[Novalug] linux update security?

Joel Fouse joel at fouse.net
Tue Jan 15 11:28:10 EST 2008


As to the multiple password (or re-using passwords) issue, I've found
PasswordSafe (and its Linux complement, PasswordGorilla) to be helpful.

http://passwordsafe.sourceforge.net/

Started by Bruce Schneier and open sourced, it's become quite the handy
tool for storing and organizing numerous passwords, and generating
random ones according to a policy you define, if needed.  I use this
for everything from random websites that want a login just to look at a
friend's latest roll of film to keeping track of numerous
enterprise-related credentials (this app needs to get to that db,
corporate account with vendor's site, etc.), though usually in separate
pwsafe db files. ;)

- Joel


On Tue, 2008-01-15 at 07:07 -0500, Anthony Soucek wrote:

> Nino,
> 
> I agree that users' memories are the most insecure part.  I am
> concerned however about re-using passwords, or using the same
> password on multiple sites.  If you forget which password or the
> password, sometimes it will be emailed to you, possibly in clear text.
> Also if it is in your mailbox, it could be gotten from the ISP by
> court order.  Some recommend using a formula for password generation
> that includes the name of the site in the formula.  I am concerned
> that if a bad guy gets hold of multiple passwords they will quickly
> crack the formula and be able to predict the passwords for other
> sites.  I wonder if OpenID will be able to help close this
> vulnerability.
> 
> On Jan 14, 2008 10:09 PM, Nino Pereira <pereira at speakeasy.net> wrote:
> > Clayton,
> >
> > interesting stuff, this security business. But, please note
> > that I only reacted to the question: how large is 2^128?,
> > and, how do you get a feel for how much this is? So, instead
> > of doing it exactly, as Don did, I just picked a number that's
> > reasonably close and then ran with it.
> >
> > Your points, and the ones in the web sites you mention, are
> > well-taken: there is indeed a lot of activity in trying to
> > factor large numbers, in designing random number generators,
> > and related things. Still, it seems to me that MD5 is fine
> > for run-of-the-mill checking of whether files downloaded
> > properly, which is what it's used for a lot.
> >
> > Perfect security, of course, doesn't exist, and the weakest
> > link is not in technology but in humans. As an example,
> > I think the worst practice is to force people to have
> > complicated passwords that they cannot possibly remember
> > (my most recent one demanded 2 CAPITALS, 2 lower case, 2 numbers,
> > and 2 weird symbols (&, #, etc.), with 10 in total).
> > So, I wrote it down, and I'll keep it at the machine where I need it.
> > Is it secure? No, not at all.
> >
> > Much more secure are my standard passwords. I have a few,
> > each for its own purpose. I don't write these down, and they
> > are secure enough: no one will guess the first two
> > (they are nonsense words, made back in the early '80s
> > by a program that made good passwords), or the last one (which
> > does have some of the characteristics mentioned, but not all).
> >
> > Clayton Graham wrote:
> >
> > > Paper explaining a fast collision attack
> > > <http://eprint.iacr.org/2004/199.pdf>
> > > wikipedia entry for MD5 <http://en.wikipedia.org/wiki/MD5>
> > > Project RainbowCrack - software implementing a fast attack against MD5
> > > et al. <http://www.antsight.com/zsl/rainbowcrack/>
> >
> > _______________________________________________
> > Novalug mailing list
> > Novalug at calypso.tux.org
> > http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
> >
> 
> 
> 
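The thread contrasts three things: a policy that demands fixed counts of character classes, a site-name formula that a few leaked passwords could expose, and a manager that generates an independent random password per site. The following is an added example, not code from the list post or from the PasswordSafe/Password Gorilla projects, of what "generating random passwords according to a policy you define" looks like, together with the search-space arithmetic behind the earlier "how large is 2^128?" question. The Policy class, its field names, the symbol set and the sample password are assumptions constructed for this example.

```python
import math
import secrets
import string
from dataclasses import dataclass


# Constructed example policy. The default counts mirror the requirement
# quoted in the thread (2 upper, 2 lower, 2 digits, 2 symbols, 10 total);
# the field names and the symbol set are assumptions for this example.
@dataclass(frozen=True)
class Policy:
    length: int = 10
    min_upper: int = 2
    min_lower: int = 2
    min_digits: int = 2
    min_symbols: int = 2
    symbols: str = "!@#$%^&*()-_=+[]{};:,.<>?"


def alphabet(policy: Policy) -> str:
    """Every character the policy permits."""
    return string.ascii_uppercase + string.ascii_lowercase + string.digits + policy.symbols


def alphabet_size(policy: Policy) -> int:
    return len(alphabet(policy))


def class_counts(password: str, policy: Policy) -> dict:
    """How many characters of each class the password contains."""
    return {
        "upper": sum(c in string.ascii_uppercase for c in password),
        "lower": sum(c in string.ascii_lowercase for c in password),
        "digits": sum(c in string.digits for c in password),
        "symbols": sum(c in policy.symbols for c in password),
    }


def satisfies_policy(password: str, policy: Policy) -> bool:
    """True if the password has the required length, uses only permitted
    characters, and meets every per-class minimum."""
    if len(password) != policy.length:
        return False
    allowed = set(alphabet(policy))
    if any(c not in allowed for c in password):
        return False
    counts = class_counts(password, policy)
    return (counts["upper"] >= policy.min_upper
            and counts["lower"] >= policy.min_lower
            and counts["digits"] >= policy.min_digits
            and counts["symbols"] >= policy.min_symbols)


def generate(policy: Policy) -> str:
    """Draw a password from the OS CSPRNG that satisfies the policy.

    The mandatory characters are drawn first, the remainder from the full
    alphabet, and the result is shuffled so that the position of each
    mandatory class is not predictable from the policy itself."""
    required = [
        (policy.min_upper, string.ascii_uppercase),
        (policy.min_lower, string.ascii_lowercase),
        (policy.min_digits, string.digits),
        (policy.min_symbols, policy.symbols),
    ]
    if sum(n for n, _ in required) > policy.length:
        raise ValueError("policy minimums exceed the password length")
    chars = [secrets.choice(pool) for n, pool in required for _ in range(n)]
    full = alphabet(policy)
    chars += [secrets.choice(full) for _ in range(policy.length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def search_space_bits(length: int, alphabet_size_: int) -> float:
    """log2 of the number of strings of this length over this alphabet.

    For a policy-constrained password this is an upper bound, since the
    policy excludes some of those strings."""
    return length * math.log2(alphabet_size_)


def length_for_bits(target_bits: float, alphabet_size_: int) -> int:
    """Shortest length whose uniform search space reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size_))


if __name__ == "__main__":
    policy = Policy()
    # Two sites get two independent passwords; nothing about one reveals the other.
    for site in ("example.invalid", "example2.invalid"):  # placeholder site names
        pw = generate(policy)
        assert satisfies_policy(pw, policy)
        print(f"{site}: {pw}")
    print("10 chars over 94 printable ASCII:",
          round(search_space_bits(10, 94), 1), "bits")
    print("chars needed for 128 bits over 94 symbols:", length_for_bits(128, 94))
```

The two numbers printed at the end put the quoted 10-character policy next to the 2^128 figure from earlier in the thread: ten characters drawn uniformly from 94 printable ASCII symbols give about 65.5 bits, and reaching 128 bits from the same alphabet takes 20 characters, which is why a manager that stores long random strings can do what memorized passwords cannot.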

