[clug] [OT] all text passwords == secure?

Sam Couter sam at couter.id.au
Mon Aug 27 06:23:21 MDT 2012


Scott Ferguson <scott.ferguson.clug at gmail.com> wrote:
> But you're not 'most public servants'. i.e. not merely a computer
> operator. ;-)

True.

> I use john (the ripper) for a similar thing.

That's exactly the tool we used at the time, and I've used it since for
"academic" purposes.

> Most likely there is also a policy in place that locks out attempts
> after a number of failures within a given time period.

Yes, which means the service desk is kept busy unlocking accounts all the
time, especially for developers who have accounts in production and
development trust domains and applications that store authentication
credentials (username and password) instead of a pre-authenticated token
such as a Kerberos ticket. The limit should be much higher, possibly
unlimited in the dev domain.

> I've seen lots of presentations for biometric and presence based
> authentication systems... which are much hyped. But every one I've
> looked at had gaping holes - and significantly higher costs.

Biometric systems have fundamental problems. Once they've been
compromised, it's impossible to change the authentication secret. I'm
not getting Face/Off style surgery just because somebody worked out how
to break the facial recognition system. My face is also public
information. Anybody with a good enough facsimile will pass. It's also
not exactly the same with every scan, so it's no good as a cryptographic
key, for example.
-- 
Sam Couter         |  mailto:sam at couter.id.au
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
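Added example (not part of the original thread, and not any real site's policy): a minimal sliding-window account-lockout policy of the kind Scott describes ("lock after N failures within a given time period"), plus a simulation of the failure mode Sam mentions: an application holding a stored, now-stale password keeps retrying and locks the developer's real account, so the human owner is rejected even with the correct password. The thresholds, user name and retry timeline are assumptions for illustration.

```python
"""Added example: sliding-window account lockout and the stale-credential
failure mode. Thresholds, names and the timeline are assumed values."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int = 5            # failures tolerated inside the window
    window_seconds: float = 300.0    # sliding window for counting failures
    lockout_seconds: float = 900.0   # how long the account stays locked
    # per-user timestamps of recent failures (sliding window)
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    # per-user time at which an active lockout expires
    _locked_until: dict = field(default_factory=dict)

    def _prune(self, user, now):
        # drop failures that have aged out of the window
        q = self._failures[user]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]   # lockout has expired
            return False
        return True

    def record_attempt(self, user, ok, now):
        """Return True if the attempt is accepted, False if rejected.
        A correct password presented while locked is still rejected,
        which is exactly what makes lockouts a denial-of-service lever."""
        if self.is_locked(user, now):
            return False
        if ok:
            self._failures[user].clear()   # success resets the counter
            return True
        q = self._failures[user]
        q.append(now)
        self._prune(user, now)
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            q.clear()
        return False


def simulate_stale_credential(policy, user="devuser", retry_every=60.0,
                              human_at=400.0):
    """Assumed scenario: a batch job with an old stored password retries
    every `retry_every` seconds from t=0; the human owner then logs in with
    the correct password at t=`human_at`.
    Returns (time the account got locked or None, human login accepted?)."""
    locked_at = None
    t = 0.0
    while t <= human_at:
        policy.record_attempt(user, ok=False, now=t)   # stale password
        if locked_at is None and policy.is_locked(user, t):
            locked_at = t
        t += retry_every
    human_ok = policy.record_attempt(user, ok=True, now=human_at)
    return locked_at, human_ok


if __name__ == "__main__":
    # default policy, job retrying once a minute: locked at t=240, human rejected
    print(simulate_stale_credential(LockoutPolicy()))
    # same policy, job retrying every two minutes: failures age out, never locks
    print(simulate_stale_credential(LockoutPolicy(), retry_every=120.0))
    # a very high threshold (Sam's "much higher" suggestion for dev): never locks
    print(simulate_stale_credential(LockoutPolicy(max_failures=1000)))
```

With the default policy the job's fifth failure at t=240 locks the account for 15 minutes, and the owner's correct login at t=400 is refused; the same job retrying every two minutes never accumulates five failures inside the 300-second window, which is why the window and the threshold, not just the threshold, decide how much service-desk traffic a policy generates.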