Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: suggesting passwds to users

from [Scovetta, Michael V] Network Security [Permanent Link]
Subject: RE: suggesting passwds to users
Date: Wed, 20 Apr 2005 13:55:16 -0400 
Matt--
  I think even the "bad" random generators are still pretty random, and
the flaws only show up in a slightly statistical "blip" after thousands
to millions of numbers are generated.

I'm reading a great book called "Malicious Cryptovirology" by Young and
Yung 
(http://www.amazon.com/exec/obidos/tg/detail/-/0764549758/102-7275077-50
83323?v=glance)
which talks a great deal about random number generation-- I'd highly
suggest it to anyone looking to learn about random number generation.

Michael Scovetta
Computer Associates
Senior Application Developer

-----Original Message-----
From: Matt Fisher [mailto:mfisher@spidynamics.com] 
Sent: Tuesday, April 19, 2005 10:22 PM
To: James Barkley; webappsec@securityfocus.com
Subject: RE: suggesting passwds to users

The first thing I think of in this scenario is what "random" means.  I
don't know that much about rand generators, but I do know that some have
been flawed, and presented not-so-random numbers.  
 


-----Original Message-----
From: James Barkley [mailto:James.Barkley@noaa.gov] 
Sent: Friday, April 15, 2005 3:20 AM
To: webappsec@securityfocus.com
Subject: suggesting passwds to users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 

A user authenticates with a username/passwd and you not only 
give the user the option to change his/her password any time 
they want but also make it mandatory that they change their 
password at least once every so often (e.g. 6 months).  You 
know that users are not good at choosing good passwords, but 
you happen to have a good application module for generating 
random strong passwords.  So, when the user is at the change 
password page and about to type in "Mets4Ever" as their new 
password, why not give them a list of 10 or so 
cryptographically strong, randomly generated passwords as 
suggestions for them.
Assuming you are using https, then this seems like reasonable 
security... or am I missing something?

- -Jim Barkley
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
 
iD8DBQFCX2sJVtbq2E0xxN0RAu/qAJ9IniLfMUhKv2UpSweiXVfQn/wGRwCbBNQt
zPNrsUoEcHrAlvIqbunriPM=
=EYEs
-----END PGP SIGNATURE-----
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: suggesting passwds to users, robert
Next by Date:  Re: modulo question, warnings
Previous by Thread:  Re: suggesting passwds to users, hggdh
Next by Thread:  RE: suggesting passwds to users, maburns
Indexes:  [Date] [Thread] [Top] [All Lists]