On Feb 6, 2008 8:46 AM, Mike Miller <mbmiller at taxa.epi.umn.edu> wrote:

> On Wed, 6 Feb 2008, Andy Schmid wrote:
>
> > On Feb 5, 2008 5:11 PM, Mike Miller <mbmiller at taxa.epi.umn.edu> wrote:
> >
> >> Thanks, Dave.  Very interesting.  How about:  A random string is the
> >> hardest password to guess.
> >
> >
> > I disagree.  There is the chance (albeit very slim to none) that a
> > random string can produce a password such as '1234', which can be easily
> > cracked.
>
> I thought about that too, but the thing is, if the would-be cracker knows
> that it is a random string (and he would know if that was the design of
> the system), there will be no benefit to his guessing first things like
> "1234," but if he knows that you have disallowed things like "1234", then
> you have helped him by cutting back on the number of things he must guess.
>
> So when using random strings you would *not* want to have rules like "must
> include both upper case and lower case letters, digits and non-alphanumeric
> characters," because that rule would help a brute-force attacker.
>
> Mike
>

This is a good point.  But most brute force attacks are done using common
passwords across many hosts (typically from worms).  If you have constraints
put in place that are wide enough, the number of password permutations is
still astronomical, with the chance of weak passwords being produced
eliminated.  Though, it's a good idea all around to disable login access for
the root account, as well as any other accounts you do not want logging in.

Andy
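A worked calculation of the point Mike raises above (a "must include every character class" rule removes candidates from the search space). This is an added example, not code from the thread or from anyone on it. It assumes a 94-character alphabet (ASCII letters, digits and Python's `string.punctuation`) and counts, by inclusion-exclusion, how many strings of a given length satisfy the composition rule versus how many exist in total, expressing the difference in bits of entropy. The class names, function names and the alphabet choice are this example's own assumptions.

```python
import math
import secrets
import string
from itertools import combinations

# Assumed character classes; 26 + 26 + 10 + 32 = 94 symbols in total.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = string.punctuation
CLASSES = [LOWER, UPPER, DIGITS, SYMBOLS]
ALPHABET = "".join(CLASSES)


def count_all(length, alphabet=ALPHABET):
    """Number of strings of the given length over the full alphabet."""
    return len(alphabet) ** length


def count_with_all_classes(length, classes=CLASSES):
    """Number of strings of the given length that contain at least one
    character from every class, computed by inclusion-exclusion: start with
    all strings, subtract those missing each single class, add back those
    missing each pair, and so on."""
    total = 0
    n = len(classes)
    for k in range(n + 1):
        for excluded in combinations(range(n), k):
            remaining = sum(len(c) for i, c in enumerate(classes)
                            if i not in excluded)
            total += (-1) ** k * remaining ** length
    return total


def entropy_bits(count):
    """Guessing entropy (bits) of a uniform choice among `count` strings."""
    return math.log2(count)


def entropy_loss_bits(length):
    """Bits the attacker no longer has to search once the composition rule is
    known, i.e. the entropy of the unconstrained space minus the entropy of
    the constrained one."""
    return (entropy_bits(count_all(length))
            - entropy_bits(count_with_all_classes(length)))


def generate_random(length):
    """Uniform random string over the alphabet, with no composition rule,
    using the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def satisfies_rule(password, classes=CLASSES):
    """True if the password contains at least one character of every class."""
    return all(any(ch in c for ch in password) for c in classes)


if __name__ == "__main__":
    for length in (4, 8, 12, 16):
        print(f"length {length:2d}: "
              f"{entropy_bits(count_all(length)):6.2f} bits unconstrained, "
              f"rule removes {entropy_loss_bits(length):5.2f} bits")
    pw = generate_random(16)
    print(f"sample random 16-char string satisfies rule: {satisfies_rule(pw)}")
```

The loss is large for short strings (nearly four bits at length 4, where only one string in fifteen meets the rule) and shrinks as the length grows, because a long uniformly random string almost always contains every class anyway. That is the practical takeaway: with truly random strings the rule buys nothing against a brute-force attacker who knows it, so length is the knob to turn, not composition.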