[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Password scoring application wanted



> > And extra points if it prevents use of passwords too close to the
> > previous password(s),
> 
> Doesn't that require keeping a copy of the password in a form
> that can be decrypted?

Or, at least, compared against with some sort of "nearness" comparison,
which is really hard to do with one-way encryption.

Excellent point!

> That seems much more dangerous than
> the chance of the next one being somewhat similar.

Yes, storing passwords on a computer is dangerous.

Of course, not storing them on any computer makes it very hard to use
them.

> > Why does the concept bug me? Why do I think that if it's machine
> > generated and easy to memorize it's going to be easy to brute force?
> 
> If computers can't do things better than you would yourself, why
> are we bothering to use them?

Excellent point!!!

(Sorry, I got carried away there.)

> > Anyway, helping the user at least set a password other than the typical
> > "password" sort of password will be sort of an improvement, at least for
> > a little while.
> 
> It's hard to reconcile this comment with the previous one that
> implied that the user would do a better job than pwgen...

I agree.

Self-spreading and social-engineering malware reveals the evil in the
666 permissions Microsoft has about the internet, but it's really hard
to argue that securing things is anything but a temporary fix.

Almost a year ago, I wrote a little half-baked rant on my personal site
about how the manufacturers of personal computer OSses should help the
user set up his or her password. But it's just a band-aid. Unfortunately,
computers being what they are, and people being what they are, I don't
see anything else to do, other than change the bandaids.

Anyway, for now, helping the user set better passwords seems like a good
idea. Pretty soon the black hats are going to analyse the algorithms
used by those user-helper mini-apps and be able to guess about half of
the passwords generated.

Physical tokens can be broken the way locks can, so the people who
advocate those (and keychains!) are not really advocating anything with
any permanent security.

Security is an illusion. But failing to be secure is not an answer.

I guess I need to add a little bit to my pages, for the next level.

--
Joel Rees   <rees ddcom co jp>
digitcom, inc.   株式会社デジコム
Kobe, Japan   +81-78-672-8800
** <http://www.ddcom.co.jp> **


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]