*****
To join, leave or search the confocal microscopy listserv, go to: http://lists.umn.edu/cgi-bin/wa?A0=confocalmicroscopy
*****

Dear List--

I can't say I've ever sent a link for a webcomic to the confocal list, but here goes.

http://xkcd.com/936/

(As far as I know, clicking on this link will not infect your computer with a virus or take you to a porn site.)

Anybody able to verify or disprove this? Intuitively, it makes sense, but so do a lot of things that are wrong.

Martin
--
Martin Wessendorf, Ph.D.                office: (612) 626-0145
Assoc Prof, Dept Neuroscience           lab: (612) 624-2991
University of Minnesota                 Preferred FAX: (612) 624-8118
6-145 Jackson Hall, 321 Church St. SE   Dept Fax: (612) 626-5009
Minneapolis, MN 55455                   e-mail: [hidden email]
Dear Martin,

I'd venture a guess it's not. Modern hackers use word lists to guess an account's password, which are generated automatically from dictionaries. These may be generated so as to include common character substitutions easily, as well as combinations of words. As such, the probability of guessing the password is actually a function of the dictionary that the hackers use, how rare the word(s) is (are), as well as the length of the password. This will, by definition, be a higher probability than just having a completely random set of characters of the same length.

Comparing both word examples, maybe the combination of words does have an advantage, in that the hacker would need to have generated a longer list with that particular combination. Still, the probability of your password being found is only a function of its length if it isn't on the hackers' list. Hackers have such comprehensive lists that the only safe password is complete random gibberish.

That's my guess anyway. As a side note, good choice of webcomic!

Best,
Pedro Almada

On Aug 10, 2011 8:30 PM, "Martin Wessendorf" <[hidden email]> wrote:
> Anybody able to verify or disprove this? Intuitively, it makes sense,
> but so do a lot of things that are wrong.
Martin,

It's probably right, but 1000 guesses per second would require a connection speed way beyond even what I get on campus to another on-campus computer. Even 100 per second (one month) seems implausible. At 10 guesses per second you're looking at 2½ years ... And any system that will allow you 268,435,456 attempts at logging in before it freezes you out is terminally insecure! (MS Exchange allows 5 tries).

The four random words thing is fine provided that (a) only very few do it and (b) the words truly are random. But if it catches on then all a cracking algorithm has to do is try every combination of dictionary words that add up to the password length, a vastly simpler task.

Guy

Optical Imaging Techniques in Cell Biology
by Guy Cox CRC Press / Taylor & Francis
http://www.guycox.com/optical.htm
______________________________________________
Associate Professor Guy Cox, MA, DPhil(Oxon)
Australian Centre for Microscopy & Microanalysis,
Madsen Building F09, University of Sydney, NSW 2006
Phone +61 2 9351 3176 Fax +61 2 9351 7682
Mobile 0413 281 861
______________________________________________
http://www.guycox.net

-----Original Message-----
From: Confocal Microscopy List [mailto:[hidden email]] On Behalf Of Martin Wessendorf
Sent: Thursday, 11 August 2011 5:31 AM
To: [hidden email]
Subject: Password Strength
One thing I've always wondered is why systems can't be set up so they won't accept more than one password attempt on a given account every 1 sec, 5 sec or whatever. I suppose this might be a problem if large numbers of people had to access the same account, but other than that I would think this would greatly reduce the number of successful hacks. Of course, maybe I'm missing something; if so, enlighten me. (-;{

Steve

On Aug 10, 2011, at 3:12 PM, Guy Cox wrote:
> And any system that will allow you 268,435,456 attempts at logging in before it freezes you out is terminally insecure! (MS Exchange allows 5 tries).
Guy,

The connection speed isn't an issue with a modern hacker. Most will use "farms" of hacked computers. Those worms your antivirus likes to delete are usually attempts at gaining use of your machine and internet connection to be used for attacks like this. So, one machine can't do it, but several thousand on the internet can. Also, dictionary attacks require a reduced number of attempts, by several orders of magnitude.

You make a good point about how the server should also throttle or block connections after x attempts, but you'd be amazed at how many small website administrators don't actually do that. As an example, Twitter was a victim of such a dictionary attack: http://www.codinghorror.com/blog/2009/01/dictionary-attacks-101.html

Considering how many websites require a unique login and how many users have the same password across several websites, you can guess that a small website which was successfully hacked will reveal the credentials for other, more important websites. And hackers do keep lists of successful logins which they sell and trade between each other...

Best,
Pedro

On 10 August 2011 21:12, Guy Cox <[hidden email]> wrote:
> It's probably right, but 1000 guesses per second would require a
> connection speed way beyond even what I get on campus to another on-campus
> computer.
This is all very true, and I made the point about dictionary attacks myself. But I'd have thought it would be far more profitable, if you are infecting a computer, to put in a keystroke logger. That way you stand quite a good chance of getting into bank accounts ....

Guy

-----Original Message-----
From: Confocal Microscopy List [mailto:[hidden email]] On Behalf Of Pedro Almada
Sent: Thursday, 11 August 2011 6:52 AM
To: [hidden email]
Subject: Re: Password Strength
Cool comic, and can't resist commenting ...

Speed wise 1000 attempts/sec is easily doable if (and only if - which is relatively uncommon) the site doesn't have a delay after a failed attempt (or certain number of failed attempts). The request size is only likely to be a couple of hundred bytes, whereas you'll easily be getting 10s of Mbit/s to overseas internet sites these days. Remember that there's nothing to stop you sending the next request before the first one has returned.

Whilst the words should be random with respect to each other, there is no requirement that the method is uncommon. His 11 bits per word reflects the number of words in the dictionary rather than the information in each word (~56 bits). It thus already describes the method's strength against exactly the attack you propose. If you did somehow know the exact length of the password in advance you would probably lose another 4-5 bits, but this is unlikely.

David

--- On Thu, 11/8/11, Guy Cox <[hidden email]> wrote:
> The four random words thing is fine provided that (a) only very few do it and (b)
> the words truly are random. But if it catches on then all a cracking algorithm
> has to do is try every combination of dictionary words that add up to the
> password length, a vastly simpler task.
But "correct horse battery staple" is composed of all common dictionary words, and it is not immune to dictionary attack. co01ho02ba03st04 is a little better.

Better still, from a phrase like this:

Go ahead, make my day.

you get gammd from the first letters from each word, then throw in some variations, such as gAmmD0809

Should be much better, easy to remember, hard to crack.

On Wed, Aug 10, 2011 at 3:30 PM, Martin Wessendorf <[hidden email]> wrote:
> http://xkcd.com/936/
>
> Anybody able to verify or disprove this?

--
Tao Tong
Bio-Imaging Resource Center
Rockefeller University
Box 209/Bronk 202
1230 York Avenue, New York, NY 10065
Tel: 212-327-7283
On 8/11/2011 11:29 AM, Tao Tong wrote:
> you get gammd from the first letters from each word, then throw in some
> variations, such as gAmmD0809
>
> Should be much better, easy to remember, hard to crack.

If we consider a 9 character password and assume that the characters can be one of 128 ASCII characters, we get a total of (128)^9 possible combinations, or 9.2 x 10^18.

If we assume that English contains 50,000 "common" words that a dictionary would need to contain (--I think that would be a conservative estimate, since English has a total vocabulary of about 250,000 words and capitalizations, proper names, etc would all need to be considered) and limit our password to 4 words, we would get 6.3 x 10^18--i.e. almost the same.

My sense is that the "four-words" strategy would probably work, as long as the resulting password were reasonably long and word order were truly random (i.e., not "big dog bit me").

From what others have observed, it sounds as if the real place to tackle password security is on the server: to limit logon attempts to one every 5 seconds or so--short enough not to drive users nuts but long enough to hamper brute-force attacks.

Martin
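The arithmetic behind David's "11 bits per word" and Martin's 128^9 versus 50,000^4 comparison, as an added example that is not code from the thread: it computes the guess space and entropy for each scheme and the worst-case time at the comic's 1000 guesses per second. The alphabet sizes, dictionary sizes and rate are the ones quoted in the thread; the function names are mine.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def guess_space(symbols: int, length: int) -> int:
    """Number of candidates an attacker must try in the worst case when each
    of `length` positions is chosen uniformly from `symbols` possibilities.
    For a character password `symbols` is the alphabet size; for a passphrase
    it is the dictionary size and `length` the number of words."""
    if symbols < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return symbols ** length


def entropy_bits(space: int) -> float:
    """log2 of the guess space: the comic's '11 bits per word' is log2(2048)."""
    return math.log2(space)


def worst_case_seconds(space: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole space at a fixed guessing rate. The expected
    time for a uniformly chosen secret is half of this."""
    return space / guesses_per_second


def summary(name: str, symbols: int, length: int,
            guesses_per_second: float = 1000.0) -> dict:
    """One row of the comparison: space, bits, and worst-case days/years."""
    space = guess_space(symbols, length)
    secs = worst_case_seconds(space, guesses_per_second)
    return {
        "name": name,
        "space": space,
        "bits": round(entropy_bits(space), 1),
        "worst_case_days": secs / SECONDS_PER_DAY,
        "worst_case_years": secs / SECONDS_PER_YEAR,
    }


def thread_comparison() -> list:
    """The four cases discussed in the thread, all at 1000 guesses/second."""
    return [
        # Guy's 268,435,456 = 2**28 attempts: the comic's modified-word password.
        summary("comic: 28-bit modified word", 2, 28),
        # The comic's four words from a 2048-word list: 4 * 11 = 44 bits.
        summary("comic: four random words (2048-word list)", 2048, 4),
        # Martin's 9 printable-ASCII characters, 128 symbols each.
        summary("Martin: 9 chars from 128 symbols", 128, 9),
        # Martin's four words from a 50,000-word dictionary.
        summary("Martin: four words from 50,000", 50_000, 4),
    ]


if __name__ == "__main__":
    for row in thread_comparison():
        print(f"{row['name']:45s} {row['space']:.2e} candidates, "
              f"{row['bits']:5.1f} bits, worst case {row['worst_case_days']:.1f} days "
              f"({row['worst_case_years']:.1f} years)")
```

The 28-bit case exhausts in about 3 days and the 44-bit case in about 557 years, matching the comic's "3 days" and "550 years"; Martin's two schemes land at 63.0 and 62.4 bits, which is why his totals come out almost the same.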
Wouldn't most of this depend on the type of attack a hacker attempts? If they try a dictionary attack they will only discover passwords that feature dictionary words or modified versions of words (e.g. p455word). But what if the hacker instead tries a true 'brute force' attack and just throws random characters at it? Then isn't longer better, regardless of whether words are used or just random characters...?

Craig

On Thu, Aug 11, 2011 at 11:40 AM, Martin Wessendorf <[hidden email]> wrote:
> My sense is that the "four-words" strategy would probably work, as long as
> the resulting password were reasonably long and word order were truly random
> (i.e., not "big dog bit me").
I did think of a downside to my suggestion of limiting logon attempts to one every second, 5 sec or whatever. If the hacker did try a brute force attack, I suspect it would tie up the server for as long as it went on. This would mean no one could get on as long as the hack continued. Of course, possibly the hack attack could recognize the inefficiency of continuing with logons limited say to every 5 sec and would move on to more fertile ground.

Steve

On Aug 11, 2011, at 12:40 PM, Martin Wessendorf wrote:
> From what others have observed, it sounds as if the real place to tackle
> password security is on the server: to limit logon attempts to one every 5
> seconds or so--short enough not to drive users nuts but long enough to
> hamper brute-force attacks.
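A per-account throttle addressing Steve's worry, as an added example that is not code from the thread: the wait is tracked per account rather than for the whole server, so a guessing run against one account never blocks another user, and (going beyond the fixed five seconds Martin proposes) the wait doubles with each further failure up to a cap. `LoginThrottle`, `try_login` and `guesses_admitted` are my own names; the demo credential is constructed.

```python
class LoginThrottle:
    """Per-account login throttle.

    After `free_attempts` consecutive failures an account must wait
    `base_delay` seconds before the next attempt is even examined; each
    further failure multiplies the wait by `backoff`, capped at `max_delay`.
    State is keyed by account, so hammering one account does not lock the
    whole server (Steve's concern), and a successful login resets it.
    """

    def __init__(self, base_delay=5.0, max_delay=300.0, free_attempts=3, backoff=2.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.free_attempts = free_attempts
        self.backoff = backoff
        self._failures = {}    # account -> consecutive failed attempts
        self._not_before = {}  # account -> earliest time the next attempt is accepted

    def delay_after(self, failures: int) -> float:
        """Wait imposed after the given number of consecutive failures."""
        if failures <= self.free_attempts:
            return 0.0
        exponent = failures - self.free_attempts - 1
        if exponent > 60:  # avoid float overflow; the cap applies anyway
            return self.max_delay
        return min(self.max_delay, self.base_delay * self.backoff ** exponent)

    def allowed(self, account: str, now: float) -> bool:
        return now >= self._not_before.get(account, 0.0)

    def record_failure(self, account: str, now: float) -> float:
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        wait = self.delay_after(n)
        self._not_before[account] = now + wait
        return wait

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._not_before.pop(account, None)


def try_login(throttle: LoginThrottle, account: str, password: str, check, now: float) -> str:
    """Returns 'throttled', 'ok' or 'bad'. A throttled attempt is rejected
    before the password is checked, so it costs the server almost nothing."""
    if not throttle.allowed(account, now):
        return "throttled"
    if check(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "bad"


def guesses_admitted(throttle: LoginThrottle, account: str, seconds: float,
                     rate: float = 1000.0) -> int:
    """Simulate a guessing run at `rate` wrong attempts per second (the comic's
    1000/s) and count how many attempts actually reach the password check."""
    admitted = 0
    for i in range(int(seconds * rate)):
        now = i / rate
        if throttle.allowed(account, now):
            throttle.record_failure(account, now)
            admitted += 1
    return admitted


if __name__ == "__main__":
    users = {"alice": "correct horse battery staple"}  # constructed demo credential

    def check(account, password):
        return users.get(account) == password

    fixed = LoginThrottle(base_delay=5.0, max_delay=5.0, free_attempts=0, backoff=1.0)
    doubling = LoginThrottle()
    print("fixed 5 s wait, one hour of guessing:", guesses_admitted(fixed, "alice", 3600))
    print("doubling wait, one hour of guessing:", guesses_admitted(doubling, "alice", 3600))
    print("bob unaffected:", try_login(doubling, "bob", "x", check, 3600.0) == "bad")
```

With Martin's fixed 5-second wait an hour of guessing admits 720 checks; with the doubling wait it admits 20, and the other accounts never notice.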
> On 8/11/2011 11:29 AM, Tao Tong wrote:
>> Should be much better, easy to remember, hard to crack.
>
> If we consider a 9 character password and assume that the characters can be one of 128 ASCII characters, we get a total of (128)^9 possible combinations, or 9.2 x 10^18.
>
> My sense is that the "four-words" strategy would probably work, as long as the resulting password were reasonably long and word order were truly random (i.e., not "big dog bit me").

I quickly computed the same numbers, and even with a conservative guess of 10,000 "common" words it's (currently) impossible to break such a multi-word password. :-)

> From what others have observed, it sounds as if the real place to tackle password security is on the server: to limit logon attempts to one every 5 seconds or so--short enough not to drive users nuts but long enough to hamper brute-force attacks.

I don't think this is the typical problem. Much server software already limits login attempts (e.g. check the ssh MaxStartups config parameter). If the software itself doesn't do it, there are firewalls and other traffic monitoring packages that can do the same thing (denyhosts, fail2ban, http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/).

But I think the password attack discussed in the xkcd assumes that the attacker is already in possession of the encrypted password. A remote attack with 1000 guesses / sec on any reasonable web-service is not very realistic. I.e. for a website, a small error message from the server might be 1k in size, leading to 1MB/sec traffic for the attack. It's unlikely that 1MB/sec of login attempts goes unnoticed, unless the Admin has no monitoring whatsoever.

I assume that the xkcd is rather concerned about when hackers steal encrypted passwords from 30,000,000 playstation network customers, and those (hopefully encrypted) passwords have not been salted (http://en.wikipedia.org/wiki/Salt_%28cryptography%29) :-)

Just my two cents,
Mario
*****
I am personally against any password… hopefully in the future we will remove all of them

On Aug 12, 2011, at 2:02 PM, Latini wrote:

> I will be out of the office until the 23rd of August. I will be checking my emails periodically but I apologise for any delay in response that may be caused.
>
> For any urgent enquiries, please contact me on my mobile +39-3356878556
>
> Andrea Latini
> Crisel Instruments Srl, CrEST Srl
*****
Hi,

I think with a modern campus network we should not worry much about a brute force attack from abroad. Most problems occur because users with admin accounts just click on email attachments or visit obscure internet webpages.

Some time ago I was truly astonished when I saw a demonstration of how easy it is to break into a desktop PC running Windows OS when you have real access to it and are able to boot from CD/DVD. In the web comic this is also mentioned ("hash"); just read this page: http://en.wikipedia.org/wiki/Rainbow_table and maybe you want to try it yourself; just take a look at the external links mentioned in the Wikipedia article. In Windows, your password is divided into parts of 7 digits, and if you e.g. use 14 digits and only 0-9 and a-z/A-Z it takes about 1 minute to get your password (depending on how fast your PC is booting and if your installation is not secured against reading the files)...

What I do to be "safe": I use other characters which are not used by the English language and in the simple rainbow table versions. The BIOS of my PC is password protected, so you cannot boot without the password. The case is locked, too. And booting from CD/DVD/USB is disabled in the BIOS. And I don't use an admin account (only when I need to install software). I was thinking of using a virtual environment, but so far I have only tried it and have not switched yet.

Have fun! :-)

Torsten
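The unsalted-hash scenario Mario raises and the rainbow-table attack Torsten describes share one weakness: with no per-user salt, the attacker hashes a wordlist once and looks every stolen hash up in that single table. The following is an added example written for this page, not code from either poster. The user table, the plaintext passwords and the attacker's wordlist are constructed for the demo; SHA-256 stands in for whatever fast hash a real site used, and a 16-byte random salt per user is an assumed choice.

```python
import hashlib
import os

# Constructed breach sample. In a real dump the attacker sees only the hashes;
# the plaintexts are listed here so the example can build the stored table.
CONSTRUCTED_USERS = {
    "alice": "password1",
    "bob": "Tr0ub4dor&3",
    "carol": "password1",                 # same password as alice
    "dave": "correcthorsebatterystaple",  # not in the attacker's list
}

# A tiny stand-in for the attacker's dictionary / precomputed table.
ATTACKER_WORDLIST = ["123456", "password", "password1", "letmein",
                     "Tr0ub4dor&3", "qwerty"]


def unsalted_hash(password: str) -> str:
    # SHA-256 stands in for whatever fast hash the site used (assumption).
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # The salt is random per user and stored in the clear beside the hash.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What a site without salting keeps: user -> hash."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def store_salted(users: dict, salt_len: int = 16) -> dict:
    """What a salting site keeps: user -> (salt, hash)."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len)
        table[user] = (salt, salted_hash(pw, salt))
    return table


def crack_unsalted(stored: dict, wordlist: list) -> tuple:
    """Hash the wordlist once, then look every stolen hash up in that table."""
    precomputed = {unsalted_hash(w): w for w in wordlist}   # len(wordlist) hashes
    found = {user: precomputed[h] for user, h in stored.items() if h in precomputed}
    return found, len(wordlist)


def crack_salted(stored: dict, wordlist: list) -> tuple:
    """No precomputation possible: each user costs a fresh pass over the list."""
    found, hashes_computed = {}, 0
    for user, (salt, h) in stored.items():
        for word in wordlist:
            hashes_computed += 1
            if salted_hash(word, salt) == h:
                found[user] = word
                break
    return found, hashes_computed


def reuse_visible(stored_unsalted: dict) -> bool:
    """Without salt, two users with the same password share the same hash."""
    return stored_unsalted["alice"] == stored_unsalted["carol"]


if __name__ == "__main__":
    unsalted = store_unsalted(CONSTRUCTED_USERS)
    salted = store_salted(CONSTRUCTED_USERS)
    print("alice/carol hashes equal without salt:", reuse_visible(unsalted))
    print("unsalted:", crack_unsalted(unsalted, ATTACKER_WORDLIST))
    print("salted:  ", crack_salted(salted, ATTACKER_WORDLIST))
```

Against the unsalted table the attacker computes six hashes, once, and recovers every user whose password is in the list; alice and carol are visibly the same password before any cracking starts. With salts the precomputed table is useless, identical passwords produce different hashes, and each user costs a separate pass over the wordlist, so the work grows with the number of accounts. Salting does not make "password1" safe, though: a targeted dictionary attack still finds it in three guesses. The other half of the fix is a deliberately slow password hash (bcrypt, scrypt, Argon2) so that each of those guesses is expensive.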
*****
Help Mr. Moderator!

I must have subscribed to the wrong list! I thought this list had something to do with microscopy, but apparently it is populated with computer geeks and game theorists who fancy themselves to be cyber-security experts. All I can say is that the pay is MUCH better in that sector. Maybe a change of career (or list) is warranted?

On Aug 12, 2011, at 7:39 AM, Mario Emmenlauer wrote:

> [...]

Robert J. Palmer Jr., Ph.D.
Natl Inst Dental Craniofacial Res - Natl Insts Health
Oral Infection and Immunity Branch
Bldg 30, Room 310
30 Convent Drive
Bethesda MD 20892
ph 301-594-0025
fax 301-402-0396
*****
> Help Mr. Moderator!
> [...]

Sometimes it is very helpful to know a bit about this kind of stuff. E.g. some time ago we had the problem that nobody remembered the admin password for one of our confocal microscope computers...
*****
Help Mr. IT Person,

We use a COMPUTER to view our imaging results and can no longer gain access to it due to forgetting passwords of insane complexity and length or have been hacked because someone made the admin password "Admin1234".

Advice please...

-----Original Message-----
From: Confocal Microscopy List [mailto:[hidden email]] On Behalf Of rjpalmer
Sent: 12 August 2011 13:40
To: [hidden email]
Subject: Re: Password Strength

[...]
*****
I'm not an IT person, nor do I play one on TV or lists, but here's a genuine solution, but not acceptable for folks who feel all computers HAVE to be connected to everyplace in the universe.

Take the computer off the network. Require your users to transfer data using removable drives. Whiners can find another machine. Still have problems with crap on your machine? Water-board your users until someone 'fesses up.

That's what I do. It's worked fine, and since the time of floppy disks. Haven't had to water-board anyone yet.

On Aug 12, 2011, at 9:22 AM, Scott, Mark wrote:

> [...]

Robert J. Palmer Jr., Ph.D.
Natl Inst Dental Craniofacial Res - Natl Insts Health
Oral Infection and Immunity Branch
Bldg 30, Room 310
30 Convent Drive
Bethesda MD 20892
ph 301-594-0025
fax 301-402-0396
*****
I think Robert Hooke's solution is more elegant: use paper and pen, draw whatever you saw under the microscope. After all, his Micrographia is very beautiful, a genuine classic. Drawing used to be a required skill for biologists. The good old days. :-)

On Fri, Aug 12, 2011 at 9:44 AM, rjpalmer <[hidden email]> wrote:

> [...]

--
Tao Tong
Bio-Imaging Resource Center
Rockefeller University
Box 209/Bronk 202
1230 York Avenue, New York, NY 10065
Tel: 212-327-7283