Domain: nursat.kz
Stories and comments across the archive that link to nursat.kz.
Comments · 15
-
Re:UNIX/Linux password generation.
Just install apg. Should be in the repositories of most distros.
-
apg can help
http://www.adel.nursat.kz/apg/Automated Password Generator can generate very nice, pronouncable, but still pretty secure passwords. Add a few punctuation characters, and you have a strong password that is fairly easy to remember.
An example of the output:
me@host:~$ apg
Please enter some random data (only first 8 are significant)
(eg. your old password):>
Bachmebjij8 (Bach-meb-jij-EIGHT)
7Knipwoi (SEVEN-Knip-woi)
gruemUnrod2 (gruem-Un-rod-TWO)
MaHiopt1 (Ma-Hi-opt-ONE)
RidHynEbr8Or (Rid-Hyn-Ebr-EIGHT-Or)
AfnoHoorfid9 (Af-no-Hoorf-id-NINE) -
Re:Howto create good password thats easy remembere
Not such a great password, really, since it's subject to a trivial dictionary attack.
I think it's safe to assume that most people don't have a "favorite poem", and most "favorite songs" likely come from a rather limited set -- let's say about 5,000 songs, which is probably excessive. You then have two options per song (refrain or first verse) and two styles (normal and "l33t speak"). That's only 20,000 additional possibilities on top of the normal password dictionaries, compared to the 56.8e+9 available six-character random alphanumeric passwords.
My recommendation is to avoid allowing any human input to bias the selection process. Instead, use a tool like APG to generate pronounceable, and thus memorable, random passwords, and simply assign them to each user.
-
Several flaws immediately come to mind
The image associations are not only unique to the user, they're also "hard to forget," the researchers said. "After typing her password several times, a user develops 'muscle memory' and can log in quickly without referring to the inkblot images," they said.
No shit. Type any password enough times your fingers learn where the keys are, even if you're not consciously thinking about what you're typing.
So their aim is to have you look at the inkblots, work out your passwords, type the password until your fingers get it, and then you don't have to look at the inkblots any more No numbers, no mix of uppercase and lowercase, and no punctuation. Doesn't sound particularly
Running APG over a web interface and getting pronouncable, strong passwords which will develop into muscle memory just as easily sounds like a much better solution.
Not to mention the the whole "oh btw, we're storing your associations" bit. It should be painfully obvious that when it comes to security, Microsoft simply doesn't "get it". -
APG
I have found that using APG is a great way to generate passwords. They are easy to remember since you can pronounce them. For example, I just ran the generation and these are the passwords that popped out. I have found that most users can remember these kinds of passwords.
lewcyHirUx6 (lew-cy-Hir-Ux-SIX)
drywaWrop2 (dry-wa-Wrop-TWO)
ScekGul4 (Scek-Gul-FOUR)
lacWaup7 (lac-Waup-SEVEN)
IphIaft3 (Iph-Iaft-THREE)
glidTevPos8 (glid-Tev-Pos-EIGHT) -
Re:Not that much of a problem!One quote springs to mind: "If you entrench yourself behind strong fortifications, you compel the enemy seek a solution elsewhere." -- Karl von Clausewitz
Now that the haughty quote has been delivered, I have the attorney's attention. Aside from everybody writing down their login password somewhere and subverting your agressive security, there's probably some other vulnerability in your network that could prove to make a daily password rotation useless.
And it's very stressful for people to change their passwords every day, especially if you're using advanced rules (mandating at least X of the 4 character categories, minimum length, not the same as previously used, etc.). My suggestion is to have everybody install apg so they don't have to waste 30 minutes every day thinking of a password that your Novell eDirectory will allow for usage. Biweekly or weekly is more than frequent enough. Daily is insane.
-
The password for the passwords
I use Another Password Generator for all my passwords. http://www.adel.nursat.kz/apg/
As a general security measure, I use different passwords for all the Internet services I use. I simply do not trust the random forum and service owners I use enough; not because I distrust any concrete service like say Slashdot, but because it only takes one dishonest service owner to look up my password in order to have them all if I were to use the same one everywhere. Instead, I have a very long, huge text-file with all my password which is stored on my bestcrypt http://www.jetico.com/ partition. The system works great for me. Alright, I have to look up the service and password every time, but as I always have that file open in kate since I use it frequently it is not a big deal. This works fine for me and I recommend it. This way I only have to remember the actual sentence I use as a password for my bestcrypt drive, and nobody can use the password on one service to guess my password on another since they are all random garbage like we4kBoc3fis...
So I think that a "a master password" IS the solution. Every employee can easily have their own personal master password where they keep a record of all their passwords, and this allows every employee to have a random password that only works for them assigned for each service they use. -
I write down all my passwords...
.. in one now very huge text-file. The text-file is encrypted with a long master passwords which I hope I will never forget, because if I do, I am screwed. I use Another Password Generator http://www.adel.nursat.kz/apg/ to make random passwords for every new service I encounter, so no two services have the same password.. and they all look like tajEbAmAb or something. The way I do it limits me to using a lot of services from home, but it does give me good security and allows me to only remember that one password for the text-file.
-
Easy-to-remember and strong passwords
-
Automated password generator
I use APG (http://www.adel.nursat.kz/apg/) to generate passwords that are fairly strong and easy to remember. You can decide for pronouncability (weaker) or more random characters (stronger) by command line switches. I highly recommend it.
-
Re:It's simple - use WAP-PSK
Well it does seem my attempt to karma whore failed.
It was meant as a joke but no +5 Funny :(
The text is a quote I stole from a /. sig or something "There are four sides to every story: Your side their side the truth and what really happened" as for the numbers, just a collection of random IP address from back in the day.
Thanks for the comments; I might just look into an APG (http://www.adel.nursat.kz/apg/) password replacement. -
Re:Consonant-Vowel Method
joelhayhurst uses gibberish from APG, so transforming that to l33t-speak can't be harmful unless it removes information.
-
Alternative to memnonics -- pronounceables
I occasionally like memnonic passwords, but another good alternative is a randomly-generated but pronounceable password. It turns out that we're much better at remembering passwords that we can pronounce. (Where "Voolakun5" is pronounceable and "zqx17yvy" is not).
FIPS-181 describes a NIST-endorsed system for producing pronounceable passwords. There is a GPLed FIPS-181 implementation here.
Sample run:
$ apg
dyijenuloa
bifliecar
yishjied&
IfHydrovia
yutsOlg/
DipUkcat
APG is a lot more sophisticated than this, and allows you to do a lot of tweaking of the types of passwords it outputs, print pronunciation guides. It's a good tool, IMHO, for security-conscious types to have around.
For Fedora Core 2 users, Red Hat does not package apg in the base distribution, but it is available from freshrpms. -
Re:Consonant-Vowel Method
There is also a unix utility called APG (Automated Password Generator) which will create pronounceable gibbrish passwords to your specifications. I usually use that, find one I like, then replace a few letters with l33t-speak numbers (to think, it has a use...).
-
Re:so.. how are we supposed to store passwords?
Y'know, you don't necessarily need to put together a password full of random noise to have something secure. Sometimes, something algorythmically determined to come up with a 'sounding' word without actually using a dictionary (with the occasional number or special character) can work very effectively, yet allow a user to remember the password (cutting down on post-it note insecurities).
One such program that does this sort of thing is agp, available at http://www.adel.nursat.kz/apg.
You'd be surprised the sort of research that goes into coming up with something like this, too. Not just the program, but the specifications for what makes a safe kind of password (y'know, taking into account stuff like the likelihood of someone writing the text down somewhere, or choosing a lame password, or whatever).