[WEB SECURITY] suggesting passwords to users
James Landis
jcl24 at cornell.edu
Mon Apr 30 16:20:18 EDT 2007
We're not just worried about "smart dictionary attacks", but also any
attack that is targeted at the specific algorithm used to generate
passwords. Without getting too heavy into theory, the basic goal is to
try to estimate whether the passwords created by the algorithm are
more or less susceptible to a targeted brute force attack than a
typical user-space password. The actual tradeoff between an
easily-remembered password and a complex password that has to be
written down is hard to measure.
This is all assuming there is no brute-force-prevention mechanism, of course.
-j
On 4/30/07, Anurag Agarwal <a_agrawwal at yahoo.com> wrote:
>
> If a system is generating a password like "swiss napkin", etc., which is easier
> to remember, then the only thing which comes to my mind is that it may also
> be prone to smart dictionary attacks. Maybe I am wrong, but I would like to
> hear others' thoughts on this.
>
> Cheers,
>
> Anurag Agarwal
>
> SEEC - An application security search engine
>
> Web: www.attacklabs.com , www.myappsecurity.com
>
> Email : anurag.agarwal at yahoo.com
>
> Blog : http://myappsecurity.blogspot.com
>
> ----- Original Message ----
> From: Brian Eaton <eaton.lists at gmail.com>
> To: Web Security <websecurity at webappsec.org>
> Sent: Monday, April 30, 2007 10:41:51 AM
> Subject: [WEB SECURITY] suggesting passwords to users
>
> I just changed a password on a *nix system and encountered a message I
> hadn't seen before. The machine gave me all of the standard
> recommendations about choosing passwords, such as password length (at
> least eight characters) and character classes (upper case, lower case,
> symbols, numbers, etc.). Following all of that advice, the passwd
> program displayed the message:
>
> Alternatively, if noone else can see your terminal now, you can pick
> this as your password: "Swiss-napkin;storm".
>
> This struck me as being both good for security and user-friendly.
> This is user friendly because:
> - end users no longer have to struggle to find a password that meets
> all of the password requirements on the system.
> - the password is relatively easy to remember (less risk of being
> locked out by accident)
>
> This is good for security because:
> - the suggested password can be randomly generated.
> - the password is relatively easy to remember, reducing the risk of
> the password being written down on a sticky note.
> users aren't choosing passwords based on personal information an
> attacker might obtain, such as pet names or birthdays.
>
> There is a trade-off being made: you run the risk of a shoulder-surfer
> observing the password. That trade-off seems pretty reasonable to me.
> I'd be more concerned about the sticky-note problem than the
> shoulder-surfer problem.
>
> But I may be missing some of the risks created by this system, perhaps
> this isn't such a clever idea. Is this a good system for web based
> applications to use? When presenting a password change form, should
> web apps suggest a randomly generated password?
>
> Regards,
> Brian
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
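An added illustration of James's point, not code from anyone in this thread: if the attacker knows the generator (the Kerckhoffs assumption), the strength of a "Swiss-napkin;storm" style password is the number of random choices the algorithm makes, not its apparent complexity. The wordlist, separator set, capitalisation rule and guess rates below are constructed assumptions for the example.

```python
import math
import secrets

# Constructed toy wordlist; a real generator needs a large dictionary
# (thousands of words) or the keyspace stays small no matter how random.
WORDLIST = ["swiss", "napkin", "storm", "river", "candle", "pixel",
            "orbit", "maple", "velvet", "quartz", "lantern", "fossil"]
SEPARATORS = "-;:,."   # assumed set of separator characters


def keyspace_bits(n_words, words_per_password, n_separators, capitalise_first):
    """Entropy in bits of the generator when the attacker knows the
    algorithm and the wordlist: only the random choices count."""
    choices = n_words ** words_per_password
    choices *= n_separators ** (words_per_password - 1)
    if capitalise_first:
        choices *= 2   # assumed rule: first letter randomly upper or lower
    return math.log2(choices)


def generate(words=WORDLIST, count=3, seps=SEPARATORS):
    """Build a passphrase in the 'Swiss-napkin;storm' shape from a CSPRNG."""
    parts = [secrets.choice(words) for _ in range(count)]
    if secrets.randbelow(2):
        parts[0] = parts[0].capitalize()
    out = parts[0]
    for word in parts[1:]:
        out += secrets.choice(seps) + word
    return out


def words_of(pw, seps=SEPARATORS):
    """Split a generated passphrase back into lowercase words."""
    for s in seps:
        pw = pw.replace(s, " ")
    return pw.lower().split()


def random_charclass_bits(length, alphabet_size=94):
    """Entropy of a uniformly random printable-ASCII password of given length."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to search the whole keyspace at a given guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    print("sample:", generate())
    print("toy list, 3 words:", round(keyspace_bits(len(WORDLIST), 3, len(SEPARATORS), True), 1), "bits")
    print("7776-word list, 3 words:", round(keyspace_bits(7776, 3, len(SEPARATORS), True), 1), "bits")
    print("random 8-char printable:", round(random_charclass_bits(8), 1), "bits")
```

With the toy list the generator is far weaker than a random 8-character password, while a diceware-sized list brings three words into the same range; the comparison is what James calls the targeted brute-force estimate, and it ignores any lockout mechanism just as he notes.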