Safety Chicken speaks to the nation about the terrible state of the Windows software ecosystem

Feb 11, 2006 15:33

However, first a word about brains.

I've been guzzling Omega 3+6+9 pills as an experiment for a number of months. I don't much care if it's just a placebo effect, but they've made a deal of difference to my powers of concentration and focus. However, the last couple of months have been a bit, well, 'meh', as the young people will have it. This appears to coincide with necking fish-based Omega pills, rather than the Linseed ones I was using before, and again since yesterday. I'm not sure what, if anything, it means. I'm probably just more awake because the weather's nice, but if I'm firing on all cylinders I'm not going to knock it.

Anyway. Generating good-quality passwords. Last night's brief bit of hackery demonstrated that there's no point trying to remember the administrator password on this Windows box, since it's quicker and easier to crack it directly from the hash-table. Assuming a dictionary-ish word with leetspeak number/character substitutions:

0:00:00:49 + Cracked Administrator
0:00:00:00 + Cracked test5:2
0:00:00:00 + Cracked test1:2
0:00:00:27 + Cracked test6:2
0:00:00:33 + Cracked Guest
0:00:00:44 + Cracked test2:2
0:00:03:04 + Cracked test4:2
0:00:13:53 + Cracked test5:1
0:00:26:09 + Cracked test1:1
0:00:26:35 + Cracked test3
0:00:41:23 + Cracked test6:1

Times are deltas, and the :1 :2 bits are an artifact of the rubbish way that Winders stores passwords. The point being that the Guest account had a p/w of 'fnord' which is both short and reasonably obvious, the Admin account has a p/w that's in the 'obvious password list'... And the others that took circa thirty minutes rather than thirty seconds were all non-dictionary but pronounceable.

I've been a fan of pronounceable passwords ever since I had to solve this problem the first time, when we were running the ISP nearly ten years ago. Somehow I found this Java password generator, and I've used it on and off ever since. The benefits are obvious. It's a lot easier to remember something which sounds like a real word.
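As an added example, not the author's code nor the Java generator the post refers to, here is a small Python generator in the same pronounceable style, with a back-of-envelope entropy comparison showing why the pronounceable passwords outlasted the leet-substituted dictionary words above; the syllable inventory, the 50,000-word dictionary size and the substitution table are assumptions.

```python
import math
import secrets

# Constructed syllable inventory (my assumption, not the post's Java generator).
# It is chosen so every output parses back into syllables one way only (no onset
# equals coda+onset, no consonant appears in VOWELS), so the entropy below is exact.
ONSETS = ["b", "d", "f", "g", "k", "l", "m", "n", "p", "r", "s", "t", "v", "z",
          "bl", "br", "ch", "dr", "fl", "gr", "pl", "pr", "sh"]
VOWELS = ["a", "e", "i", "o", "u", "ai", "ee", "oo", "ou"]
CODAS = ["", "n", "r", "s", "t", "l", "k", "m"]
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}   # assumed substitution table


def pronounceable(syllables=4, rng=secrets):
    """Word of onset+vowel+coda syllables, e.g. 'grantoupish'; rng must offer choice()."""
    return "".join(rng.choice(ONSETS) + rng.choice(VOWELS) + rng.choice(CODAS)
                   for _ in range(syllables))


def pronounceable_bits(syllables=4):
    """Entropy in bits: each syllable is one uniform draw from |ONSETS|*|VOWELS|*|CODAS|."""
    return syllables * math.log2(len(ONSETS) * len(VOWELS) * len(CODAS))


def leet_dictionary_bits(word, dictionary_size):
    """Bits of search space for a word from an N-word list where each substitutable
    letter may or may not have been leet-swapped: N * 2**k candidates."""
    k = sum(1 for ch in word.lower() if ch in LEET)
    return math.log2(dictionary_size) + k


def random_bits(length, alphabet_size=62):
    """Entropy of a uniformly random string over an alphabet (62 = [A-Za-z0-9])."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("pronounceable sample:", pronounceable(4))
    print(f"pronounceable, 4 syllables: {pronounceable_bits(4):.1f} bits")
    print(f"'password' from a 50,000-word list with leet: "
          f"{leet_dictionary_bits('password', 50000):.1f} bits")
    print(f"8 random alphanumerics: {random_bits(8):.1f} bits")
```

A four-syllable word from this inventory sits around 43 bits, far above a leet-swapped dictionary word but still below eight fully random alphanumerics, which is the trade-off the post accepts for memorability.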

A quick scan of the Winders password-generator 'market' seems to indicate that they're all over-featured and horrible, apart from the one based on the code mentioned above. Unfortunately, the UI is in some non-standard colour set which makes my eyes itch. Can you still hack that sort of thing with a resource editor? It also comes sans source, which makes me slightly uncomfortable. Were I an enterprising cracker, I'd build a password generator that 'phoned home' every so often. I'd probably also get it to disguise its phoning as DNS traffic, on the off-chance that our target was clued enough to be watching the firewall logs.

So that's the generation of suitably obscure passwords sorted. How about remembering which one goes where and making sure you don't use the Paypal one somewhere else by accident? Password Safe appears to be the tool to use.

Lord knows what Mac users do. Nothing important enough to require remembering lots of passwords, it would seem.
Edit: They read the first two comments and look smug. Very fine indeed.

KDE's KWallet also appears to do the right thing. I have to admit that I've not yet had to use it properly.

hacking, unstructured wardrobes, futility, unstructured programming
