Bob Casanova
8/24/2010 5:47:00 PM
On Mon, 23 Aug 2010 18:04:30 -0400, the following appeared
in sci.skeptic, posted by Mr.B1ack <bw@barrk.net>:
>Bob Casanova <nospam@buzz.off> wrote:
>
>>On Mon, 23 Aug 2010 09:03:22 -0400, the following appeared
>>in sci.skeptic, posted by Mr.B1ack <bw@barrk.net>:
>>
>>>CNN reports that a team from a university in Georgia (usa)
>>>built a supercomputer out of PC graphics cards - which can
>>>do certain kinds of math really, really, fast. Their aim
>>>was to see how quickly passwords could be guessed.
>>>
>>>Their recommendation is that passwords be 12 characters
>>>long. Seems all 11-character passwords could be generated
>>>in 180 years using their setup, whereas 12-characters
>>>ballooned the guessing out to over 17,000 years.
>>>
>>>OK folks ... there's a MUCH better solution for both
>>>personal and corporate/govt systems. Limit how many
>>>bad passwords can be entered before there's an
>>>enforced time delay (or enforce a time delay after
>>>every password entry).
>>>
>>>Remote-access tools like the SSHD (secure shell daemon)
>>>ubiquitous to unix/linux servers have this option readily
>>>available in the configuration file ... it need only be
>>>turned on. You can also limit how many instances of
>>>the daemon can be run concurrently - with a fair level
>>>of fine control. Unix/linux user accounts often have
>>>the same kind of bad-guess tools. Get it wrong three
>>>times or whatever and you're bumped off the system
>>>for a certain period.
>>>
>>>This would be dead easy to incorporate into even
>>>Winders-based servers and PCs.
>>>
>>>Even a ten or thirty SECOND delay after a few bad
>>>passwords would totally frustrate any sort of
>>>'guessing' attack. A five or six ASCII character
>>>password would take like forever to hit if you
>>>could only try three at a time and then had to
>>>wait awhile. Guessers would be better off trying
>>>"likely" passwords instead - and even then ...
>>>
>>>SO ... why the hell isn't this guess-rate-limiting
>>>scheme standard - and active by default - on ALL
>>>modern operating systems and server software ???
>>>Web servers, e-mail servers, whatever ... they
>>>ALL ought to be "guess-proofed". Not a hard
>>>patch by any means, a few lines of code. Add
>>>just a little extra IQ - check MAC addresses
>>>or attempted logins from any particular domain -
>>>with just a couple dozen extra lines of code.
>>>
>>>EZ.
>>>
>>>So ... DO it already !
>>
>>Those are good ideas (and personally I additionally prefer
>>case-sensitive 20-character passwords that allow all ASCII
>>characters),
>
> The "problem" is pretty much all server-side,
> default settings that just let anybody shoot
> in millions of passwords as fast as their net
> connection permits.
Several of my more sensitive connections have both timeout
and multiple-try limits. But not all.
> For the most part it could
> literally be fixed in MINUTES. If a bank or
> other online biz loses your info due to this
> sort of attack, it's professional malpractice,
> incompetence - NOT because your password wasn't
> page 297 of War and Peace - and big lawsuits
> are in order.
Sure; that's why I said I agreed. But long random passwords
also help.
>>but what has this to do with s.s?
>
> It's scientific, but I'm skeptical. There's
> a lot of BS in computer security nowadays -
> much of it designed to scare people into
> parting with their money, privacy, convenience,
> or all three.
>
> Or has s.s. become all about Bigfoot
> and ghosts ?
From its inception s.s was intended to be about claims of
the paranormal. Lately (well, for quite a while) religion,
UFO whackos and general science denial have unfortunately
taken over most of it.
--
Bob C.
"Evidence confirming an observation is
evidence that the observation is wrong."
- McNameless
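The "three bad guesses, then an enforced delay" policy discussed in the quoted post, as an added worked example that is not code from either poster. The names (LoginThrottle, seconds_to_exhaust, years_to_exhaust), the caller-supplied clock and all parameter values are assumptions chosen to mirror the post's numbers: three tries, a thirty-second wait, and a six-character password drawn from the 95 printable ASCII characters.

```python
"""Per-key failed-login throttle plus the arithmetic behind it.

Added illustration; all identifiers and values here are assumptions.
"""
from dataclasses import dataclass, field

SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass
class AttemptResult:
    allowed: bool          # False while the key is inside its enforced delay
    authenticated: bool    # True only when allowed and the password matched
    retry_after: float     # seconds until the next attempt will be evaluated


@dataclass
class LoginThrottle:
    """Counts bad guesses per key and enforces a delay after max_failures.

    The key is whatever the caller wants to throttle on: the account name,
    the source address, or an (account, source) pair. Keying on the account
    keeps the limit in force even when guesses arrive from many addresses.
    A time-limited delay is used rather than a permanent lock so that a
    stream of deliberate failures cannot shut a legitimate user out for good.
    """
    max_failures: int = 3
    delay_seconds: float = 30.0
    _failures: dict = field(default_factory=dict)
    _blocked_until: dict = field(default_factory=dict)

    def attempt(self, key, password_ok: bool, now: float) -> AttemptResult:
        """Record one login attempt at time `now` (seconds, caller-supplied)."""
        blocked_until = self._blocked_until.get(key, 0.0)
        if now < blocked_until:
            # Still inside the delay: the guess is not evaluated at all,
            # so even a correct password is refused until the delay ends.
            return AttemptResult(False, False, blocked_until - now)
        if password_ok:
            self._failures.pop(key, None)
            self._blocked_until.pop(key, None)
            return AttemptResult(True, True, 0.0)
        failures = self._failures.get(key, 0) + 1
        if failures >= self.max_failures:
            # Threshold reached: start the delay and restart the counter.
            self._blocked_until[key] = now + self.delay_seconds
            self._failures[key] = 0
            return AttemptResult(True, False, self.delay_seconds)
        self._failures[key] = failures
        return AttemptResult(True, False, 0.0)


def seconds_to_exhaust(alphabet_size, length, max_failures, delay_seconds):
    """Worst-case seconds to try every `length`-symbol password online when
    each window of `delay_seconds` admits only `max_failures` guesses."""
    keyspace = alphabet_size ** length
    guesses_per_second = max_failures / delay_seconds
    return keyspace / guesses_per_second


def years_to_exhaust(alphabet_size, length, max_failures, delay_seconds):
    return seconds_to_exhaust(alphabet_size, length,
                              max_failures, delay_seconds) / SECONDS_PER_YEAR


def demo():
    # Constructed sequence: three wrong guesses, a refused attempt during the
    # delay (even though the password is right), then success once it ends.
    throttle = LoginThrottle(max_failures=3, delay_seconds=30.0)
    for t, ok in [(0.0, False), (1.0, False), (2.0, False), (10.0, True), (33.0, True)]:
        r = throttle.attempt("alice", ok, now=t)
        print(f"t={t:5.1f}s allowed={r.allowed!s:5} auth={r.authenticated!s:5} "
              f"retry_after={r.retry_after:.1f}s")
    # 95 printable ASCII symbols, length 6, 3 guesses per 30 s: roughly 233,000 years.
    print(f"6 printable-ASCII chars, 3 tries / 30 s: "
          f"{years_to_exhaust(95, 6, 3, 30.0):,.0f} years to exhaust")


if __name__ == "__main__":
    demo()
```

The clock is passed in rather than read from `time.time()` so the policy can be tested deterministically; a real daemon would also persist the counters so a restart does not clear them.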