gabriel rosenkoetter on Wed, 5 Sep 2001 17:20:10 +0200
On Tue, Sep 04, 2001 at 01:42:43PM -0400, Dave Turner wrote:
> It's also trivial to do this - just load up an array of 17576 1s and 0s.

Why don't you do that and get back to me with some time trials? Changing a password needs to take less than a minute. Which, imho, is the real reason not to do this partial word checking. (The issue here is *not* how long the processing takes, but how long the disk access takes.)

At any rate, if we're just going to be ranting about security, passwords should never be accepted for remote login to begin with. They should, rather, only be allowed on known-secure terminals. We know, and have known for quite a while, that password authentication is inherently flawed, as it relies on one token which must traverse the data stream. Private/public key authentication isn't perfect, nor is Kerberos, nor are single-use password systems like S/Key, but they're all better than regular passwords.

If you really feel like getting paranoid, how many other people's computers have you used to connect to your machines? Did you even consider key-grabbers? TCP hijacking? How 'bout using your laptop in public places? Van Eck phreaking does work, ya know...

I guess my point is that it's a little piddling to be whinging about a pretty minor policy issue in a system where there are more important (and scarier) failings.

> What about email systems, etc. Someone (forget who) reported very strict
> limits on passwords based on single signon systems which had to interoperate
> with legacy email, file server, etc systems.

Special cases make pretty poor support for a generalized "checking for word fragments reduces security" statement. And you sure have a lot of unplaceable hearsay as backup here.

Since you're using Linux's /usr/dict/words, I figured it was a pretty safe assumption you were dealing with Linux. In any OS with an 8-bit clean set of characters, what I said goes.

I'm not too sure what you mean to imply by "legacy email, file server, etc systems", but I really can't think of anything newer (in design, not necessarily in manufacture) than a PDP-11 (which, admittedly, are still in use) which has this kind of limitation. Even so, these kinds of machines are not in *general* use, but are kept around for some specific application which has not yet been ported to a newer operating system. They're almost definitely NOT the place where a crazy sophisticated password checker would live.

> Sorry to moderators for making you manually approve this, I am too busy right
> now to fix my broken email system (and anyway, yours is broken because it
> looks at Sender rather than From)

Give me a break. The reason that is the way it is is precisely so unsubscribed parties can't post on the list. This is a totally reasonable policy on this kind of private organization list.

--
~ g r @ eclipsed.net
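The "array of 17576 1s and 0s" quoted above is a bitmap with one flag per three-letter combination (26^3 = 17576), set for every trigram that occurs in a word list; a partial-word check then looks up each three-letter run of a candidate password in that bitmap. The following is an added example of that check, written for this page and not code from either poster. It assumes nothing beyond the standard library; the five-word list is a constructed stand-in for /usr/dict/words, and `load_bitmap_from_file` is the hypothetical path a real deployment would use to build the table once from the dictionary file.

```python
"""Trigram bitmap for partial-word password checks.

Added example, not from the thread. One flag per three-letter
combination (26**3 = 17576 entries); a flag is 1 when that trigram
occurs in any dictionary word. Checking a password is then a handful
of in-memory lookups, with no dictionary file access at check time.
"""
import string

ALPHABET = string.ascii_lowercase
TRIGRAM_SPACE = 26 ** 3  # 17576

# Constructed stand-in for /usr/dict/words.
SAMPLE_WORDS = ["password", "secret", "linux", "kerberos", "terminal"]


def trigram_index(tri):
    """Map three lowercase letters to an index in 0..17575."""
    a, b, c = (ALPHABET.index(ch) for ch in tri)
    return (a * 26 + b) * 26 + c


def build_bitmap(words):
    """Return a bytearray of 17576 0/1 flags from an iterable of words.

    Non-letter characters are dropped, so only runs of letters inside
    each word contribute trigrams.
    """
    bitmap = bytearray(TRIGRAM_SPACE)
    for word in words:
        w = "".join(ch for ch in word.lower() if ch in ALPHABET)
        for i in range(len(w) - 2):
            bitmap[trigram_index(w[i:i + 3])] = 1
    return bitmap


def load_bitmap_from_file(path):
    """Hypothetical helper: build the bitmap from a one-word-per-line file."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return build_bitmap(line.strip() for line in fh)


def dictionary_fragments(candidate, bitmap):
    """Return the dictionary trigrams found in candidate, in order.

    Digits and punctuation break a run of letters, so a trigram is
    never formed across them; the check is case-insensitive.
    """
    found = []
    run = ""
    for ch in candidate.lower() + " ":  # trailing space flushes the last run
        if ch in ALPHABET:
            run += ch
            continue
        for i in range(len(run) - 2):
            tri = run[i:i + 3]
            if bitmap[trigram_index(tri)]:
                found.append(tri)
        run = ""
    return found


def has_dictionary_fragment(candidate, bitmap):
    """Policy decision: reject when any dictionary trigram is present."""
    return bool(dictionary_fragments(candidate, bitmap))


if __name__ == "__main__":
    bm = build_bitmap(SAMPLE_WORDS)
    for pw in ["pass1234", "Xq7!vL#2", "mysecretlinux"]:
        print(pw, dictionary_fragments(pw, bm))
```

The table costs 17576 bytes as a bytearray (under 2.2 KB if packed to bits), so it lives comfortably in memory; the only file access is the one-time build from the word list, which is the cost the reply above is pointing at. A trigram filter is coarse by design: it flags fragments such as "pas"/"ass" in "pass1234" but says nothing about a password made of rare letter runs, so it is a screen to run alongside length and reuse checks, not a replacement for them.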