[Coco] Mystic BBS

Jeff Teunissen deek at d2dc.net
Mon Sep 30 23:11:47 EDT 2019


On Sun, Sep 29, 2019 at 6:27 PM Gene Heskett <gheskett at shentel.net> wrote:
>
> On Sunday 29 September 2019 16:51:50 Jeff Teunissen wrote:
>
> > Your password requirements are really terrible.
> >
> > "7 characters, 1 capital letter, 3 numbers, 1 symbol" is a very
> > insecure password scheme. It's bad enough that most people will write
> > it down rather than try to remember a password that matches it --
> > while simultaneously being very easy for a computer to guess. It's the
> > opposite of a good password scheme, that being one that a person can
> > memorize easily while being hard to guess.
> >
> > I killed the new user session, it just wasn't worth completing.
> >
> While I disagree with Jeff's way of complaining, I agree with his
> complaint. John the Ripper, a Linux password cracker, can probably find
> that simple a pw in less than a minute.  Open that up to at least 80
> chars, specify the legal chars you can use but don't demand them,
> because every time you restrict, it takes one character out of the try
> pool for a potential cracker.  Use a whole phrase of easy to remember
> words that are NOT related to each other, but because it's whole words,
> it's much easier for you to remember without ever writing it down.
>
> I would think we've been hacked enough times over the last 35 years to
> get a clue. Every character you add is a mathematical factor increment
> for the crackers to have to try. One of the better calculators ever
> built by TI overflows its 12 digit + exponent math when you enter 70!,
> but can handle 69!  The answer for 69! is quite a few times the age of
> the universe in seconds. Make 'em work for it and they'll quickly get
> bored and go away, looking for easier pickings.

A single extra character adds potentially about 6 bits of entropy if
every character that can be typed is equally possible. In practice,
it's not that much, more like between 4 and 5. But merely increasing
the length of the required password does not make things more secure,
and over a cleartext channel it doesn't matter at _all_ because Eve
already watched you type it in. Everyone's password could be "bob" and
as long as no user knows that everyone else ALSO used that password
it's all good.

As was said elsewhere in the thread, don't use the same password you
use at the bank, but equally -- using "enterprise-grade" password
security theatre is just silly for such an inherently insecure thing.
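As an added illustration (not code from either poster), the script below counts the search space of the "7 characters, 1 capital, 3 numbers, 1 symbol" policy exactly and compares it with an unconstrained 7-character password and with a multi-word passphrase; the character-class sizes (26/26/10/33 printable ASCII) and the 7776-word list size are assumptions.

```python
"""Entropy of a constrained password policy vs. an unconstrained one vs. a passphrase.
Character-class sizes are an assumption: printable ASCII split into
uppercase, lowercase, digits and symbols (26 + 26 + 10 + 33 = 95)."""
from math import factorial, log2

UPPER, LOWER, DIGIT, SYMBOL = 26, 26, 10, 33


def multinomial(counts):
    """Number of ways to assign positions to classes with the given per-class counts."""
    result = factorial(sum(counts))
    for c in counts:
        result //= factorial(c)
    return result


def policy_space(length, min_upper, min_digit, min_symbol):
    """Exact count of strings of `length` printable-ASCII characters that contain
    at least min_upper uppercase letters, min_digit digits and min_symbol symbols.
    Classes are disjoint, so we enumerate class-count tuples (u, d, s, l),
    multiply the position arrangements by each class's alphabet size, and sum."""
    total = 0
    for u in range(min_upper, length + 1):
        for d in range(min_digit, length - u + 1):
            for s in range(min_symbol, length - u - d + 1):
                l = length - u - d - s  # remaining positions are lowercase
                arrangements = multinomial((u, d, s, l))
                total += arrangements * UPPER ** u * DIGIT ** d * SYMBOL ** s * LOWER ** l
    return total


def unconstrained_space(length):
    """Any printable-ASCII character in every position."""
    return (UPPER + LOWER + DIGIT + SYMBOL) ** length


def passphrase_space(words, wordlist_size=7776):
    """Words drawn uniformly from a wordlist (7776 = a six-sided-dice wordlist; assumed)."""
    return wordlist_size ** words


def bits(space):
    """Entropy in bits of a uniformly chosen element of a space of the given size."""
    return log2(space)


if __name__ == "__main__":
    policy = policy_space(7, 1, 3, 1)
    print(f"policy (7 chars, 1 upper, 3 digits, 1 symbol): {bits(policy):.1f} bits")
    print(f"unconstrained 7 printable chars:               {bits(unconstrained_space(7)):.1f} bits")
    print(f"4-word passphrase from 7776 words:             {bits(passphrase_space(4)):.1f} bits")
```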