Robatoy

21/01/2010 2:26 PM

OT: Passwords

From some damn site or another:

===============================

Most of us routinely use passwords so simple, a monkey could figure
them out. In fact, “monkey” is one of our favourites.

Amichai Shulman is the chief technology officer at Imperva, which
makes software for thwarting hackers. Recently, he undertook a study
of 32 million passwords stolen by an unknown hacker from Rockyou!, an
online service that makes widgets for social networking sites like
Facebook.

The list is depressing testimony to our collective lack of creativity
in the arena of personal security.

“I guess it’s just a flaw in human genetics,” Shulman told the New
York Times.

Bottom line, if your password is your first name and your secret first
name isn’t NEhBuT3W4l.6, better think about making a switch.

Here they are, listed 1 through 32, in order of popularity:

1. 123456

2. 12345

3. 123456789

4. password

5. iloveyou

6. princess

7. rockyou

8. 1234567

9. 12345678

10. abc123

11. nicole

12. daniel

13. babygirl

14. monkey

15. jessica

16. lovely

17. michael

18. ashley

19. 654321

20. qwerty

21. iloveu

22. michelle

23. 111111

24. 0

25. tigger

26. password1

27. sunshine

28. chocolate

29. anthony

30. angel

31. FRIENDS (yes, all caps)

32. soccer

===================================

A password like mine: HHffrT56 is much harder to figure out and will
remain a secret forever.


This topic has 25 replies

"Max"

in reply to Robatoy on 21/01/2010 2:26 PM

21/01/2010 6:50 PM

"Joe" <[email protected]> wrote in message
news:[email protected]...
>
> "Stuart" <[email protected]> wrote in message
> news:[email protected]...
>> In article
>> <0eece06c-8752-4417-838d-5b0bda8764b7@k17g2000yqh.googlegroups.com>,
>> Robatoy <[email protected]> wrote:
>>> I also don't have the right address entered as 'Home' into any of our
>>> GPS's.
>>
>> Follow my GPS home and you'll find yourself inside the compound at our
>> local police station!
>>
>
> *Good* Idea! I love it. Mine is blank, but I like your idea much better.
>
> Jc


Being a retired fire chief, I used the nearest fire station.

Max

Puckdropper

in reply to Robatoy on 21/01/2010 2:26 PM

22/01/2010 8:06 AM

[email protected] wrote in news:208il59musrj5tqe57bim3unth16ghd4qt@
4ax.com:

> How about W1LL R0ger5, or J0nn1e M00re, or D@v1d , or some other
> combination that "spells" the name.
>
> Another good one is using the first letters of the words of a phrase,
> song first line, or poem, again using 1 for i, 0 for o, etc when
> possible.
> tebgtw (the early bird gets the worm), or h0tr (home on the range) or
> wg2s02ls (we get too soon old too late smart)
>
> Easy enough for YOU to remember, but awfully hard to crack.
>

Someone suggested a simple algorithm: Pick a letter and a direction. Go
for a short distance then change directions. So if you pick S right, you
get passwords like sdfgr45, 4RFde3 etc

Random enough to satisfy most programs, but simple to remember (unless you
switch keyboard layouts lol).

Puckdropper

Robatoy

in reply to Robatoy on 21/01/2010 2:26 PM

21/01/2010 3:26 PM

On Jan 21, 5:40 pm, Swingman <[email protected]> wrote:
> On 1/21/2010 4:26 PM, Robatoy wrote:
>
> > From some damn site or another:
>
> > ===============================
>
> > Most of us routinely use passwords so simple, a monkey could figure
> > them out. In fact, “monkey” is one of our favourites.
>
> > A password like mine: HHffrT56 is much harder to figure out and will
> > remain a secret forever.
>
> <g> ...
>
> Thanks to Leon I now use Roboform to generate a password for every site
> and account ... for some reason I have in excess of 104 passworded
> accounts ... damn things breed like rabbets. ;)
>
> Easy to change the key ones every month or so and only have to remember
> one ... also good protection against keyloggers.
>
> --www.e-woodshop.net
> Last update: 10/22/08
> KarlC@ (the obvious)

There are several things that never have, nor will ever be entered
into my keyboard. SIN being one of them.
I also don't have the right address entered as 'Home' into any of our
GPS's.
I mean... how stupid is that? A key-fob with the car's make and
ability to open its doors, then directions to your house from your GPS
and keys to get into the house. When you lose your keys, you might as
well give the perp a ride over and help him carry your shiat out to
your car and wave goodbye to him. There also isn't a listing for
'Home' on my phone.
The pub owner knows where I live... who else needs to know? <G> I'm
one of his bigger shareholders, he'll take good care of me.

c

in reply to Robatoy on 21/01/2010 2:26 PM

21/01/2010 10:55 PM

On Thu, 21 Jan 2010 14:26:54 -0800 (PST), Robatoy
<[email protected]> wrote:

>From some damn site or another:
>
>===============================
>
>Most of us routinely use passwords so simple, a monkey could figure
>them out. In fact, “monkey” is one of our favourites.
>
>Amichai Shulman is the chief technology officer at Imperva, which
>makes software for thwarting hackers. Recently, he undertook a study
>of 32 million passwords stolen by an unknown hacker from Rockyou!, an
>online service that makes widgets for social networking sites like
>Facebook.
>
>The list is depressing testimony to our collective lack of creativity
>in the arena of personal security.
>
>“I guess it’s just a flaw in human genetics,” Shulman told the New
>York Times.
>
>Bottom line, if your password is your first name and your secret first
>name isn’t NEhBuT3W4l.6, better think about making a switch.
>
>Here they are, listed 1 through 32, in order of popularity:
>
>1. 123456
>
>2. 12345
>
>3. 123456789
>
>4. password
>
>5. iloveyou
>
>6. princess
>
>7. rockyou
>
>8. 1234567
>
>9. 12345678
>
>10. abc123
>
>11. nicole
>
>12. daniel
>
>13. babygirl
>
>14. monkey
>
>15. jessica
>
>16. lovely
>
>17. michael
>
>18. ashley
>
>19. 654321
>
>20. qwerty
>
>21. iloveu
>
>22. michelle
>
>23. 111111
>
>24. 0
>
>25. tigger
>
>26. password1
>
>27. sunshine
>
>28. chocolate
>
>29. anthony
>
>30. angel
>
>31. FRIENDS (yes, all caps)
>
>32. soccer
>
>===================================
>
>A password like mine: HHffrT56 is much harder to figure out and will
>remain a secret forever.

How about W1LL R0ger5, or J0nn1e M00re, or D@v1d , or some other
combination that "spells" the name.

Another good one is using the first letters of the words of a phrase,
song first line, or poem, again using 1 for i, 0 for o, etc when
possible.
tebgtw (the early bird gets the worm), or h0tr (home on the range) or
wg2s02ls (we get too soon old too late smart)

Easy enough for YOU to remember, but awfully hard to crack.
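Added example, not code from any of the posts: a screening check that normalizes a candidate the way a cracker's mangling rules do (lowercase, strip trailing digits, undo the 1/0/@/5/$ substitutions suggested in this reply and the thread) before comparing it with the top-32 list quoted in the original post, and reports a rough search-space estimate from the character classes used. The list and the substitutions come from the thread; the extra 3/4/7 substitutions and the 33-character "other printable" class are my assumptions.

```python
import math
import re

# The 32 most common RockYou passwords as listed in the original post
# (lowercased here because matching is case-insensitive: "FRIENDS" -> "friends").
ROCKYOU_TOP32 = frozenset([
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "jessica", "lovely", "michael", "ashley",
    "654321", "qwerty", "iloveu", "michelle", "111111", "0", "tigger",
    "password1", "sunshine", "chocolate", "anthony", "angel", "friends",
    "soccer",
])

# Substitutions a rule-based cracker undoes first.  1/0/@/5/$ are the ones
# the thread recommends; 3/4/7 are added here as an assumption.
LEET = str.maketrans({"1": "i", "0": "o", "@": "a", "5": "s", "$": "s",
                      "3": "e", "4": "a", "7": "t"})


def candidate_forms(password):
    """Normalized forms a cracker would try: lowercase, trailing digits
    stripped, leet undone, and spaces/punctuation removed."""
    low = password.lower()
    no_digits = re.sub(r"\d+$", "", low)          # "qwerty123" -> "qwerty"
    forms = set()
    for base in (low, no_digits):
        forms.add(base)
        forms.add(base.translate(LEET))            # "m0nkey" -> "monkey"
        forms.add(re.sub(r"[^a-z0-9]", "", base.translate(LEET)))  # "w1ll r0ger5" -> "willrogers"
    return {f for f in forms if f}


def search_space_bits(password):
    """Rough brute-force search space in bits, assuming the attacker knows
    which classes were used: 26 lower, 26 upper, 10 digits, 33 other
    printable ASCII (space and punctuation)."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def assess(password):
    """Screen one candidate: does any normalized form hit the top-32 list,
    and how large is the space an attacker must otherwise search?"""
    hits = sorted(candidate_forms(password) & ROCKYOU_TOP32)
    return {
        "blocked": bool(hits),
        "matched": hits[0] if hits else None,
        "bits": round(search_space_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed samples: list entries with the substitutions the replies
    # recommend, plus the two "strong" examples quoted in the thread.
    for pw in ("password1", "M0nkey", "pr1nce55", "D@v1d", "FRIENDS",
               "tebgtw", "HHffrT56", "NEhBuT3W4l.6"):
        print(f"{pw:14} {assess(pw)}")
```

The point for a defender: leet-speak and a trailing digit add nothing once the base word is on a breach list, and a six-letter phrase-initial string like tebgtw sits around 28 bits, far below the 8-character mixed-case example.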

"Joe"

in reply to Robatoy on 21/01/2010 2:26 PM

22/01/2010 12:12 AM


"Stuart" <[email protected]> wrote in message
news:[email protected]...
> In article
> <0eece06c-8752-4417-838d-5b0bda8764b7@k17g2000yqh.googlegroups.com>,
> Robatoy <[email protected]> wrote:
>> I also don't have the right address entered as 'Home' into any of our
>> GPS's.
>
> Follow my GPS home and you'll find yourself inside the compound at our
> local police station!
>

*Good* Idea! I love it. Mine is blank, but I like your idea much better.

Jc

Stuart

in reply to Robatoy on 21/01/2010 2:26 PM

21/01/2010 11:37 PM

In article
<0eece06c-8752-4417-838d-5b0bda8764b7@k17g2000yqh.googlegroups.com>,
Robatoy <[email protected]> wrote:
> I also don't have the right address entered as 'Home' into any of our
> GPS's.

Follow my GPS home and you'll find yourself inside the compound at our
local police station!

Stuart

in reply to Robatoy on 21/01/2010 2:26 PM

22/01/2010 10:15 AM

In article <[email protected]>,
Larry Blanchard <[email protected]> wrote:
> Some ISPs allow special characters. They can make an otherwise simple
> password a lot more complex.

I recall one place I was signing up for something where they would only
allow alpha characters for your password. I was mightily annoyed.

"Larry C"

in reply to Robatoy on 21/01/2010 2:26 PM

22/01/2010 4:36 PM


"Jeff Gorman" <[email protected]> wrote in message
news:[email protected]...
>

The deal is, if you require passwords that are too easy, they can be hacked
easily. If you require complex passwords, the easiest way to get into a
system is to look for the sticky note with the passwords on it. To prove
that point at an investment company I was consulting at, the head of network
security went around after hours and took all of the sticky notes off of the
monitors. Most people could not log in to the systems the next morning until
they saw him.

What I learned is to use a sentence or a saying and create the password from
it.

I live at 51 Main Street Boston MA -> Il@51MSBMA

or Debbie and Sue and Donna are my daughters names -> D&S&Damdn

Larry C

krw

in reply to Robatoy on 21/01/2010 2:26 PM

24/01/2010 6:54 PM

On Sun, 24 Jan 2010 17:34:24 -0600, [email protected]
(Robert Bonomi) wrote:

>In article <[email protected]>,
>krw <[email protected]> wrote:
>>On Sun, 24 Jan 2010 17:05:59 -0600, [email protected]
>>(Robert Bonomi) wrote:
>>
>>>In article <[email protected]>,
>>>Mark & Juanita <[email protected]> wrote:
>>>>Robert Bonomi wrote:
>>>>
>>>>> In article
>>>>> <cbd62152-c0c1-4378-bebf-85ab2dce6d1a@l19g2000yqb.googlegroups.com>,
>>>>> Robatoy <[email protected]> wrote:
>>>>>>From some damn site or another:
>>>>>>
>>>>>>===============================
>>>>>>
>>>>>>Most of us routinely use passwords so simple, a monkey could figure
>>>>>>them out. In fact, “monkey” is one of our favourites.
>>>>>>
>>>>>>Here they are, listed 1 through 32, in order of popularity:
>>>>>>
>>>>>>1. 123456
>>>>>>
>>>>>>2. 12345
>>>>>>
>>>>>>3. 123456789
>>>>>>
>>>>>>....
>>>>>>
>>>>>>===================================
>>>>>>
>>>>>>A password like mine: HHffrT56 is much harder to figure out and will
>>>>>>remain a secret forever.
>>>>>
>>>>>
>>>>> Then there was the password:
>>>>> MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento
>>>>>
>>>>> Credit where credit is due, the blonde using it _was_ simply following the
>>>>> rules "a password must have 8 characters and 1 capital."
>>>>
>>>> ... and that would still fail certain agencies' password rules because it
>>>>does not have any non-alpha characters in it.
>>>>
>>>>/not kidding
>>
>>MickeyMinniePlutoHueyLouieDeweyDonaldGoofy$acramento
>>
>>>Yawp. I *know*. In such situations, I've been known to use a password
>>>consisting of 1 upper-case letter, 1 lower-case letter, and 8 _space_ characters.
>>>
>>>In at least one instance the in-house 'tiger team' went back and re-implemented
>>>their password cracker when they found out what I was doing.
>>>
>>>Really _good_ password systems allow _any_ character as part of the 'password',
>>>including things like 'backspace'. This increases the 'search space' that the
>>>attacker (using a password cracker) has to probe *immensely*, has very good
>>>odds of fooling someone who is watching it typed in, and numerous other
>>>advantages.
>>>
>>>One of the -best- systems I saw:
>>> prompted for a password,
>>> then, no matter _what_ you entered, responded "invalid",
>>> prompted again,
>>> and again, no matter _what_ you entered, responded "invalid",
>>> prompted a third time
>>> checked that response for minimum acceptable length, but otherwise ignored it,
>>> and let you in _if_and_only_ the first two attempts (a) matched, and (b)
>>> were the correct password.
>>>
>>>*Amazingly* effective against those who didn't have inside knowledge about how
>>>the system worked.
>>>
>>Security through obscurity isn't security at all.
>
>"Yahbut" applies. Obscurity _on_top_of_ good quality fundamentals *does*
>make life more difficult for the outside attacker.
>
>Obscurity, _in_and_of_itself_, cannot be relied on to ensure security.
>
>Obscurity, in the form of 'misdirection' especially, _can_ be effective in
>causing _most_ attackers to waste their efforts in a direction that _cannot_
>succeed.

But without the underlying security, obscurity isn't of any use. If
the underlying system is secure, the obscure has no function other
than to piss off legitimate users, which will tend to reduce security
(e.g. silly PW rules will tend to cause PWs to be written on Postit
notes). OTOH, some obscurity will completely compromise any security
that's there (e.g. the key under the third rock from the left).

In any case, a system should withstand a reasonable attack if all of
the rules (and even the software) are openly published. Indeed,
open-kimono can improve security by exposing holes more readily. In
the end, obscurity is only a thin blanket for the lack of security.

[email protected] (Robert Bonomi)

in reply to Robatoy on 21/01/2010 2:26 PM

24/01/2010 5:05 PM

In article <[email protected]>,
Mark & Juanita <[email protected]> wrote:
>Robert Bonomi wrote:
>
>> In article
>> <cbd62152-c0c1-4378-bebf-85ab2dce6d1a@l19g2000yqb.googlegroups.com>,
>> Robatoy <[email protected]> wrote:
>>>From some damn site or another:
>>>
>>>===============================
>>>
>>>Most of us routinely use passwords so simple, a monkey could figure
>>>them out. In fact, “monkey” is one of our favourites.
>>>
>>>Here they are, listed 1 through 32, in order of popularity:
>>>
>>>1. 123456
>>>
>>>2. 12345
>>>
>>>3. 123456789
>>>
>>>....
>>>
>>>===================================
>>>
>>>A password like mine: HHffrT56 is much harder to figure out and will
>>>remain a secret forever.
>>
>>
>> Then there was the password:
>> MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento
>>
>> Credit where credit is due, the blonde using it _was_ simply following the
>> rules "a password must have 8 characters and 1 capital."
>
> ... and that would still fail certain agencies' password rules because it
>does not have any non-alpha characters in it.
>
>/not kidding

Yawp. I *know*. In such situations, I've been known to use a password
consisting of 1 upper-case letter, 1 lower-case letter, and 8 _space_ characters.

In at least one instance the in-house 'tiger team' went back and re-implemented
their password cracker when they found out what I was doing.

Really _good_ password systems allow _any_ character as part of the 'password',
including things like 'backspace'. This increases the 'search space' that the
attacker (using a password cracker) has to probe *immensely*, has very good
odds of fooling someone who is watching it typed in, and numerous other
advantages.

One of the -best- systems I saw:
prompted for a password,
then, no matter _what_ you entered, responded "invalid",
prompted again,
and again, no matter _what_ you entered, responded "invalid",
prompted a third time
checked that response for minimum acceptable length, but otherwise ignored it,
and let you in _if_and_only_ the first two attempts (a) matched, and (b)
were the correct password.

*Amazingly* effective against those who didn't have inside knowledge about how
the system worked.

willshak

in reply to Robatoy on 21/01/2010 2:26 PM

21/01/2010 5:58 PM

Robatoy wrote the following:
> From some damn site or another:
>
> ===============================
>
> Most of us routinely use passwords so simple, a monkey could figure
> them out. In fact, “monkey” is one of our favourites.
>
> Amichai Shulman is the chief technology officer at Imperva, which
> makes software for thwarting hackers. Recently, he undertook a study
> of 32 million passwords stolen by an unknown hacker from Rockyou!, an
> online service that makes widgets for social networking sites like
> Facebook.
>
> The list is depressing testimony to our collective lack of creativity
> in the arena of personal security.
>
> “I guess it’s just a flaw in human genetics,” Shulman told the New
> York Times.
>
> Bottom line, if your password is your first name and your secret first
> name isn’t NEhBuT3W4l.6, better think about making a switch.
>
> Here they are, listed 1 through 32, in order of popularity:
>
> 1. 123456
>
> 2. 12345
>
> 3. 123456789
>
> 4. password
>
> 5. iloveyou
>
> 6. princess
>
> 7. rockyou
>
> 8. 1234567
>
> 9. 12345678
>
> 10. abc123
>
> 11. nicole
>
> 12. daniel
>
> 13. babygirl
>
> 14. monkey
>
> 15. jessica
>
> 16. lovely
>
> 17. michael
>
> 18. ashley
>
> 19. 654321
>
> 20. qwerty
>
> 21. iloveu
>
> 22. michelle
>
> 23. 111111
>
> 24. 0
>
> 25. tigger
>
> 26. password1
>
> 27. sunshine
>
> 28. chocolate
>
> 29. anthony
>
> 30. angel
>
> 31. FRIENDS (yes, all caps)
>
> 32. soccer
>
> ===================================
>
> A password like mine: HHffrT56 is much harder to figure out and will
> remain a secret forever.
>
Even from the user.
How do you remember all the passwords for various sites that you may
have to sign into?
Get a sheet of paper tacked on the wall with all the usernames and
passwords, like I do?

--

Bill
In Hamptonburgh, NY
In the original Orange County. Est. 1683
To email, remove the double zeroes after @

"Joe"

in reply to Robatoy on 21/01/2010 2:26 PM

21/01/2010 11:32 PM


"Robatoy" <[email protected]> wrote in message
news:cbd62152-c0c1-4378-bebf-85ab2dce6d1a@l19g2000yqb.googlegroups.com...
From some damn site or another:

===============================

Most of us routinely use passwords so simple, a monkey could figure
them out. In fact, “monkey” is one of our favourites.

Amichai Shulman is the chief technology officer at Imperva, which
makes software for thwarting hackers. Recently, he undertook a study
of 32 million passwords stolen by an unknown hacker from Rockyou!, an
online service that makes widgets for social networking sites like
Facebook.

The list is depressing testimony to our collective lack of creativity
in the arena of personal security.

“I guess it’s just a flaw in human genetics,” Shulman told the New
York Times.

Bottom line, if your password is your first name and your secret first
name isn’t NEhBuT3W4l.6, better think about making a switch.

Here they are, listed 1 through 32, in order of popularity:

1. 123456


That reminds me, I have to go change the combination lock on my luggage.

jc

Swingman

in reply to Robatoy on 21/01/2010 2:26 PM

24/01/2010 5:40 PM

On 1/24/2010 5:34 PM, Robert Bonomi wrote:
> In article<[email protected]>,
> krw<[email protected]> wrote:
>> On Sun, 24 Jan 2010 17:05:59 -0600, [email protected]
>> (Robert Bonomi) wrote:
>>
>>> In article<[email protected]>,
>>> Mark& Juanita<[email protected]> wrote:
>>>> Robert Bonomi wrote:
>>>>
>>>>> In article
>>>>> <cbd62152-c0c1-4378-bebf-85ab2dce6d1a@l19g2000yqb.googlegroups.com>,
>>>>> Robatoy<[email protected]> wrote:
>>>>> > From some damn site or another:
>>>>>>
>>>>>> ===============================
>>>>>>
>>>>>> Most of us routinely use passwords so simple, a monkey could figure
>>>>>> them out. In fact, “monkey” is one of our favourites.
>>>>>>
>>>>>> Here they are, listed 1 through 32, in order of popularity:
>>>>>>
>>>>>> 1. 123456
>>>>>>
>>>>>> 2. 12345
>>>>>>
>>>>>> 3. 123456789
>>>>>>
>>>>>> ....
>>>>>>
>>>>>> ===================================
>>>>>>
>>>>>> A password like mine: HHffrT56 is much harder to figure out and will
>>>>>> remain a secret forever.
>>>>>
>>>>>
>>>>> Then there was the password:
>>>>> MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento
>>>>>
>>>>> Credit where credit is due, the blonde using it _was_ simply following the
>>>>> rules "a password must have 8 characters and 1 capital."
>>>>
>>>> ... and that would still fail certain agencies' password rules because it
>>>> does not have any non-alpha characters in it.
>>>>
>>>> /not kidding
>>
>> MickeyMinniePlutoHueyLouieDeweyDonaldGoofy$acramento
>>
>>> Yawp. I *know*. In such situations, I've been known to use a password
>>> consisting of 1 upper-case letter, 1 lower-case letter, and 8 _space_ characters.
>>>
>>> In at least one instance the in-house 'tiger team' went back and re-implemented
>>> their password cracker when they found out what I was doing.
>>>
>>> Really _good_ password systems allow _any_ character as part of the 'password',
>>> including things like 'backspace'. This increases the 'search space' that the
>>> attacker (using a password cracker) has to probe *immensely*, has very good
>>> odds of fooling someone who is watching it typed in, and numerous other
>>> advantages.
>>>
>>> One of the -best- systems I saw:
>>> prompted for a password,
>>> then, no matter _what_ you entered, responded "invalid",
>>> prompted again,
>>> and again, no matter _what_ you entered, responded "invalid",
>>> prompted a third time
>>> checked that response for minimum acceptable length, but otherwise ignored it,
>>> and let you in _if_and_only_ the first two attempts (a) matched, and (b)
>>> were the correct password.
>>>
>>> *Amazingly* effective against those who didn't have inside knowledge about how
>>> the system worked.
>>>
>> Security through obscurity isn't security at all.
>
> "Yahbut" applies. Obscurity _on_top_of_ good quality fundamentals *does*
> make life more difficult for the outside attacker.
>
> Obscurity, _in_and_of_itself_, cannot be relied on to ensure security.
>
> Obscurity, in the form of 'misdirection' especially, _can_ be effective in
> causing _most_ attackers to waste their efforts in a direction that _cannot_
> succeed.

And, like those "hidden" devices that are so out in the open that damn
few would ever look into, like the dummy wall receptacle "bank" with a
plug running to a lamp, that works.

--
www.e-woodshop.net
Last update: 10/22/08
KarlC@ (the obvious)

"Jeff Gorman"

in reply to Robatoy on 21/01/2010 2:26 PM

22/01/2010 8:51 AM


"Robatoy" <[email protected]> wrote

A password like mine: HHffrT56 is much harder to figure out and will
remain a secret forever.

And what's your bank account number please?

Jeff, only joking!


--
Jeff Gorman, West Yorkshire, UK
email : Username is amgron
ISP is clara.co.uk
www.amgron.clara.net

Swingman

in reply to Robatoy on 21/01/2010 2:26 PM

21/01/2010 4:40 PM

On 1/21/2010 4:26 PM, Robatoy wrote:
> From some damn site or another:
>
> ===============================
>
> Most of us routinely use passwords so simple, a monkey could figure
> them out. In fact, “monkey” is one of our favourites.

>
> A password like mine: HHffrT56 is much harder to figure out and will
> remain a secret forever.

<g> ...

Thanks to Leon I now use Roboform to generate a password for every site
and account ... for some reason I have in excess of 104 passworded
accounts ... damn things breed like rabbets. ;)

Easy to change the key ones every month or so and only have to remember
one ... also good protection against keyloggers.

--
www.e-woodshop.net
Last update: 10/22/08
KarlC@ (the obvious)

j

in reply to Robatoy on 21/01/2010 2:26 PM

22/01/2010 7:00 PM

How many 'sites' (or whatever) are so critical that you need an NSA-style
password?


The dozen or so that _are_ critical can be remembered, yes?
I back 'em up on a text file in the thumb drive in my pocket.

The only way you get it is to kill me ...and then I don't care any more,
eh?

Mark & Juanita

in reply to Robatoy on 21/01/2010 2:26 PM

24/01/2010 3:40 PM

Robert Bonomi wrote:

> In article
> <cbd62152-c0c1-4378-bebf-85ab2dce6d1a@l19g2000yqb.googlegroups.com>,
> Robatoy <[email protected]> wrote:
>>From some damn site or another:
>>
>>===============================
>>
>>Most of us routinely use passwords so simple, a monkey could figure
>>them out. In fact, “monkey” is one of our favourites.
>>
>>Here they are, listed 1 through 32, in order of popularity:
>>
>>1. 123456
>>
>>2. 12345
>>
>>3. 123456789
>>
>>....
>>
>>===================================
>>
>>A password like mine: HHffrT56 is much harder to figure out and will
>>remain a secret forever.
>
>
> Then there was the password:
> MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento
>
> Credit where credit is due, the blonde using it _was_ simply following the
> rules "a password must have 8 characters and 1 capital."

... and that would still fail certain agencies' password rules because it
does not have any non-alpha characters in it.

/not kidding

--

There is never a situation where having more rounds is a disadvantage

Rob Leatham

[email protected] (Doug Miller)

in reply to Robatoy on 21/01/2010 2:26 PM

22/01/2010 3:12 AM

In article <[email protected]>, willshak <[email protected]> wrote:

>How do you remember all the passwords for various sites that you may
>have to sign into?
>Get a sheet of paper tacked on the wall with all the usernames and
>passwords, like I do?

I have a file on my computer that lists various passwords, in a form that's
intelligible to me -- things like "my street address as a child: ####dSCs" so
for example if I had grown up at 3141 North Main Street, Boise Idaho, the
password would be 3141nMBi (dsCS = direction, Street, City, state). That sort
of stuff is trivially easy to remember, but nearly impossible to deduce.

Once worked with a sysadmin who set the root password on his system to MHPNSW3
("My Home Phone Number Starts With 3"). Again, trivially easy to remember,
nearly impossible to deduce.

"J. Clarke"

in reply to Robatoy on 21/01/2010 2:26 PM

22/01/2010 7:39 PM

[email protected] wrote:
> On Thu, 21 Jan 2010 14:26:54 -0800 (PST), Robatoy
> <[email protected]> wrote:
>
>> From some damn site or another:
>>
>> ===============================
>>
>> Most of us routinely use passwords so simple, a monkey could figure
>> them out. In fact, “monkey” is one of our favourites.
>>
>> Amichai Shulman is the chief technology officer at Imperva, which
>> makes software for thwarting hackers. Recently, he undertook a study
>> of 32 million passwords stolen by an unknown hacker from Rockyou!, an
>> online service that makes widgets for social networking sites like
>> Facebook.
>>
>> The list is depressing testimony to our collective lack of creativity
>> in the arena of personal security.
>>
>> “I guess it’s just a flaw in human genetics,” Shulman told the New
>> York Times.
>>
>> Bottom line, if your password is your first name and your secret
>> first name isn’t NEhBuT3W4l.6, better think about making a switch.
>>
>> Here they are, listed 1 through 32, in order of popularity:
>>
>> 1. 123456
>>
>> 2. 12345
>>
>> 3. 123456789
>>
>> 4. password
>>
>> 5. iloveyou
>>
>> 6. princess
>>
>> 7. rockyou
>>
>> 8. 1234567
>>
>> 9. 12345678
>>
>> 10. abc123
>>
>> 11. nicole
>>
>> 12. daniel
>>
>> 13. babygirl
>>
>> 14. monkey
>>
>> 15. jessica
>>
>> 16. lovely
>>
>> 17. michael
>>
>> 18. ashley
>>
>> 19. 654321
>>
>> 20. qwerty
>>
>> 21. iloveu
>>
>> 22. michelle
>>
>> 23. 111111
>>
>> 24. 0
>>
>> 25. tigger
>>
>> 26. password1
>>
>> 27. sunshine
>>
>> 28. chocolate
>>
>> 29. anthony
>>
>> 30. angel
>>
>> 31. FRIENDS (yes, all caps)
>>
>> 32. soccer
>>
>> ===================================
>>
>> A password like mine: HHffrT56 is much harder to figure out and will
>> remain a secret forever.
>
> How about W1LL R0ger5, or J0nn1e M00re, or D@v1d , or some other
> combination that "spells" the name.
>
> Another good one is using the first letters of the words of a phrase,
> song first line, or poem, again using 1 for i, 0 for o, etc when
> possible.
> tebgtw (the early bird gets the worm), or h0tr (home on the range) or
> wg2s02ls (we get too soon old too late smart)
>
> Easy enough for YOU to remember, but awfully hard to crack.

Then there was the guy I used to work with who used
"thetreeofevilbearsbitterfruit".

krw

in reply to Robatoy on 21/01/2010 2:26 PM

24/01/2010 5:23 PM

On Sun, 24 Jan 2010 17:05:59 -0600, [email protected]
(Robert Bonomi) wrote:

>In article <[email protected]>,
>Mark & Juanita <[email protected]> wrote:
>>Robert Bonomi wrote:
>>
>>> In article
>>> <cbd62152-c0c1-4378-bebf-85ab2dce6d1a@l19g2000yqb.googlegroups.com>,
>>> Robatoy <[email protected]> wrote:
>>>>From some damn site or another:
>>>>
>>>>===============================
>>>>
>>>>Most of us routinely use passwords so simple, a monkey could figure
>>>>them out. In fact, “monkey” is one of our favourites.
>>>>
>>>>Here they are, listed 1 through 32, in order of popularity:
>>>>
>>>>1. 123456
>>>>
>>>>2. 12345
>>>>
>>>>3. 123456789
>>>>
>>>>....
>>>>
>>>>===================================
>>>>
>>>>A password like mine: HHffrT56 is much harder to figure out and will
>>>>remain a secret forever.
>>>
>>>
>>> Then there was the password:
>>> MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento
>>>
>>> Credit where credit is due, the blonde using it _was_ simply following the
>>> rules "a password must have 8 characters and 1 capital."
>>
>> ... and that would still fail certain agencies' password rules because it
>>does not have any non-alpha characters in it.
>>
>>/not kidding

MickeyMinniePlutoHueyLouieDeweyDonaldGoofy$acramento

>Yawp. I *know*. In such situations, I've been known to use a password
>consisting of 1 upper-case letter, 1 lower-case letter, and 8 _space_ characters.
>
>In at least one instance the in-house 'tiger team' went back and re-implemented
>their password cracker when they found out what I was doing.
>
>Really _good_ password systems allow _any_ character as part of the 'password',
>including things like 'backspace'. This increases the 'search space' that the
>attacker (using a password cracker) has to probe *immensely*, has very good
>odds of fooling someone who is watching it typed in, and numerous other
>advantages.
>
>One of the -best- systems I saw:
> prompted for a password,
> then, no matter _what_ you entered, responded "invalid",
> prompted again,
> and again, no matter _what_ you entered, responded "invalid",
> prompted a third time
> checked that response for minimum acceptable length, but otherwise ignored it,
> and let you in _if_and_only_ the first two attempts (a) matched, and (b)
> were the correct password.
>
>*Amazingly* effective against those who didn't have inside knowledge about how
>the system worked.
>
Security through obscurity isn't security at all.

Larry Jaques

in reply to Robatoy on 21/01/2010 2:26 PM

22/01/2010 9:19 PM

On Fri, 22 Jan 2010 08:51:17 -0000, the infamous "Jeff Gorman"
<[email protected]> scrawled the following:

>
>"Robatoy" <[email protected]> wrote
>
>A password like mine: HHffrT56 is much harder to figure out and will
>remain a secret forever.
>
>And what's your bank account number please?
>
>Jeff, only joking!

You're such a nice lad, Jeff, I'm only too glad to oblige:

Social Security number
Bank account number
Bank pin number
Bank name and address

123-45-6789

32/1127-1234567890

1234

First Bank of Nigeria
1 Teslim Balogun Stadium Rd
Lagos, Nigeria


Thank you! Please send my $27,000,000 today!

--
The greatest fine art of the future will be the making
of a comfortable living from a small piece of land.
--Abraham Lincoln

Larry Blanchard

in reply to Robatoy on 21/01/2010 2:26 PM

21/01/2010 9:38 PM

On Fri, 22 Jan 2010 03:12:16 +0000, Doug Miller wrote:

> In article <[email protected]>, willshak
> <[email protected]> wrote:
>
>>How do you remember all the passwords for various sites that you may
>>have to sign into?
>>Get a sheet of paper tacked on the wall with all the usernames and
>>passwords, like I do?
>
> I have a file on my computer that lists various passwords, in a form
> that's intelligible to me -- things like "my street address as a child:
> ####dSCs" so for example if I had grown up at 3141 North Main Street,
> Boise Idaho, the password would be 3141nMBi (dsCS = direction, Street,
> City, state). That sort of stuff is trivially easy to remember, but
> nearly impossible to deduce.
>
> Once worked with a sysadmin who set the root password on his system to
> MHPNSW3 ("My Home Phone Number Starts With 3"). Again, trivially easy to
> remember, nearly impossible to deduce.

Some ISPs allow special characters. They can make an otherwise simple
password a lot more complex.

--
Intelligence is an experiment that failed - G. B. Shaw

bR

[email protected] (Robert Bonomi)

in reply to Robatoy on 21/01/2010 2:26 PM

24/01/2010 4:25 PM

In article <cbd62152-c0c1-4378-bebf-85ab2dce6d1a@l19g2000yqb.googlegroups.com>,
Robatoy <[email protected]> wrote:
>From some damn site or another:
>
>===============================
>
>Most of us routinely use passwords so simple, a monkey could figure
>them out. In fact, “monkey” is one of our favourites.
>
>Here they are, listed 1 through 32, in order of popularity:
>
>1. 123456
>
>2. 12345
>
>3. 123456789
>
>....
>
>===================================
>
>A password like mine: HHffrT56 is much harder to figure out and will
>remain a secret forever.


Then there was the password:
MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento

Credit where credit is due, the blonde using it _was_ simply following the rules
"a password must have 8 characters and 1 capital."

bR

[email protected] (Robert Bonomi)

in reply to Robatoy on 21/01/2010 2:26 PM

24/01/2010 5:34 PM

In article <[email protected]>,
krw <[email protected]> wrote:
>On Sun, 24 Jan 2010 17:05:59 -0600, [email protected]
>(Robert Bonomi) wrote:
>
>>In article <[email protected]>,
>>Mark & Juanita <[email protected]> wrote:
>>>Robert Bonomi wrote:
>>>
>>>> In article
>>>> <cbd62152-c0c1-4378-bebf-85ab2dce6d1a@l19g2000yqb.googlegroups.com>,
>>>> Robatoy <[email protected]> wrote:
>>>>>From some damn site or another:
>>>>>
>>>>>===============================
>>>>>
>>>>>Most of us routinely use passwords so simple, a monkey could figure
>>>>>them out. In fact, “monkey” is one of our favourites.
>>>>>
>>>>>Here they are, listed 1 through 32, in order of popularity:
>>>>>
>>>>>1. 123456
>>>>>
>>>>>2. 12345
>>>>>
>>>>>3. 123456789
>>>>>
>>>>>....
>>>>>
>>>>>===================================
>>>>>
>>>>>A password like mine: HHffrT56 is much harder to figure out and will
>>>>>remain a secret forever.
>>>>
>>>>
>>>> Then there was the password:
>>>> MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento
>>>>
>>>> Credit where credit is due, the blonde using it _was_ simply following the
>>>> rules "a password must have 8 characters and 1 capital."
>>>
>>> ... and that would still fail certain agencies' password rules because it
>>>does not have any non-alpha characters in it.
>>>
>>>/not kidding
>
>MickeyMinniePlutoHueyLouieDeweyDonaldGoofy$acramento
>
>>Yawp. I *know*. In such situations, I've been known to use a password
>>consisting of 1 upper-case letter, 1 lower-case letter, and 8 _space_ characters.
>>
>>In at least one instance the in-house 'tiger team' went back and re-implemented
>>their password cracker when they found out what I was doing.
>>
>>Really _good_ password systems allow _any_ character as part of the 'password',
>>including things like 'backspace'. This increases the 'search space' that the
>>attacker (using a password cracker) has to probe *immensely*, has very good
>>odds of fooling someone who is watching it typed in, and numerous other
>>advantages.
>>
>>One of the -best- systems I saw:
>> prompted for a password,
>> then, no matter _what_ you entered, responded "invalid",
>> prompted again,
>> and again, no matter _what_ you entered, responded "invalid",
>> prompted a third time
>> checked that response for minimum acceptable length, but otherwise ignored it,
>> and let you in _if_and_only_ the first two attempts (a) matched, and (b)
>> were the correct password.
>>
>>*Amazingly* effective against those who didn't have inside knowledge about how
>>the system worked.
>>
>Security through obscurity isn't security at all.

"Yahbut" applies. Obscurity _on_top_of_ good quality fundamentals *does*
make life more difficult for the outside attacker.

Obscurity, _in_and_of_itself_, cannot be relied on to ensure security.

Obscurity, in the form of 'misdirection' especially, _can_ be effective in
causing _most_ attackers to waste their efforts in a direction that _cannot_
succeed.
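The three-prompt login gate quoted above, as an added example that is not code from anyone in this thread: the misdirection sits on top of a real salted-hash check, which is the point Robert makes about obscurity only helping when the fundamentals are sound. The stored record, the minimum length of 8 and the `scripted` helper that feeds canned answers are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List

# Minimum length applied only to the third (ignored) attempt; the thread
# does not state a value, so 8 is an assumption for this example.
MIN_LEN = 8


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (iteration count sized for a demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_record(password: str) -> Dict[str, bytes]:
    """Constructed per-user record: random salt plus hash of the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def three_prompt_login(record: Dict[str, bytes], prompt: Callable[[str], str]) -> bool:
    """Gate as described in the post: prompt three times, answer 'invalid'
    after the first two no matter what, and accept only if attempts 1 and 2
    match each other AND are the correct password; attempt 3 is checked for
    minimum length and otherwise ignored."""
    first = prompt("Password: ")
    print("invalid")  # deliberate misdirection, independent of the input
    second = prompt("Password: ")
    print("invalid")
    third = prompt("Password: ")
    if len(third) < MIN_LEN:
        return False
    # Constant-time comparisons so timing reveals nothing about the secret.
    same = hmac.compare_digest(first.encode("utf-8"), second.encode("utf-8"))
    correct = hmac.compare_digest(hash_password(first, record["salt"]), record["hash"])
    return same and correct


def scripted(answers: List[str]) -> Callable[[str], str]:
    """Hypothetical stand-in for interactive input: returns canned answers."""
    it = iter(answers)
    return lambda _prompt: next(it)


if __name__ == "__main__":
    rec = make_record("HHffrT56")  # the password from the original post
    print(three_prompt_login(rec, scripted(["HHffrT56", "HHffrT56", "ignored!"])))
```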

sS

[email protected] (Scott Lurndal)

in reply to Robatoy on 21/01/2010 2:26 PM

21/01/2010 11:35 PM

Robatoy <[email protected]> writes:
>From some damn site or another:
>
>===============================
>
>Most of us routinely use passwords so simple, a monkey could figure
>them out. In fact, “monkey” is one of our favourites.
>
>Amichai Shulman is the chief technology officer at Imperva, which
>makes software for thwarting hackers. Recently, he undertook a study
>of 32 million passwords stolen by an unknown hacker from Rockyou!, an
>online service that makes widgets for social networking sites like
>Facebook.

Every year at the SuperComputing conference (SC09 was in Portland in
November), the NOC team places several displays throughout the show
floor showing bandwidth and other usage statistics (particularly for
the Internet2 feeds). One of the displays shows the top 200 passwords
sniffed from non-secure protocols (pop3, imap, ftp, telnet); at
SC09, the majority of the passwords are reasonably complex, but defeated
by using a non-secure transmission protocol.

scott

