hirez: (Bunny Eye)
[personal profile] hirez
However, first a word about brains.

I've been guzzling Omega 3+6+9 pills as an experiment for a number of months. I don't much care if it's just a placebo effect, but they've made a deal of difference to my powers of concentration and focus. However, the last couple of months have been a bit, well, 'meh', as the young people will have it. This appears to coincide with necking fish-based Omega pills, rather than the Linseed ones I was using before, and again since yesterday. I'm not sure what, if anything, it means. I'm probably just more awake because the weather's nice, but if I'm firing on all cylinders I'm not going to knock it.

Anyway. Generating good-quality passwords. Last night's brief bit of hackery demonstrated that there's no point trying to remember the administrator password on this Windows box, since it's quicker and easier to crack it directly from the hash-table. Assuming a dictionary-ish word with leetspeak number/character substitutions:

0:00:00:49 + Cracked Administrator
0:00:00:00 + Cracked test5:2
0:00:00:00 + Cracked test1:2
0:00:00:27 + Cracked test6:2
0:00:00:33 + Cracked Guest
0:00:00:44 + Cracked test2:2
0:00:03:04 + Cracked test4:2
0:00:13:53 + Cracked test5:1
0:00:26:09 + Cracked test1:1
0:00:26:35 + Cracked test3
0:00:41:23 + Cracked test6:1


Times are deltas, and the :1 :2 bits are an artifact of the rubbish way that Winders stores passwords. The point being that the Guest account had a p/w of 'fnord' which is both short and reasonably obvious, the Admin account has a p/w that's in the 'obvious password list'... And the others that took circa thirty minutes rather than thirty seconds were all non-dictionary but pronounceable.

I've been a fan of pronounceable passwords ever since I had to solve this problem the first time, when we were running the ISP nearly ten years ago. Somehow I found this Java password generator, and I've used it on and off ever since. The benefits are obvious. It's a lot easier to remember something which sounds like a real word.

A quick scan of the Winders password-generator 'market' seems to indicate that they're all over-featured and horrible, apart from the one based on the code mentioned above. Unfortunately, the UI is in some non-standard colour set which makes my eyes itch. Can you still hack that sort of thing with a resource editor? It also comes sans source, which makes me slightly uncomfortable. Were I an enterprising cracker, I'd build a password generator that 'phoned home' every so often. I'd probably also get it to disguise its phoning as DNS traffic, on the off-chance that our target was clued enough to be watching the firewall logs.

So that's the generation of suitably obscure passwords sorted. How about remembering which one goes where and making sure you don't use the Paypal one somewhere else by accident? Password safe appears to be the tool to use.

Lord knows what Mac users do. Nothing important enough to require remembering lots of passwords, it would seem.
Edit: They read the first two comments and look smug. Very fine indeed.

KDE's kwallet also appears to do the right thing. I have to admit that I've not yet had to use it properly.
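An added example, not part of the original post and not the Java generator it mentions: a pronounceable-password sketch that also shows why the ':1' and ':2' pieces in the listing above fall separately. It assumes those suffixes are the two 7-character halves of a legacy LM hash; the alphabet and function names are made up for illustration.

```python
import math
import secrets

# Assumed alphabet for this sketch (not taken from any generator the post mentions).
CONSONANTS = "bcdfghjklmnprstvwz"  # 18 letters
VOWELS = "aeiou"                   # 5 letters

def pronounceable(n_syllables=4):
    """Concatenate consonant-vowel-consonant syllables drawn with the OS CSPRNG."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
        for _ in range(n_syllables)
    )

def lm_halves(password):
    """Pre-hash step of legacy LM storage: upper-case, NUL-pad to 14, split 7/7."""
    padded = password.upper()[:14].ljust(14, "\0")
    return padded[:7], padded[7:]

def split_cost(length):
    """Return (bits if hashed whole, effective bits when each half is searched alone)."""
    sizes = [len(VOWELS) if i % 3 == 1 else len(CONSONANTS) for i in range(min(length, 14))]
    bits = [math.log2(s) for s in sizes]
    first, second = sum(bits[:7]), sum(bits[7:])
    # Independent halves cost 2^first + 2^second guesses, not 2^(first + second).
    return first + second, math.log2(2 ** first + 2 ** second)

if __name__ == "__main__":
    pw = pronounceable(4)
    whole, effective = split_cost(len(pw))
    print(pw, lm_halves(pw))
    print(f"whole: {whole:.1f} bits, split into halves: {effective:.1f} bits")
```

With this alphabet a 12-character password is worth about 42.6 bits as a whole but only about 25.5 once the halves can be searched independently.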

On the Mac....

Date: 2006-02-11 03:55 pm (UTC)
From: [identity profile] codepope.livejournal.com
At the lowest level, there's the Keychain Access app and the Keychain built into the OS.

http://www.informit.com/articles/article.asp?p=31932&seqNum=1

(Predominantly a transient password store, but it's evolved with the .Mac syncing and secure notes to be a tad more useful)

But there's a slew of Mac utilities.... some even compatible with Password Safe like http://www.fpx.de/fp/Software/Gorilla/

Re: On the Mac....

Date: 2006-02-11 03:59 pm (UTC)
From: [identity profile] codepope.livejournal.com
Oh, I forgot to mention; there's a password assistant built in to OSX.

http://www.apple.com/macosx/tips/password13.html

Date: 2006-02-11 04:50 pm (UTC)
redcountess: (Default)
From: [personal profile] redcountess
Funnily enough, I've had the opposite results with fish oil vs flaxseed - the fish oil makes an improvement while the flaxseed doesn't. Of course I have to remember to take the bloody things in the first place!

Date: 2006-02-11 05:00 pm (UTC)
From: [identity profile] malcygoff.livejournal.com
Strangely enough, I was having a chat with my boss about the fish based Omega tablets we produce at work.
He didn't go into the details, but the gist of it was that all of the good that is done, is offset by the other chemicals that can't be separated easily[1].

Have you had a chance to use Password Safe yet? I've not gotten around to it, but a couple of the IT spodcasts I listen to have said that it's very good; decent security, usable and trustworthy.

/me is presently trying to download 42gb of rainbow tables, just to see how good lookups are in place of brute force. Although I know they are quicker, it's a question of by how much.

[1] or possibly, economically.

Date: 2006-02-11 05:19 pm (UTC)
From: [identity profile] hirez.livejournal.com
That seemed to be the intelligence (Haw!) from the Guardian (I think) the other month. I thought I'd try both of them to see what happened.

Date: 2006-02-11 05:31 pm (UTC)
From: [identity profile] hirez.livejournal.com
Ah. Interesting. I have to admit that mashed plant sits better with me than the thought of mashed fish.

I'm trying it now; it seems to function as advertised.

Rainbow tables. Yes.

Date: 2006-02-11 06:00 pm (UTC)
From: [identity profile] aeia.livejournal.com
I've been taking Omega 3 oils for a while now. I need to make sure I remember to take them every day though and take them with food or I feel sick. I was taking one 1000mg capsule a day but might start taking 2 as 2 were used in an arthritis trial recently and did help.

I've been feeling a bit mixed between times of meh and times of energy over the last couple of months; I think it cycles with the sunny vs dark grey days though!

Date: 2006-02-11 06:09 pm (UTC)
From: [identity profile] quercus.livejournal.com
I've used PasswordSafe for years. Swear by it. It's a product of one of the (about 4) people I'd trust to do security right, which is always a good recommendation.

Date: 2006-02-11 07:55 pm (UTC)
From: [identity profile] hirez.livejournal.com
Further, there's a thing in the Guardian colour section about the various Omegas and the best ratios for useful results.

Date: 2006-02-11 07:58 pm (UTC)
From: [identity profile] hirez.livejournal.com
I keep them next to the computer, so I can stuff one down when I stumble in to rescue my phone in the AM. I prefer the flax ones; they don't make you burp fish like a cat.

You're probably right about the sunlight. However, I'm hoping I can keep this kind of work-rate up. I enjoy being like this.

Date: 2006-02-12 12:38 am (UTC)
diffrentcolours: (Default)
From: [personal profile] diffrentcolours
I tend to use pwgen to generate passwords, and am not that bad at remembering them. I do use passwords across multiple sites, but only for equivalent levels of both convenience and hassle (i.e. all my webmail stuff).
