<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
Hi David,<br>
<br>
I posted the original message on this topic. Actually, the party never
got started very well. The discussion drifted into whether pass
phrases are better (sometimes they are) or whether password cards are
better (sometimes they are). However, the merits of the OTG system for
it's intended purpose were never discussed in any depth. The intended
purpose is to allow average users to easily create moderate length
cryptographically strong passwords that are unique for each site they
visit. The sites in question, many times, will not accept long complex
passwords. Furthermore, the system allows the user to create said
passwords without using anything other than the piece of paper with the
grid on it. All they need to traverse the grid is the domain name of
interest. They don't have to remember any key code to get them to
their password (as in pass cards), and they can use the password in
places where a pass phrase will not be accepted, unless it's a very
short pass phrase. As I mentioned in one of the posts, I deal with two
sites which will only accept 8 character passwords, so even the default
method of the OTG system which generates a 12 character upper / lower
case password won't work. If desired, entropy of the final password
can be increased by adding length, symbols, or numbers. I am currently
evaluating all these methods to go to a system of having one password
for every website. Not sure what I'm going to do yet. I may end up
using something like OTG to generate some passwords and something like
LastPass to enter them into websites automatically. Then I can save
the grid for later reference. At sites where pass phrases of decent
length will work, I'll probably use those. As I see it, the pros and
cons for each method are:<br>
<br>
* Pass Phrases - easiest to remember, if you have a dozen - probably
still have to write down, long ones or ones with symbols won't work for
many sites, good entropy if they're long, if attacker knows you're
using words separated by spaces, his search for your pass phrase
becomes much easier<br>
<br>
* Password Cards - somewhat easy to remember a key code, if you have a
dozen - probably still have to write key codes down, shorter ones
should work for most sites, longer ones won't<br>
<br>
* OTG - nothing to remember - use the domain name, if you have a dozen
- generate as needed, somewhat tedious, shorter ones should work for
most sites, longer ones won't<br>
<br>
Sincerely,<br>
<br>
Ron<br>
<br>
<br>
On 9/5/2011 10:14 PM, David Hillman wrote:
<blockquote
cite="mid:CA+f4BnMOmV_jYF+SfY9vysJ0XbjB=R-L=Jk60D2x5bKKjMaWKg@mail.gmail.com"
type="cite">I guess I came too late to the party. I read "Off The
Grid" and wondered how long it would be before really well-informed
people poked holes in the whole idea. To me, it looks like it'll do a
better job of creating passwords than most of the user population (who
might find it to be too complicated). The rest will have to be handled
by the system administrator with a defense strategy that consists of a
mile-wide moat filled with alligators, rocks and burning faeces.
Intruders tend to shy away from that level of stinkiness. Now that I
have contributed, I can go back to reading about Single Packet
Authorization (SPA).
<div>
<div><br>
<br>
<div class="gmail_quote">On Sun, Sep 4, 2011 at 8:56 PM, Michael H.
Warfield <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>></span> wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On Sun, 2011-09-04 at 19:49 -0500, Pat Regan wrote:<br>
> On Sat, 03 Sep 2011 20:06:56 -0400<br>
> "Michael H. Warfield" <<a moz-do-not-send="true"
href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>> wrote:<br>
><br>
> > The forced changes provide no benefit and yet add that little
tiny<br>
> > extra opportunity of additional threat. And, yes, there are
password<br>
> > sniffers that will fire on password changes so they follow
your<br>
> > changes as you make them. Factor it in how you will.<br>
<br>
> A company I used to work for about a decade ago had a 60 or 90 day<br>
> schedule on their forced password changes. The requirements for
the<br>
> passwords weren't very strict, either.<br>
<br>
> Most of the customer service people ended up teaching each other
the<br>
> same password scheme of current month+year (jan99, for example).
Since<br>
> those passwords were good for 60 or 90 days, you could walk out on
that<br>
> call center floor and guess almost anyone's password in 2 or 3
tries.<br>
<br>
</div>
In my talks on this, I try to dance around it a little bit without being<br>
as blatant as that, but you are absolutely correct. Forced expiration<br>
and password changes invariably force most users into predictable<br>
patterns which are of no benefit and often just the opposite.<br>
<br>
The other effect, when password strength/complexity checkers are not<br>
enforced, is the "jumping in front of the bus effect". Small but real,<br>
it's the case where a user is forced to change his password and he<br>
changes it to one that the attackers are using to guess... Powned...<br>
<br>
> Pat<br>
<div>
<div class="h5"><br>
Regards,<br>
Mike<br>
--<br>
Michael H. Warfield (AI4NB) | <a moz-do-not-send="true"
href="tel:%28770%29%20985-6132" value="+17709856132">(770) 985-6132</a>
| <a class="moz-txt-link-abbreviated" href="mailto:mhw@WittsEnd.com">mhw@WittsEnd.com</a><br>
/\/\|=mhw=|\/\/ | <a moz-do-not-send="true"
href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a>
| <a moz-do-not-send="true" href="http://www.wittsend.com/mhw/"
target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best
of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of
it!<br>
</div>
</div>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a moz-do-not-send="true" href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Ale mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ale@ale.org">Ale@ale.org</a>
<a class="moz-txt-link-freetext" href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a>
See JOBS, ANNOUNCE and SCHOOLS lists at
<a class="moz-txt-link-freetext" href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT c3energy.com
</pre>
</body>
</html>