Pass the Chocolate
Scott Granneman, 2004-05-26

For the 70% of the population that will trade their computer password for a bar of chocolate, this one's for you.

Pass the Chocolate 2004-05-27
pthread (1 replies)
You are dreaming if you think anyone is going to read that, it's a friggin book! What you do is, at work, run LC4 and let it sniff passwords over the network and crack them as it gets them, then show them how quick it gets all their passwords.

Then they can laugh at you and tell you that if you ...

Pass the Chocolate 2004-06-01
Anonymous
You're forgetting about programs that can automatically guess at passwords, 24 hours a day, 7 days a week.

It's not going to take a brute force password cracking program very long to guess a password like "beer", and no amount of encryption is going to protect you from that. (I think beer is nu...

Pass the Chocolate 2004-05-27
Dominic Cronin
Firstly, there is no-one who ever legitimately needs your password. If they are legit, then they have access of their own.

Secondly, I've been using the song trick for a few years now, but I would never disclose which song I'm using. In this day and age, putting your Led Zep lyrics up is almost a...

Pass the Chocolate 2004-05-27
Anonymous (1 replies)
The "chocolate" survey was hardly scientific. I suspect that a large number of people would have given completely fictitious passwords in exchange for the free chocolate. We, IT Security Pros, can hardly use this survey as the basis for a password campaign. The business people would, rightly, dismis...

Pass the Chocolate 2004-05-28
microchp
I agree. Most of the people I know would gladly and very quickly come up with a reasonable password for something free.

I believe the term for that is Social Engineering.

Now the real question is, how many people would consume something that could be tainted with a dangerous substance just be...

Pass the Chocolate 2004-05-27
N. Alan
Does password best practice really improve security? IT Security staff the world over advise their organisations to use complicated mixed case passwords, and we then require these passwords to be changed every 30 days. This means that staff either write them down or call the help desk to get them reset. ...

Pass the Chocolate 2004-05-27
Anonymous
I wonder about the validity of that "70%" result. The survey doesn't sound like it used a very scientific method. How many just said "yes" for the fun of it? How many gave a true password and not something made up? I really don't care for so-called surveys like this. They just muddy the waters ...

Pass the Chocolate 2004-05-27
Anonymous (1 replies)
Well, first a password with two numbers on the end isn't secure (it's just too easy for cracking software to try 0-99 so they all do) so don't bother with that. Also, many common phrases are in cracking dictionaries as well so I'd recommend against them if you want a truly uncrackable password.

W...

Pass the tequila 2004-05-27
Mene Tekel
Not only do the two digits at the end not make the password that much more secure, because most cracking programs try adding all digits from 0 to 9999 at the end, but it also makes the assumption that this would make a difference at all. A substantial part of the passwords out there are old styl...

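A worked illustration of the point the two comments above make (a digit suffix and the usual a=@ / e=3 substitutions add very little against a cracker). This is an added example, not code from the article or from any commenter: a toy hybrid dictionary attack over a constructed ten-word list, with SHA-256 standing in for whatever unsalted hash the target system stores. The wordlist, the substitution table and the test passwords are all assumptions made for the example.

```python
import hashlib
from typing import Iterator, Optional, Tuple

# Constructed stand-in for a cracking dictionary (a real one has millions of
# entries, including song lyrics and common phrases).
WORDLIST = [
    "password", "beer", "chocolate", "zeppelin", "stairway",
    "letmein", "welcome", "dragon", "summer", "monkey",
]

# The usual letter-to-symbol substitutions; crackers apply these as rules.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def sha256_hex(password: str) -> str:
    """Stand-in for whatever unsalted hash the target system stores."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def leetify(word: str) -> str:
    """Apply the substitution table to every lowercase letter it covers."""
    return "".join(LEET.get(c, c) for c in word)


def mangle(word: str) -> Iterator[str]:
    """Cheap rule variants of one dictionary word: case changes and
    a=@ / e=3 style substitution, in a fixed order, without repeats."""
    variants = [
        word,
        word.capitalize(),
        word.upper(),
        leetify(word),
        leetify(word.capitalize()),
    ]
    seen = set()
    for v in variants:
        if v not in seen:
            seen.add(v)
            yield v


def candidates(max_digits: int) -> Iterator[str]:
    """Hybrid attack: every mangled word, bare and with every 1..max_digits
    digit suffix (zero-padded, so 'beer7' and 'beer07' are both tried)."""
    for word in WORDLIST:
        for base in mangle(word):
            yield base
            for width in range(1, max_digits + 1):
                for n in range(10 ** width):
                    yield f"{base}{n:0{width}d}"


def keyspace_size(max_digits: int) -> int:
    """How many guesses the hybrid attack makes in total."""
    return sum(1 for _ in candidates(max_digits))


def crack(target_hash: str, max_digits: int = 4) -> Optional[Tuple[str, int]]:
    """Return (plaintext, guesses_needed), or None once the keyspace is exhausted."""
    for attempts, guess in enumerate(candidates(max_digits), start=1):
        if sha256_hex(guess) == target_hash:
            return guess, attempts
    return None


if __name__ == "__main__":
    # Test passwords are constructed for the example.
    for pw in ("beer42", "Zeppelin1971", "P@$$w0rd", "xK9#pL2v"):
        print(f"{pw!r:16} -> {crack(sha256_hex(pw))}")
    print("total guesses in this keyspace:", keyspace_size(4))
```

With ten words, five rule variants each and suffixes of up to four digits, the whole keyspace is 50 x 11111 = 555,550 guesses, which a laptop exhausts in seconds; "beer42" falls after about 55,600 of them and "P@$$w0rd" is simply one of the rule variants. A password that is not derived from a dictionary word (the last one above) is never reached, because the attack has no rule that produces it; eight characters drawn uniformly from the 95 printable ASCII characters give 95^8, roughly 6.6 x 10^15 possibilities, against the half-million here.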
Pass the Chocolate 2004-05-27
Anonymous
I hope you're happy ! You just posted my password to the entire world ! :-p...

Pass the Chocolate 2004-05-27
E. de Jong
Don't use the same password that you use on www.hotwarez.com for your work computer. The owner of the site might not be as honest as you expect him to be.

...

WRITE them passwords down... 2004-05-27
Nicholas Weaver
Write them down and KEEP THEM IN YOUR WALLET. I have some root passwords and my obscure "secure" account passwords written down in my wallet. (My main password and ssh passphrase are 100% memorized, so it is not an issue there)

Likewise, you want Bruce Schneier's passwords? You mug him!

The ...

Pass the buck 2004-05-27
Mene Tekel (1 replies)
I tried to read this as a user would. And you lost me when you started with a=@, b=6... It doesn't matter whether you can explain it -- it looks like gobbledygook to a user, who in the best case will skip down to read the explanation part later (if ever). But what's further down requires that you...

Pass the buck 2004-06-01
Anonymous
You're right. I'd shorten the article to:

Use acronyms as passwords. They're easy to remember and hard to guess....

Keepass, Only need to remember 1 passwd!! 2004-05-28
B
Another option people might want to try that I have found to be most useful is the Keepass password safe:

http://keepass.sourceforge.net/

It's nice because you can store all your passwords in an encrypted file that can be carried around on a USB keyring and people only have to have 1 password,...

Pass the Chocolate 2004-05-28
Anonymous
I dunno, for some reason I kind of believe that survey result. I mean if you think about it, 95% of the people using computers are not savvy in any way, let alone security cautious. They don't know what security is, and they don't want to know and most of the time, they don't get paid nearly enough ...

Pass the Chocolate 2004-06-01
Tommy Ward (2 replies)
This whole issue represents a failure of our industry, i.e. we still haven't provided a cost effective, easy to use replacement for this obsolete technology. Even the US Government (hardly a bastion of technological leadership) admitted 10 years ago that passwords were obsolete, so here we are still...

Pass the test 2004-06-03
Mene Tekel
Any successful authentication scheme has to fulfill three separate criteria:

1: It must be statistically impossible to duplicate within the time frame the authentication is valid. Pass phrases and keys that can only be brute forced combined with expiring keys/passwords is just this, and the bas...

Re: Pass the Chocolate 2006-11-28
Anonymous (1 replies)
Tell me for which OS you cannot find USB support these days....

Re: Re: Pass the Chocolate 2007-06-15
Anonymous
Well, in higher security environments, USB ports are desoldered or glued up (lower security). Cases are locked and tamper-sealed. Internal headers are removed too. Custom BIOSes are loaded too.
I know, I'm the desolderer and keyholder for 4000 workstations :)...

Pass the Chocolate 2004-06-02
steeef
As others here have already mentioned, adding numbers to the end of a password only increases cracking difficulty marginally. I'm not convinced that adding different cases or special symbols helps that much either.

The most secure passwords are either randomly or mnemonicly (is that a word?) gene...

Pass the Chocolate 2004-06-06
Anonymous
Where's this 70% number come from? If I were walking down the street and someone offered me chocolate for my password, I'd take it. Of course, I wouldn't give them any of my real passwords, but how are they going to check? Mmm, free chocolate....

Copyright 2009, SecurityFocus