decoration decoration
Stories

GROKLAW
When you want to know more...
decoration
For layout only
Home
Archives
Site Map
Search
About Groklaw
Awards
Legal Research
Timelines
ApplevSamsung
ApplevSamsung p.2
ArchiveExplorer
Autozone
Bilski
Cases
Cast: Lawyers
Comes v. MS
Contracts/Documents
Courts
DRM
Gordon v MS
GPL
Grokdoc
HTML How To
IPI v RH
IV v. Google
Legal Docs
Lodsys
MS Litigations
MSvB&N
News Picks
Novell v. MS
Novell-MS Deal
ODF/OOXML
OOXML Appeals
OraclevGoogle
Patents
ProjectMonterey
Psystar
Quote Database
Red Hat v SCO
Salus Book
SCEA v Hotz
SCO Appeals
SCO Bankruptcy
SCO Financials
SCO Overview
SCO v IBM
SCO v Novell
SCO:Soup2Nuts
SCOsource
Sean Daly
Software Patents
Switch to Linux
Transcripts
Unix Books

Gear

Groklaw Gear

Click here to send an email to the editor of this weblog.


You won't find me on Facebook


Donate

Donate Paypal


No Legal Advice

The information on Groklaw is not intended to constitute legal advice. While Mark is a lawyer and he has asked other lawyers and law students to contribute articles, all of these articles are offered to help educate, not to provide specific legal advice. They are not your lawyers.

Here's Groklaw's comments policy.


What's New

STORIES
No new stories

COMMENTS last 48 hrs
No new comments


Sponsors

Hosting:
hosted by ibiblio

On servers donated to ibiblio by AMD.

Webmaster
Pure Gold | 248 comments | Create New Account
Comments belong to whoever posts them. Please notify us of inappropriate comments.
Pure Gold
Authored by: briand on Tuesday, August 21 2012 @ 06:48 PM EDT
Also, consider using (or offering to your users if you are an admin), something like the "xkcd.com/936" technique.

I have made it available as a perl module, Crypt::PW44, which is on the CPAN network. at this link

It generates 44-bit passwords using 4 random short words from the english language, specifically from the S/KEY dictionary.

It can be used as a cgi-bin script (to present random passwords for users to use), or used in any perl script for creating passwords.

The hard-core folks might want to use 66-bit passwords, which is what S/Key generates.

Having a random password is the key, don't use one base password with appended guessable text!!!

If you need to store your passwords, use a strong key for the password file, and super-strong passphrase.

briand

[ Reply to This | Parent | # ]

    SHA1 is probably good enough
    Authored by: Anonymous on Wednesday, August 22 2012 @ 01:14 PM EDT
    Even MD5 is probably good enough. As far as I know, there is still no practical
    way of finding a string with a given MD5 hash value. If you believe otherwise,
    please prove it to me. The MD5 hash of my password is
    2dd2b74b6790710118ed704aa3066760. What is my password?

    Obviously, if I were setting up a new system I would choose a stronger hash
    function than MD5 or SHA1, but the use of those weaker hash functions in
    existing password systems doesn't really create a significant risk. People don't
    crack passwords by reversing the hash function; they crack passwords by guessing
    them. My password (the one whose hash I gave above) is not easy to guess.

    [ Reply to This | Parent | # ]

    More recommendations for sites
    Authored by: Anonymous on Wednesday, August 22 2012 @ 01:37 PM EDT

      A: Stop putting a max limitation on passwords.
      B: Upgrade your software so special characters can be used.
    It's sad to see some sites are still limiting passwords to "between 8 and 12 characters" and not allowing special characters to be used.

    Better to open the password to be able to use a pass phrase so a person can easily have a 30 (or more) character phrase with a nice mix of upper and lower case combined with special characters.

    RAS

    [ Reply to This | Parent | # ]

    Groklaw © Copyright 2003-2013 Pamela Jones.
    All trademarks and copyrights on this page are owned by their respective owners.
    Comments are owned by the individual posters.

    PJ's articles are licensed under a Creative Commons License. ( Details )