Results tagged “security”

  Good Password Checker

xkcd illustrates the biggest problems I have with web-based passwords: they are easy to forget and easy to break by brute force. What we really want is something that is easy to remember but hard to guess and hard to brute-force. That means adding entropy, and the cheapest way to add entropy is length: a long password is better, especially if someone is looking over your shoulder.

Most password strength checkers look only for the attributes mentioned in the above comic, and do nothing but make us create passwords that either:

a) we soon forget

or b) someone else can easily hack

You know it's bad when four random words put together form a better password than all the ones you have previously been using, or the ones a website forces you to use.

 


Here is a much better password checker that includes an entropy estimate as part of its check. It comes from this Original Site:

People wonder if their password is a good password. I often come across two distinct groups of people. The first would fall into a "just use any word" category, which is a very bad practice for picking passwords. The second group will mix in a few numbers in order to make the password a lot harder to guess. But how do you know if you have a secure passphrase?

 

Good passwords / passphrases:
... should be 8 characters or longer, which forces you to use multiple words or extra symbols.
... should have upper case, lower case, symbols, and numbers; or at least three of those four groups.
... should not be a common word and should not be a common phrase.
... should not contain a date, a name, or other things that can be associated with you.
... should be created randomly or semi-randomly.

This password checker will gauge your password and give it a score based on how good of a password it is. It will let you know if you picked a common password (don't do that!) and it will also take into account the probability of letters landing close to each other. For instance, "Q" is almost always followed by "U", so your password's score won't increase much when you type in the "U".

I use cryptographically-minded descriptions to describe how weak or strong a password is. For email accounts, passwords to log into your personal machine, and other things that don't require the most strict authentication, feel free to use a password that is deemed "Weak" or "Reasonable".

This runs completely in your browser and sends no information to anyone. If you are paranoid, you can read the source code, unplug your machine from the internet, or just use a password that is similar to yours. Also, please keep in mind that this is an estimate of how strong your password is, and there is no guarantee that the information shown is correct.






  • Warnings are shown if you enter a common password.
  • Warnings are shown if your password is very short (4 or fewer characters) or if it is short (fewer than 8 characters).
  • Password strength is determined with this chart, which might be a bit of a stretch for a non-critical password:
    • < 28 bits = Very Weak; might keep out family members
    • 28 - 35 bits = Weak; should keep out most people, often good for desktop login passwords
    • 36 - 59 bits = Reasonable; fairly secure passwords for network and company passwords
    • 60 - 127 bits = Strong; can be good for guarding financial information
    • 128+ bits = Very Strong; often overkill
  • The number of bits listed for entropy is an estimate based on letter pair combinations in the English language. To make the frequency tables a reasonable size, I have lumped all non-alphabetic characters together into the same group. Because of this, your entropy score will be lower than your real score when you use several symbols.
  • For determining the character set, letters are grouped into a-z, A-Z, numbers, symbols above numbers, other symbols, and other characters. If your passphrase contains a character from a subset, that subset is added to the pool, increasing the size of the character set and increasing the amount of entropy in your password.
For further information, try NIST's Special Publication 800-63, Electronic Authentication Guideline, Appendix A: Estimating Password Entropy and Strength. Also, C.E. Shannon's A Mathematical Theory of Communication.
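As an added worked example (not the original site's passchk code), here is a small JavaScript estimator that applies the three ideas the notes above describe: size the guessing pool from the character classes that actually appear, charge a character fewer bits when it is well predicted by the one before it (the "U" after a "Q"), and map the total onto the strength chart. It also emits the warnings from the rules list. The bigram table, the common-password list and the pool size for the "other" class are constructed assumptions for illustration; the real tool uses full English letter-pair tables.

```javascript
// Added example, not the original passchk.zip code. Runs under node.

// Character classes that size the guessing pool, following the grouping in
// the notes. The size of the "other" bucket (non-ASCII etc.) is an assumption.
const CLASSES = [
  { name: 'lower',   re: /[a-z]/,                              size: 26 },
  { name: 'upper',   re: /[A-Z]/,                              size: 26 },
  { name: 'digit',   re: /[0-9]/,                              size: 10 },
  { name: 'shifted', re: /[!@#$%^&*()]/,                       size: 10 }, // above the number keys
  { name: 'symbol',  re: /[`~\-_=+\[\]{}\\|;:'",.<>\/? ]/,     size: 23 }, // other printable ASCII
  { name: 'other',   re: /[^a-zA-Z0-9!@#$%^&*()`~\-_=+\[\]{}\\|;:'",.<>\/? ]/, size: 32 },
];

// Constructed toy list; a real checker ships thousands of entries.
const COMMON_PASSWORDS = new Set(['password', '123456', 'qwerty', 'letmein', 'monkey']);

// Constructed toy bigram table: P(next letter | previous letter) for a few very
// predictable English pairs. Letters not listed, and all non-letters (which the
// original tool lumps into one group), fall back to a uniform pick from the pool.
const BIGRAM_P = {
  q: { u: 0.95 },
  t: { h: 0.30 },
  h: { e: 0.40 },
  e: { r: 0.20 },
  o: { r: 0.15 },
};

function log2(x) { return Math.log(x) / Math.LN2; }

// Size of the character set implied by the classes that appear in pw.
function poolSize(pw) {
  return CLASSES.filter(c => c.re.test(pw)).reduce((n, c) => n + c.size, 0);
}

// Naive estimate: every character is an independent uniform pick from the pool.
function naiveBits(pw) {
  return pw.length === 0 ? 0 : pw.length * log2(poolSize(pw));
}

// Bigram-aware estimate: a character predicted with probability P by its
// predecessor contributes -log2(P) bits instead of log2(pool).
function bigramBits(pw) {
  if (pw.length === 0) return 0;
  const uniform = log2(poolSize(pw));
  let bits = uniform;                         // first character has no context
  for (let i = 1; i < pw.length; i++) {
    const prev = pw[i - 1].toLowerCase();
    const cur = pw[i].toLowerCase();
    const p = BIGRAM_P[prev] && BIGRAM_P[prev][cur];
    bits += p ? -log2(p) : uniform;
  }
  return bits;
}

// The strength chart from the notes (the gaps between bands closed upward).
function rate(bits) {
  if (bits < 28) return 'Very Weak';
  if (bits < 36) return 'Weak';
  if (bits < 60) return 'Reasonable';
  if (bits < 128) return 'Strong';
  return 'Very Strong';
}

// Full check: entropy estimates, rating, and the warnings from the rules list.
function check(pw) {
  const warnings = [];
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) warnings.push('common password');
  if (pw.length <= 4) warnings.push('very short (4 or fewer characters)');
  else if (pw.length < 8) warnings.push('short (fewer than 8 characters)');
  // "at least three of the four groups": lower, upper, digits, symbols
  const groups = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/].filter(re => re.test(pw)).length;
  if (groups < 3) warnings.push('fewer than three character groups');
  const bits = bigramBits(pw);
  return {
    length: pw.length,
    pool: poolSize(pw),
    naiveBits: naiveBits(pw),
    bigramBits: bits,
    rating: rate(bits),
    warnings,
  };
}

for (const pw of ['quack', 'password', 'Tr0ub4dor&3', 'correct horse battery staple']) {
  console.log(pw, check(pw));
}
```

Two things worth noticing in the output. The four-word passphrase lands in the Very Strong band while still tripping the three-of-four-groups rule, which is exactly the comic's point: length buys far more entropy than mixed character classes. And the pool heuristic is generous, since one symbol anywhere credits the whole string with the symbol class; only the bigram model notices that "qu" is nearly free.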

If you really like this program and you want to include it with your software or on your site, you can download it here: passchk.zip (34 k). The code is licensed under the GPLv3, which may be of importance to note if you are including it as part of your custom software.


Having just gotten back from a grueling 4-leg trip to Hawaii, along with numerous air flights between islands, I have to say that security was less on my mind than crashing from pilot error, mechanical failure, or flying through a thunderstorm (as almost happened out of Oahu). First on my list of concerns was the hassle of getting through security; I had nothing to hide, but I was nervous like a criminal about to be caught for smuggling a pound of blow in my rectum. And it was all about shoes, belts, laptops, SCUBA equipment, and shampoo containers in a Ziploc bag.

The best defenses against terrorism are largely invisible: investigation, intelligence, and emergency response. But even these are less effective at keeping us safe than our social and political policies, both at home and abroad. However, our elected leaders don't think this way: They are far more likely to implement security theater against movie-plot threats.


A "movie-plot threat" is an overly specific attack scenario. Whether it's terrorists with crop dusters, terrorists contaminating the milk supply, or terrorists attacking the Olympics, specific stories affect our emotions more intensely than mere data does.


Stories are what we fear. It's not just hypothetical stories -- terrorists flying planes into buildings, terrorists with explosives strapped to their legs or with bombs in their shoes, and terrorists with guns and bombs waging a co-ordinated attack against a city are even scarier movie-plot threats because they actually happened.

Is aviation security mostly for show? - CNN.com

Interesting point. It also raises a question the novel Little Brother touches on: what happens when a government organization puts out its own version of ParanoidLinux in an attempt to snare those who think they need it?

It's not the "there are already too many distributions" argument that is unsettling. It is more that the project feels like a waste of human resources -- why is it necessary to put the applications and services designed to protect anonymity, to encrypt files, to make the user nameless and faceless, all together, in one distribution? Let's think in a truly paranoid manner. Wouldn't it be far easier for a nefarious government organization to target that distribution's repositories, mirror that singular distribution's disk images with files of its own design, and leave every last one of that distribution's users in the great wide open? It would take more effort, it would seem, for a despotic government to hit every last repository of every last distribution with a bogus security application.

Linux Rooted in Fiction: ParanoidLinux
