From owner-freebsd-security  Wed Jun 19 14:48:10 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131])
	by hub.freebsd.org (Postfix) with ESMTP id 98B5237B400
	for <freebsd-security@FreeBSD.ORG>; Wed, 19 Jun 2002 14:47:40 -0700 (PDT)
Received: from localhost (ryan@localhost)
	by ren.sasknow.com (8.11.6/8.11.6) with ESMTP id g5JLlaP33773;
	Wed, 19 Jun 2002 15:47:36 -0600 (CST)
	(envelope-from ryan@sasknow.com)
Date: Wed, 19 Jun 2002 15:47:36 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: Eric F Crist <ecrist@adtechintegrated.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Password security
In-Reply-To: <002101c217a7$e3c28ab0$77fe180c@armageddon>
Message-ID: <20020619153600.U32240-100000@ren.sasknow.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Eric F Crist wrote to 'Ryan Thompson':

> Just curious, what kinds of things are you trying to secure that the
> basic password system hasn't worked for you?

Enough valuable company data to *not* trust staff passwords with an
effective 20-30 bits of entropy. :-)

Even most "well-chosen" passwords that can be remembered have very
limited entropy. (With the exception of good approaches like that
suggested by Bill M).

The point of my original post (which is being rather clouded by some
of these very interesting replies :-) was to do a little (or a lot)
better than the passwords that users typically pick, with the use of a
human-readable generated token system, as opposed to simply
remembering a shared secret that can be broken with a dictionary
attack plus brute force in a matter of hours.


> I personally have done work for people like the Minnesota Dept of
> Agriculture in this area for building and network security, and it
> has worked wonderfully for the last 4 years. Just curiousity on my
> part.  ;)

Understood :-)

- Ryan

-- 
  Ryan Thompson <ryan@sasknow.com>

  SaskNow Technologies - http://www.sasknow.com
  901 1st Avenue North - Saskatoon, SK - S7K 1Y4

        Tel: 306-664-3600   Fax: 306-664-3630   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message