[Novalug] linux update security?
joel at fouse.net
Tue Jan 15 11:28:10 EST 2008
As to the multiple password (or re-using passwords) issue, I've found
PasswordSafe (and its Linux complement, PasswordGorilla) to be helpful.
Started by Bruce Schneier and open sourced, it's become quite the handy
tool for storing and organizing numerous passwords, and generating
random ones according to a policy you define, if needed. I use this
for everything from random websites that want a login just to look at a
friend's latest roll of film to keeping track of numerous
enterprise-related credentials (this app needs to get to that db,
corporate account with vendor's site, etc.), though usually in separate
pwsafe db files. ;)
On Tue, 2008-01-15 at 07:07 -0500, Anthony Soucek wrote:
> I agree that users' memories are the most insecure part. I am
> concerned however about re-using passwords, or using the same
> password on multiple sites. If you forget which password or the
> password, sometimes it will be emailed to you, possibly in clear text.
> Also if it is in your mailbox, it could be gotten from the ISP by
> court order. Some recommend using a formula for password generation
> that includes the name of the site in the formula. I am concerned
> that if a bad guy gets hold of multiple passwords they will quickly
> crack the formula and be able to predict the passwords for other
> sites. I wonder if OpenID will be able to help close this
> On Jan 14, 2008 10:09 PM, Nino Pereira <pereira at speakeasy.net> wrote:
> > Clayton,
> > interesting stuff, this security business. But, please note
> > that I only reacted to the question: how large is 2^128?,
> > and, how do you get a feel for how much this is? So, instead
> > of doing it exactly, as Don did, I just picked a number that's
> > reasonably close and then ran with it.
> > Your points, and the ones in the web sites you mention, are
> > well-taken: there is indeed a lot of activity in trying to
> > factor large numbers, in designing random number generators,
> > and related things. Still, it seems to me that MD5 is fine
> > for run of the mill checking of whether files downloaded
> > properly, which is what it's used for a lot.
> > Perfect security, of course, doesn't exist, and the weakest
> > link is not in technology but in humans. As an example,
> > I think the worst practice is to force people to have
> > complicated passwords that they cannot possibly remember
> > (my most recent one demanded 2 CAPITALS, 2 lower case, 2 numbers,
> > and 2 weird symbols (&,#, etc), with 10 in total).
> > So, I wrote it down, and I'll keep it at the machine where I need it.
> > Is it secure? No, not at all.
> > Much more secure are my standard passwords. I have a few,
> > each for its own purpose. I don't write these down, and they
> > are secure enough: no one will guess the first two
> > (they are nonsense-words, were made back in the early '80s,
> > by a program that made good passwords), or the last one (which
> > does have some of the characteristics mentioned, but not all).
> > Clayton Graham wrote:
> > > Paper explaining a fast collision attack
> > > <http://eprint.iacr.org/2004/199.pdf>
> > > wikipedia entry for MD5 <http://en.wikipedia.org/wiki/MD5>
> > > Project RainbowCrack - software implementing a fast attack against MD5
> > > et al. <http://www.antsight.com/zsl/rainbowcrack/>
> > _______________________________________________
> > Novalug mailing list
> > Novalug at calypso.tux.org
> > http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
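As an added example (not from any poster, and not code from PasswordSafe or PasswordGorilla), a policy-driven random password generator of the kind Joel describes, exercised with the policy Nino was handed (2 capitals, 2 lower case, 2 digits, 2 symbols, 10 in total). The `Policy` class, the symbol set and the function names are assumptions; the entropy bound at the end shows how far such a 10-character password is from the 2^128 space discussed upthread.

```python
import math
import secrets
import string
from dataclasses import dataclass

# Constructed symbol set; restrict it to what the target system accepts.
SYMBOLS = "&#!$%*+-=?@^_"


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy model: total length plus a minimum per character class."""
    length: int
    min_upper: int = 0
    min_lower: int = 0
    min_digit: int = 0
    min_symbol: int = 0

    def classes(self):
        return (
            (string.ascii_uppercase, self.min_upper),
            (string.ascii_lowercase, self.min_lower),
            (string.digits, self.min_digit),
            (SYMBOLS, self.min_symbol),
        )


def generate_password(policy: Policy) -> str:
    """Draw a password from the OS CSPRNG that meets every minimum in the policy."""
    if sum(n for _, n in policy.classes()) > policy.length:
        raise ValueError("policy minimums exceed total length")
    rng = secrets.SystemRandom()  # CSPRNG-backed shuffle; random.shuffle is not
    # First satisfy each class minimum, then fill the rest from the whole alphabet.
    chars = [secrets.choice(alpha) for alpha, n in policy.classes() for _ in range(n)]
    full_alphabet = "".join(alpha for alpha, _ in policy.classes())
    chars += [secrets.choice(full_alphabet) for _ in range(policy.length - len(chars))]
    rng.shuffle(chars)  # otherwise the required classes sit in fixed positions
    return "".join(chars)


def satisfies_policy(password: str, policy: Policy) -> bool:
    """Check an existing password against the same policy."""
    if len(password) != policy.length:
        return False
    return all(sum(c in alpha for c in password) >= n for alpha, n in policy.classes())


def max_entropy_bits(policy: Policy) -> float:
    """Upper bound log2(alphabet^length); the class minimums only lower it."""
    alphabet = sum(len(alpha) for alpha, _ in policy.classes())
    return policy.length * math.log2(alphabet)


# Nino's policy as stated upthread: 2 upper, 2 lower, 2 digits, 2 symbols, 10 total.
NINO_POLICY = Policy(length=10, min_upper=2, min_lower=2, min_digit=2, min_symbol=2)
```

With a 75-character alphabet the bound is about 62 bits, so brute force of such a password is many orders of magnitude easier than searching a 2^128 space.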