the requirement
to be changed on next login) to something like "sillyidot" (never outright
offensive, but you get the idea). the practice only died out when some of
the newer employees didn't get the joke...
--
AFP Code 2.0: AC$/>M-UK d@(--) s:+>- a- UP+ R+++ F++ h- P3x= OSD+:-- ?C M--
L pp--- I->** W+ c@ B+ Cn::::+ CC- PT+>+++ Pu* 5+>++ X-- MT++ eV+(++-) r*
y+ end
Nigel Stapley
"Len Oil" <len...@lenoil.demon.co.uk> wrote in message
news:bfpj0j$lei$1$8300...@news.demon.co.uk...
> "Jeremy C B Nicoll" <Jer...@omba.demon.co.uk> wrote:
> > Not necessarily; the people who set these stupid passwords might be
> > telling the admins what they are when they want problems fixed.
>
> As a corollary, it was policy at one point in our support department that
> if someone forgot their password, it would be reset (with the requirement
> to be changed on next login) to something like "sillyidot" (never outright
> offensive, but you get the idea). the practice only died out when some of
> the newer employees didn't get the joke...
One of my colleagues recently had to change his (after I had had to change
it for him).
One of the three alternatives he was presented with on logging back in was
"gay-hob-nob"
That really took the biscuit.
My coat? Too warm for that, I'll find my own way out thanks.....
Regards,
Nigel Stapley
Dom
>"Jeremy C B Nicoll" <Jer...@omba.demon.co.uk> wrote:
>> Not necessarily; the people who set these stupid passwords might be
>> telling the admins what they are when they want problems fixed.
>
>As a corollary, it was policy at one point in our support department that
>if someone forgot their password, it would be reset (with the requirement
>to be changed on next login) to something like "sillyidot" (never outright
>offensive, but you get the idea). the practice only died out when some of
>the newer employees didn't get the joke...
One place where I used to work, we had to deal with people who forgot
their passwords (usually after they'd changed them on a Friday afternoon
after a session down the social club).
They were innocent times. User would ring up and say "Forget my password".
We'd look it up and tell them what it was.[1]
Once, the first day back at work after the festive season, someone rang
me and asked.
I looked it up.
It was "W A N K E R".
I told him that I couldn't find out what it was, but I could reset it for
him.
Afterwards the whole team collapsed laughing.
[1] This was changed many years later, so the admin screen didn't show
the password[2].
[2] But I did set up a backdoor, so if I forgot my own password I could
find it out without the rest of the team knowing.
--
Dom
afpSlave to CCA
Len Oil
> to be changed on next login) to something like "sillyidot" (never
outright
An [I]-tag went astray the other day, as well.
Is there a conspiracy?
Is it the Auditors?
Am I just getting sloppy at typing?
To find out, tune in next week. Same Bat-time, same Bat-channel!
(uh-oh, thin watches approaching... <ahem>)
Robert Carnegie
<len...@lenoil.demon.co.uk> writes
>"Len Oil" <len...@lenoil.demon.co.uk> wrote:
>> to be changed on next login) to something like "sillyidot" (never
>outright
> There was supposed to be an "i" inserted just here ^, of course.
>
>An [I]-tag went astray the other day, as well.
>
>Is there a conspiracy?
>Is it the Auditors?
>Am I just getting sloppy at typing?
O pehaps you keyboad has a poblem with one of the lettes. Tht
kind of nnoynce may be intemittent; t times it woks nd at othe
times it fails to wok. I've killed a couple of keybod spacebas in my
time, nyway - nd as payback have lso gadully wecked both hnds.
Seiously. I hve to wea wist splints now. Do youself a favou, go
egonomic /befoe/ it stats to hut, take it fom me tht's too lte. But t
lest I still /have/ hnds, I know thee ae people wose off...
If Ptey is about t the moment then with his polific poduction I won't
be supised if he's wecked a few keybods s well. I hope his wists
are ll ight.
Btw, I stongly ecommend tht you eplace you keyboad as soon as it
stats to misbehve - continuing to westle with the ecalcitant intefce
will seiously add to the stess on your hnds and wists. Idelly, test-
dive the eplacement befoe you hnd ove you csh. I hve a Mic*osoft
Natu*al keyboad here which is about as good as I cn get - the
touble is I should hve been using it fo the last ten yeas - and,
of couse, I'm only petending: thee isn't eally anything
wrrrrrrrrrrrrrrrongrrrrrwithrrrrit :-) (Well, not et, anwa...)
Ahem. As for passwords, SCO UNIX theoretically lets no one,
even administrator, find out what the password was, except by
presenting the password, or by a serious cracking attempt. But
the admin can do the set-it thing and the must-change-next-time
thing. I was intrigued that a password couldn't be set to "moscow"
- part of the ban on export to Soviet Bloc countries? (I met UNIX in
1991, 2?) - but then I figured it out...
>To find out, tune in next week. Same Bat-time, same Bat-channel!
>
>(uh-oh, thin watches approaching... <ahem>)
>
>--
>AFP Code 2.0: AC$/>M-UK d@(--) s:+>- a- UP+ R+++ F++ h- P3x=
>OSD+:-- ?C M--
>L pp--- I->** W+ c@ B+ Cn::::+ CC- PT+>+++ Pu* 5+>++ X-- MT++
>eV+(++-) r*
>y+ end
>
>
Robert Carnegie at home, rja.ca...@excite.com at large
--
"Christopher Benjamin: Stirling. On Broadway he played Dogberry in
'Much Ado'. His Bottom has been seen in Regent's Park."
- Cast note in theatre programme for _The Clandestine Marriage_