[Coco] Mystic BBS
Sean
badfrog at gmail.com
Tue Oct 1 00:36:17 EDT 2019
Jeff, you seem to be the guy that has to be the first person that says
something sucks on the internet forums. And you're spending a lot of time
on it. Just let it go and let the BBS live. There is no place for this
discussion on the CoCo list.
On Mon, Sep 30, 2019 at 10:39 PM Jeff Teunissen <deek at d2dc.net> wrote:
> On Sun, Sep 29, 2019 at 6:27 PM Gene Heskett <gheskett at shentel.net> wrote:
> >
> > On Sunday 29 September 2019 16:51:50 Jeff Teunissen wrote:
> >
> > > Your password requirements are really terrible.
> > >
> > > "7 characters, 1 capital letter, 3 numbers, 1 symbol" is a very
> > > insecure password scheme. It's bad enough that most people will write
> > > it down rather than try to remember a password that matches it --
> > > while simultaneously being very easy for a computer to guess. It's the
> > > opposite of a good password scheme, that being one that a person can
> > > memorize easily while being hard to guess.
> > >
> > > I killed the new user session, it just wasn't worth completing.
> > >
> > While I disagree with Jeffs way of complaining, I agree with his
> > complaint. John the ripper, a linux password cracker can probably find
> > that simple a pw in less than a minute. Open that up to at least 80
> > chars, specify the legal chars you can use but don't demand them,
> > because everytime you restrict, it takes one character out of the try
> > pool for a potential cracker. Use a whole phrase of easy to remember
> > words that are NOT related to each other, but because its whole words,
> > its much easier for you to remember without ever writing it down.
> >
> > I would think we've been hacked enough times over the last 35 years to
> > get a clue. Every character you add is a mathematical factor increment
> > for the crackers to have to try. One of the better calculators ever
> > built by TI overflows its 12 digit + exponent math when you enter 70!,
> > but can handle 69! The answer for 69! is quite a few times the age of
> > the universe in seconds. Make 'em work for it and they'll quickly get
> > bored and go away, looking for easier pickings.
>
> A single extra character adds potentially about 6 bits of entropy if
> every character that can by typed is equally possible. In practice,
> it's not that much, more like between 4 and 5. But merely increasing
> the length of the required password does not make things more secure,
> and over a cleartext channel it doesn't matter at _all_ because Eve
> already watched you type it in. Everyone's password could be "bob" and
> as long as no user knows that everyone else ALSO used that password
> it's all good.
>
> As was said elsewhere in the thread, don't use the same password you
> use at the bank, but equally -- using "enterprise-grade" password
> security theatre is just silly for such an inherently insecure thing.
>
> --
> Coco mailing list
> Coco at maltedmedia.com
> https://pairlist5.pair.net/mailman/listinfo/coco
>
More information about the Coco
mailing list