From: jellybean stonerfish on 18 Jun 2010 11:43

On Fri, 18 Jun 2010 10:29:25 +0000, unruh wrote:

> On 2010-06-17, David Brown <david(a)westcontrol.removethisbit.com> wrote:
>> On 17/06/2010 11:12, Todd wrote:
>>> Hi All,
>>>
>>> With this command:
>>>
>>> ssh -l todd -X 192.168.255.14 /usr/bin/VirtualBox
>>>
>>> I can run VirtualBox console on another computer with X11. All I get
>>> is asked for my password.
>>>
>>> I don't get it. How is this any more secure than plain old telnet?
>>> Both are just a user name and password. You could hack it the same old
>>> way other services are hacked by running the dictionary at them. I do
>>> believe OPH Crack over on the Windows side calls this "Rainbow
>>> tables".
>
> A dictionary attack on passwords is difficult if you choose reasonable
> passwords, i.e., greater than 8 letters, and proper password choice. If you
> use "a" as your password, then yes, password guessing is easy. Also ssh
> encrypts all data, including password exchange.
>
> <SNIP>
>
>>> What am I missing? Is there a way to tighten ssh up?
>
> Use decent passwords.

Exactly. Don't use passwords that contain words. It is easy to create and remember a password of almost random letters and numbers, that is long. Think of a phrase or concept, then translate to semi-random text with a mental method. For example: Sally thinks of the ladies she has lunch with, Mary, Sue, and Tina. Mary has a poodle named Snooches, Sue has two children, Samantha and Fred, and Tina's baby is her car named Carrie. Using the first letter from her friends' names, the first letter from their type of pet, and the first letters from their pets, and adding 4 digits from their phone numbers she comes up with a password of "mps1234ssf5678tc2468"

After you think it through, you type out the letters as you think it through again. In this example, Sally already knows the information, her co-workers' names, and their pets' names. She won't forget them. All she needs to do is remember the concept; co-workers, pets, phone number. The minute or two of thinking it up and working through it forces your brain to build a memory.

With a little practice, you can create a new password for any reason. For example, your email password may have characters generated from a scene you remember from the movie "The postman always rings twice" and your web server at work may have a string generated from the name of a spider, crossed with the name of your favorite waitress, and price of a sandwich.

From: Kenny McCormack on 18 Jun 2010 12:04

In article <hvg47g$a4o$1(a)speranza.aioe.org>,
jellybean stonerfish <stonerfish(a)geocities.com> wrote:
....
>Exactly. Don't use passwords that contain words. It is easy to create
>and remember a password of almost random letters and numbers, that is
>long. Think of a phrase or concept, then translate to semi-random text
>with a mental method. For example: Sally thinks of the ladies she has
>lunch with, Mary, Sue, and Tina. Mary has a poodle named Snooches, Sue
>has two children, Samantha and Fred, and Tina's baby is her car named
>Carrie. Using the first letter from her friends' names, the first letter
>from their type of pet, and the first letters from their pets, and adding
>4 digits from their phone numbers she comes up with a password of
>"mps1234ssf5678tc2468"

Yeah, right. You're cracking me up!

....
>With a little practice, you can create a new password for any reason.
>For example, your email password may have characters generated from a
>scene you remember from the movie "The postman always rings twice" and
>your web server at work may have a string generated from the name of a
>spider, crossed with the name of your favorite waitress, and price of a
>sandwich.

This was a joke post, right?

Either that, or you are out of your frickin' mind. You and I might just be able to handle what you suggest above, but normal users? No way.

And what's more to the point is that they won't (even if they could, which, granted, maybe some can). And the reasons for this, besides the ones listed in the white paper (which boil down to: it simply isn't economically feasible for me to do so) include the simple fact that most users view security as IT's responsibility. For god's sake, that's why we pay you the big bucks - to fix these problems. Don't put it on me!

--
> No, I haven't, that's why I'm asking questions. If you won't help me,
> why don't you just go find your lost manhood elsewhere.

CLC in a nutshell.

From: jellybean stonerfish on 18 Jun 2010 12:23

On Fri, 18 Jun 2010 15:43:44 +0000, jellybean stonerfish wrote:

> . Using the first letter from her friends' names, the first letter from
> their type of pet, and the first letters from their pets, and adding 4
> digits from their phone numbers she comes up with a password of
> "mps1234ssf5678tc2468"

Oops, I forgot the "d" and "s" for "daughter" and "son". It should be "mps1234sdssf5678tc2468", but you get the idea.

From: jellybean stonerfish on 18 Jun 2010 12:33

On Fri, 18 Jun 2010 16:04:10 +0000, Kenny McCormack wrote:

> In article <hvg47g$a4o$1(a)speranza.aioe.org>, jellybean stonerfish
> <stonerfish(a)geocities.com> wrote: ...
>>Exactly. Don't use passwords that contain words. It is easy to create
>>and remember a password of almost random letters and numbers, that is
>>long. Think of a phrase or concept, then translate to semi-random text
>>with a mental method. For example: Sally thinks of the ladies she has
>>lunch with, Mary, Sue, and Tina. Mary has a poodle named Snooches, Sue
>>has two children, Samantha and Fred, and Tina's baby is her car named
>>Carrie. Using the first letter from her friends' names, the first letter
>>from their type of pet, and the first letters from their pets, and
>>adding 4 digits from their phone numbers she comes up with a password of
>>"mps1234sdssf5678tc2468" (FIXED)
>
> Yeah, right. You're cracking me up!
>
> ...
>>With a little practice, you can create a new password for any reason.
>>For example, your email password may have characters generated from a
>>scene you remember from the movie "The postman always rings twice" and
>>your web server at work may have a string generated from the name of a
>>spider, crossed with the name of your favorite waitress, and price of a
>>sandwich.
>
> This was a joke post, right?

I wasn't joking, but there was a bit of humor in the example.

>
> Either that, or you are out of your frickin' mind. You and I might just
> be able to handle what you suggest above, but normal users? No way.

You may be right. In a group of friends, one of them forgot a password we needed to log into a webserver. I tried to teach them how to make a stronger password, that is easy to remember. One of them, an IT guy at a local college, at least understood me. He smiled when I created a password in front of him that will be impossible to forget, and the system he had told him it was 97% strength.

From: John Hasler on 18 Jun 2010 12:43

Kenny McCormack writes:
> You and I might just be able to handle what you suggest above, but
> normal users? No way.

Right. So the thing for "normal users" to do is use a separate strong password (i.e., one generated by software, not by them) for each separate purpose and _write it down_. That's right, _write it down_ and keep the written record in a safe place such as in their wallets with their credit cards.

The constant admonition to never write down a password is idiotic. It is primarily responsible for the very common practice of using a single easily-guessed password everywhere.

--
John Hasler
jhasler(a)newsguy.com
Dancing Horse Hill
Elmwood, WI USA
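
An added example, not part of any post in this thread: one way to produce a separate software-generated password for each purpose, in a form suited to being written down. The 80-bit target, the exclusion of look-alike characters and the purpose labels are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption: characters that are easy to confuse on a handwritten card
# (zero/capital O, one/lowercase l/capital I) are left out of the alphabet.
LOOKALIKES = set("0O1lI")
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in LOOKALIKES)


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random string of this length over alphabet."""
    return length * math.log2(len(alphabet))


def length_for_bits(target_bits, alphabet=ALPHABET):
    """Smallest length whose random strings reach at least target_bits."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def generate_password(target_bits=80, alphabet=ALPHABET):
    """Draw each character independently from the OS CSPRNG."""
    n = length_for_bits(target_bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(n))


def passwords_for(purposes, target_bits=80):
    """One independent password per purpose; none is derived from another."""
    return {purpose: generate_password(target_bits) for purpose in purposes}


if __name__ == "__main__":
    # Constructed purpose labels; the host is the one named in the thread.
    purposes = ["ssh todd@192.168.255.14", "email", "web server at work"]
    for purpose, pw in passwords_for(purposes).items():
        bits = entropy_bits(len(pw))
        print(f"{purpose:26} {pw}  (~{bits:.0f} bits)")
```

Because every character is drawn uniformly at random, the entropy figure is exact for these passwords; it does not apply to passwords built from facts a person already knows.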