[p2p-hackers] guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)

Justin justin-cypherpunks at soze.net
Tue Mar 28 09:07:10 PST 2006

On 2006-03-27T14:04:55-0800, coderman wrote:
> On 3/27/06, Michael J Freedman <mfreed at cs.nyu.edu> wrote:
> > As a solution developed precisely for this problem, you should check out
> > the pwdhash extension for browsers:
> >
> >    http://crypto.stanford.edu/PwdHash/
> i'd still be concerned about dictionary attacks on poor passwords
> (that is, discovering '.848fe29s44j' is the hash for pwned.com and
> 'secret'.)  secure digests make this more expensive but not by much.
> * are you aware of any utility for the browser that generates random
> passwords?

Two that are in app-admin/ under gentoo are pwgen and ranpwd.  pwgen is
neat.  It prints out a bunch of passwords and you pick one, so that
shoulder surfing doesn't work (unless it's with a camera).

It also has an option to generate a password given a seed value (which
could be your basic password you might use for PwdHash) and an input
file, using sha-1.

I recall a similar program that printed out skey-style many-word
passwords.  I wish I could remember what it was called.  I like those
kinds of passwords.

I don't understand why some people are fixated on 8-character passwords,
and why they insist on using every character on the keyboard.  Compare
[:alnum:]{8} -- 47.6 bits of entropy with :alnum: plus punctuation --
52.5 bits.

What kind of threat model might there be where the former is
unacceptable while the latter is sufficient?  Both provide more than
enough security against a casual snoop, particularly when authentication
methods go through processes that implement wrong-password delays and/or
eventual lock-outs, and when the risk of another attack that provides
access to the password file for an offline brute-force attack is
minimal.  Neither 47 nor 52 bits is nearly enough security to resist
serious attacks by serious people with lots of hardware, TLAs, etc.

The six phases of a project:
I. Enthusiasm.         IV. Search for the Guilty.
II. Disillusionment.   V. Punishment of the Innocent.
III. Panic.            VI. Praise & Honor for the Nonparticipants.

More information about the Testlist mailing list