IBNeko's Journal-Nyo~!
Your Password SUCKS!

Your password sucks!
We've just done a code push, which includes the new function we've been cheerfully calling the "your password sucks" module. This provides an update to our sucky-password-checking module, and an option (currently disabled) that will force anyone with a password that sucks to change that password before they can do anything else on the site. And I do mean anything.


I still need to change passwords for a large majority of sites I use. Still, mine is not brute-forceable (eh, meaning you can't take a dictionary, and try word by word.) And all of my passwords are generated based on random keyboard pounding, then rotated into a more comfortable string to type. With numbers. I should also add punctuation, for those sites and places that accept it... Sadly, I tend to reuse several passwords for everything over one time period, although always combined with modifications based on various things. This is a Bad thing.

A better password scheme would be to let the server pick several random numbers, then you have to respond with the correct numbers in response, based off an equation or something of your choosing. Although this massively slows down things, and people aren't good at adding sometimes... never mind, that wouldn't work. We're not computers. Maybe some sort of smartcard..... enter the numbers on that, and it'll give you the numbers to enter back.. but the smartcard can be stolen. Hmm. Add a fingerprint-based calculation to that. Yeeeah. Something like that. So Computer-generated Challenge -> smartcard's internal equation * fingerprint -> Smartcard response
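
The challenge -> smartcard -> response flow sketched above, as an added example that is not part of the original post: the card's "internal equation" is replaced here by HMAC-SHA256, and the server checks the answer against a single-use random challenge. It assumes the fingerprint reader yields identical bytes on every scan (real sensors need extra processing to get there); `Server`, `derive_key`, `card_respond`, `demo` and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def derive_key(card_secret: bytes, fingerprint: bytes) -> bytes:
    """Bind the card to its holder: mix fingerprint-derived bytes into the card secret."""
    return hmac.new(card_secret, b"bind|" + fingerprint, hashlib.sha256).digest()

def card_respond(card_secret: bytes, fingerprint: bytes, challenge: bytes) -> bytes:
    """What the card computes: response = HMAC(derived key, challenge)."""
    return hmac.new(derive_key(card_secret, fingerprint), challenge, hashlib.sha256).digest()

class Server:
    """Hypothetical verifier; stores the derived key captured at enrollment."""

    def __init__(self):
        self._keys = {}     # user -> derived key
        self._pending = {}  # user -> challenge not yet answered

    def enroll(self, user: str, derived_key: bytes) -> None:
        self._keys[user] = derived_key

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh and unpredictable per login
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self._pending.pop(user, None)  # single use: blocks replay
        key = self._keys.get(user)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo() -> dict:
    # Constructed sample values, not real credentials or biometric data.
    secret, finger = b"card-secret-0001", b"owner-fingerprint-bytes"
    server = Server()
    server.enroll("alice", derive_key(secret, finger))
    c1 = server.issue_challenge("alice")
    good = card_respond(secret, finger, c1)
    results = {"owner": server.verify("alice", good)}
    results["replay_same_challenge"] = server.verify("alice", good)
    server.issue_challenge("alice")
    results["replay_new_challenge"] = server.verify("alice", good)
    c3 = server.issue_challenge("alice")
    results["stolen_card"] = server.verify("alice", card_respond(secret, b"thief-fingerprint", c3))
    return results
```

`demo()` reports that only the enrolled card with the owner's fingerprint passes; a captured response is useless once its challenge has been consumed, and the card alone fails without the matching fingerprint.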

From: jaiwithani Date: October 20th, 2005 05:45 pm (UTC)
Hardware requirements=not gonna catch on, except perhaps at ATMs and other vendor-controlled hardware. You can't expect everyone who wants to access legitsite.gov to buy a new $30 piece of hardware just to log in, methinks.

If a cracker gets to the point where brute-forcing is an option, the system is already compromised. Which is why I think password-security is overhyped. Aside from "God", "password", $username, 0123456789 and a few other favorites, most passwords are sufficient as long as they're kept secret. Everyone is much more vulnerable to key-logging, leaving private information on a public terminal, roommate-peeking, and phishing than to brute forcing.

That said, passphrases are my preferred method of secure-password generation. For example,

This passphrase is well-nigh impossible to brute force.

Is a totally secure passphrase. Under current attack search-space algorithms, it's virtually uncrackable. If passphrases become more popular, the old brute-force algorithms and pre-computations can be adapted to attack them; they won't hold up quite as long, but even then they're pretty strong.

From: ibneko Date: October 20th, 2005 08:33 pm (UTC)
Oh, don't forget "trust" and "trustme".

Mmmm, yeah. The only problem is, many places don't accept " " characters in passwords, as well as many other things. And length is limited. Quite stupid, really, but hey, what can you do.

From: shanrina Date: October 20th, 2005 06:43 pm (UTC)
Wait...am I sleep-deprived, or does the link say that eventually they're going to get to a point where they _will_ make us change our password or else we won't be able to do anything? That's stupid...my LJ password _is_ unguessable, and I don't appreciate having to conform to other people's rules for my own passwords. But then I have a terrible memory, and I really hate trying to remember other people's rules for passwords.

From: backdrifter_ Date: October 21st, 2005 08:39 am (UTC)
lol @ the 'password sucks' bit!