
What Was New Jan. - Mar. 17 2007

- What Was New: Jan. 2001 - Nov. 2003
- What Was New: July - Dec. 2000
- What Was New: April - June 2000

March 14, 2007: I've calculated the number of possible 10, 11, and 12 character Words Only passwords, as well as the matching cracking times (assuming the attacker knows such passwords are in use and uses a custom programmed attack). These have been added to the new Pattern Samples page. Calculating the longer passwords requires that the calculation be fully automated. When I've written the necessary program, I'll post the results.

March 13, 2007: The Password Generator has had a major facelift. Passwords display centered and much larger. Most of the sample patterns have been removed, and those that are left are rearranged into a more readable format, each with a brief description. All the removed pattern samples, plus several new ones, have been moved to an entirely new Pattern Samples page. The patterns have been placed into five groups, each of which has a sometimes substantial introduction. Each sample pattern has a usually brief description that often includes the non-default settings and what they do. While the original Instruction page remains largely as it was, its role is that of a technical reference. The new Pattern Samples page is more of a tutorial about the kinds of passwords created by the password generator and how to control the options to get different types of passwords. The whole page has an introduction titled General Considerations. In a very condensed manner this covers some of the key topics discussed in the Good and Bad Passwords section. The issues regarding random passwords versus structured passwords are addressed.

March 2, 2007: The Password Generator has a totally new Words Only option. Actually "option" is an understatement. Words Only is a completely new password generator, with totally separate logic for creating passwords, that shares the user interface of the older pattern based password generator. Words Only creates passwords from a list of two to five character words and names. Once combined, you'll be surprised how difficult it is to find the original words. Words Only will not allow any password shorter than 10 characters and defaults to 11 to 13 characters. Shortly I will write a new page that explains the logic behind Words Only, which seems to run counter to nearly everything I've said about passwords. Every password generated by the Words Only option will fail the Password Evaluator with its default options. I suggest setting the dictionary word length range to 7 to 10 rather than the default 3 to 7. It may also be useful to raise the "Maximum Sequence Characters," the "Maximum Repeat Characters," and the "Maximum 2 Character Pattern Repeats," each from 2 to 3 as needed. The defaults are aggressive settings, and while they may matter in a short password, they will have little impact in passwords 10 characters and longer. The Password Generator Instructions have a fair discussion of Words Only and its options and capabilities.

March 2, 2007: The Table of Times to Crack Passwords has been completely updated to account for the change in computer speeds since this was originally written in 2001. It has also been extended to 14 character passwords to show what can be done with all lower case passwords.

February 23, 2007: For the past several weeks I've been actively working with the site for the first time in almost 5 years. There are no big changes yet, but I'm working on some ideas that may be interesting, if I can get past some very bothersome issues related to how a small number of users are misusing and abusing the site.

Three changes, in order of importance, are 1) actions taken to limit bot or automated access, 2) changes to the Terms of Use, a close second, and 3) modest updates to the Password Generator. This last is the only one that I consider a positive development.

Web Bots: In January I had two days with approximately 10 times my normal traffic volume and I started to take steps to limit the heavy bot activity. When I got my latest bill in early Feb. my hosting costs just about doubled. I make no money from this site and I won't pay for people to play with electronic toys that grab web pages that are not being read. From the first day I made GeodSoft.com available on a public IP address in 2000, my Terms of Use have clearly stated that only public search engines that respect robots.txt and restrict their retrieval rates are allowed to use any programmed or automated access to retrieve GeodSoft web pages. This isn't the first time I've taken steps to limit access, but it's the first time in several years, and by far the largest and most aggressive.

Users must understand that this does not apply only to wget or any other dedicated tools for retrieving pages automatically. It also applies to browser add-ons such as Firefox's Fasterfox. The idea of grabbing all the URLs on a page while you read it, so that the next page you go to is already in your browser, is obscene. This is the biggest offense to the Internet since spam. It's pure selfishness. My pages average over 40 links per page. No matter what path you take, you can never read more than a fraction of the pages that are loaded. I'm paying out of my pocket for each of these pages.

If all web browsers were to adopt this strategy, it would increase the browsing load by ten or so times and totally alter network dynamics. Everybody's browsing would be noticeably slower. Email and web browsing account for the largest share of Internet traffic. If you increase one of these by an order of magnitude, everyone on the Internet will feel the effects. For those who have been around for a while, remember how the Internet used to bog down. If prefetch becomes a common browser strategy, that is what we will see again. The net is fast today because of the abundance of fiber optic cable installed in the late 1990s, but a massive increase in browsing loads could quickly alter this. Anyone who uses Fasterfox or a similar prefetch product on GeodSoft can expect to permanently lose access to GeodSoft in a few days, at most.

I have developed a series of scripts that slice and dice each day's logfile into highly selected views, with all the activity by one IP segregated into two views that tell me everything that matters. The highest levels of activity are looked at first and I can go as deep as I care to. The first view normally allows me to make a preliminary, but usually correct, analysis in about two seconds. It makes no difference whether 10 or 200 pages have been accessed. It does not matter what the user agent is, or whether or not robots.txt was accessed. It doesn't matter whether 10 pages are accessed in three seconds or 10 hours. If you summarize and display the right information in the correct order, automated access just does not look like human browsing. Finding the bots is trivial. The time consuming part is identifying the hundreds of legitimate search engines and separating those from individual users not authorized to use automated access, and making the borderline calls.

If I find an individual user accessing even fewer than 10 pages via an automated tool, I will block access to the site one way or another. Anyone who wants to can see what the blocked page looks like. I have cut my overall traffic levels dramatically from two or three weeks ago. I try to block with robots.txt or by user agent first, if that appears practical, but have no hesitation to block by IP address. I don't typically block a specific IP address but normally a range that I think will be large enough that even with a new address from DHCP, the offender likely will not have access. That means some innocent parties may be blocked. If you find yourself blocked and you know you are innocent, follow the instructions on the blocked page and I'll see what I can do. I've blocked some individuals, as well as some small companies, and two medium size European ISPs.

Terms of use: I've made several changes to the Terms of use. In late Oct. 2001, I decided that there was nothing I could do to stop people from copying my content. I'd seen several FAQs and other documents in multiple locations with credits to the author. I thought that if I switched to open content, and someone using my content could be completely legal by simply including my copyright and linking back to my site, this would be an obvious choice, rather than risk any copyright infringement actions. I was wrong.

I don't actively search for copies of my work but recently, by accident, I stumbled across a copy of one of my pages. The page had virtually all the unique contents of one of my pages, without any suggestion that it came from somewhere else. Since I found and acted on this one first, the hosting service has already blocked access to this page. Subsequent searches showed this page to have been copied thirty-some times. I've only looked at about six so far and of those only one made even a minimal effort to comply with my license.

If you've copied one or more of my pages, and not paid careful attention to the terms of the GeodSoft Publication License, do us both a favor and take it/them down. I'm not in a forgiving mood. Since Version 1.3, the GeodSoft Publication License has included section "V. VIOLATIONS Any person or organization that reproduces or distributes GeodSoft content in violation the terms of this license forfeits all future rights to display GeodSoft content under the terms of this license." and that expresses my sentiments quite accurately.

There are many changes between 1.3 and 1.5.01; 1.4 through 1.5 only lasted four days. GeodSoft.com is now covered by a simple and fairly common form of "shrinkwrap" license. By using the site you agree to its terms. This adds contract law to copyright law. Even if a copy you made was legal under copyright law, if it violates the terms of use there is a good chance you have no rights to it, based on contract violation. I've explicitly protected "fair use" in the License. People can still take limited sections, and criticize me or what I say. You still have to acknowledge the source, as it makes no sense to criticize an unknown author. Read the terms carefully if you are going to use anything from the site. I do have some very specific linking requirements in the expanded Fair Use section. Copyright law does not provide for anything like this; I believe contract law does, but it hasn't been tested in court yet, that I know of.

The long copyright notice and so-called "incorporation by reference" paragraph has two changes. The sentence "These terms are subject to change. Distribution is subject to the then current terms," was in 1.3. "Then" before "current terms" was removed because it was potentially ambiguous. I thought it was obvious that it applied to "then current", i.e., today's or the newly modified terms, but realized there was an alternative reading, though somewhat far fetched. The new statement is simpler and unambiguous.

Immediately following this, "or at the choice of the distributor, those defined in a verifiably dated printout or electronic copy of http://GeodSoft.com/terms.htm at the time of the distribution." has been replaced by "or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or terms.pl) from the time of the distribution." There has always been the problem of how you verifiably date a printout or electronic copy. For printouts it's hard to think of a way short of having it notarized that works reliably. For an electronic document, generally there is no way to stop the altering of time stamps or the changing of a computer's time.

There is one way that comes close: a digital signature, except that the time on the signing computer can easily be altered at the time the digital signature is created. I have created a second part to ensure the signing computer uses the correct time. Now the terms themselves have a time stamp. Currently the terms are a Perl script. Later, when I have time, I'll make them an .shtml document. It's not a simply formatted date and time; it's a coded 20 digit integer. A computer savvy person with some time can probably figure it out, but should not try. Changing the Terms time stamp voids the terms and any right to ever use any GeodSoft content.

The Terms' time stamp and the digital signature time stamp must be within five minutes of each other. This should not be a problem, as signing a document takes about 30 seconds, mostly depending on how long it takes you to enter your password or passphrase. The GnuPG command is:

 gpg --clearsign filename

and you will be prompted for your passphrase. You can pretype the command and practice with no file, and you'll just get an error message that the file does not exist. Refresh or reload the Terms page just before saving, and you should be able to do the whole process in 45 seconds.

gpg will create a new file named:

 filename.asc 

This contains the original file, three separator lines and, at the bottom, between the last two separator lines, a few lines of random looking characters. This is the signature. This file must never be altered in any way, which is another reason for putting it on a write-once CD or DVD. If a single byte is ever changed in the signed file or signature, the file will not verify. Having a time synchronized computer ensures that the time stamps will be consistent. If the computer is not time synchronized, then you should check your computer's time against a reliable source and set it to the correct time. If your computer is not time synchronized and you don't check, it could easily be off by five minutes.
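One way to check the five-minute rule on a signed copy, as an added Python example that is not part of the GeodSoft site's own tooling: it pulls the signature creation time out of the OpenPGP signature packet inside the .asc file and compares it with the Terms time stamp. The Terms stamp is assumed here to be a plain Unix time (the real one is a coded 20 digit integer whose layout is not published), and the sample clearsigned file is constructed for parsing only, not a real signature.

```python
"""Check a GnuPG clearsigned Terms file: read the signature creation time out of the
OpenPGP signature packet and confirm it is within five minutes of the time stamp the
signed text carries. Packet layout follows RFC 4880 (sections 4.2, 5.2.3 and 6)."""
import base64
import struct

MAX_SKEW_SECONDS = 5 * 60   # the Terms' tolerance between the two time stamps


def armored_signature_bytes(clearsigned_text):
    """Return the raw OpenPGP packet bytes from the PGP SIGNATURE block of a clearsigned file."""
    lines = clearsigned_text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNATURE-----")
        end = lines.index("-----END PGP SIGNATURE-----")
    except ValueError:
        raise ValueError("no PGP SIGNATURE block found")
    body = lines[start + 1:end]
    if "" in body:                      # armor headers (e.g. "Version: ...") end at a blank line
        body = body[body.index("") + 1:]
    # The final "=XXXX" line is the armor CRC-24, not part of the signature packet.
    return base64.b64decode("".join(line for line in body if not line.startswith("=")))


def packet_body(data):
    """Decode one OpenPGP packet header (old or new format) and return (tag, body)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                    # new-format header
        tag = first & 0x3F
        b1 = data[1]
        if b1 < 192:
            length, off = b1, 2
        elif b1 < 224:
            length, off = ((b1 - 192) << 8) + data[2] + 192, 3
        elif b1 == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                               # old-format header
        tag = (first >> 2) & 0x0F
        size = {0: 1, 1: 2, 2: 4}.get(first & 0x03)
        if size is None:
            raise ValueError("indeterminate length not supported")
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[off:off + length]


def signature_creation_time(packets):
    """Return the creation time (Unix seconds) from a v4 signature packet's hashed subpackets."""
    tag, body = packet_body(packets)
    if tag != 2:
        raise ValueError("expected a signature packet (tag 2), got tag %d" % tag)
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled, got version %d" % body[0])
    hashed_len = struct.unpack(">H", body[4:6])[0]
    sub = body[6:6 + hashed_len]
    pos = 0
    while pos < len(sub):
        l1 = sub[pos]
        if l1 < 192:
            length, pos = l1, pos + 1
        elif l1 < 255:
            length, pos = ((l1 - 192) << 8) + sub[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", sub[pos + 1:pos + 5])[0], pos + 5
        if sub[pos] & 0x7F == 2:        # subpacket type 2: Signature Creation Time
            return struct.unpack(">I", sub[pos + 1:pos + 5])[0]
        pos += length                   # length covers the type byte plus the data
    raise ValueError("signature has no creation-time subpacket")


def terms_time_matches(clearsigned_text, terms_timestamp):
    """Return (within_tolerance, skew_seconds). terms_timestamp is assumed to be plain Unix
    seconds; the real Terms page embeds a coded 20-digit integer whose layout is not published."""
    sig_time = signature_creation_time(armored_signature_bytes(clearsigned_text))
    skew = abs(sig_time - terms_timestamp)
    return skew <= MAX_SKEW_SECONDS, skew


def crc24(data):
    """OpenPGP armor checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def make_sample_clearsigned(text, sig_time):
    """Constructed clearsigned file whose v4 signature packet carries sig_time. The hash
    prefix and MPI are dummy bytes: it parses like gpg output but is not a real signature."""
    hashed = bytes([5, 2]) + struct.pack(">I", sig_time)        # one subpacket: creation time
    body = bytes([4, 0x01, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
    body += b"\x00\x00" + b"\xab\xcd" + b"\x00\x08\xff"          # no unhashed subpackets, hash prefix, 8-bit MPI
    packet = bytes([0xC2, len(body)]) + body                     # new-format header, tag 2
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n" + text
            + "\n-----BEGIN PGP SIGNATURE-----\n\n" + base64.b64encode(packet).decode()
            + "\n=" + crc + "\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    stamp = 1172232000                                           # 2007-02-23 12:00:00 UTC, constructed
    sample = make_sample_clearsigned("GeodSoft Terms of Use (constructed sample) stamp=%d" % stamp, stamp + 40)
    print(terms_time_matches(sample, stamp))                     # (True, 40)
```

Run `gpg --verify filename.asc` first; this check says nothing about whether the signature itself is valid.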

If there is ever any question about any pages you might be using, email a copy of the signed Terms, as an attachment, with your UTC offset, and I can verify you have valid terms, and will know the date range they apply to. Include a list of the pages that you are displaying or otherwise distributing, and the dates you downloaded or saved these pages. Include URLs where I can find the material, if I do not already know, and I can verify that any pages you have were from the period covered by your signed Terms. Legally the Terms apply to materials not distributed on the Internet, but unless someone reports illicit use, or by some freak chance I stumble on an improper hardcopy, I'm not likely to know of such use. I'll deal with such a situation, if and when it arises.

If you have multiple pages from periods that span one or more GeodSoft Publication License version changes, you will need a digitally signed copy of each license version. If you used or put on a web site files from different times, but all within a single period covered by the same version of the GeodSoft Publication License, then you need only one signed copy of the terms. Version 1.5.02 will be a different version than 1.5.01, even if the important or directly relevant terms have not changed. After a few more edits the Terms should become stable again. Version 1.3 was in effect more than three years. Now is not a good time to use GeodSoft content, as I've been editing the terms almost daily.

If there is any difference between the copyright notice on a content page and the one in the Terms of Use, the one in the Terms of Use must replace the one on the content page. Usually I keep the files in sync with the Terms of Use, but now that I'm on a hosted system with only ftp access, after I run the script to change the copyright notice, which is easy, I have to upload every file. Even doing a directory at a time it's tedious. When I managed my own servers I just made a tar archive and extracted the new files over the old on the server systems. I won't update the content files' copyright notices until I'm confident I have stable Terms.

Digital signing is simple if you use PGP or GnuPG, but not if you don't, and most people don't. The new terms mean that if you want assured continued access to specific web pages and content, you cannot make second or later generation copies; that is, you cannot copy from anyone except GeodSoft, because GeodSoft is the only source for a properly time stamped copy of the Terms of Use. Someone else's digitally signed Terms of Use are of no use to you because you cannot also be the owner of the key that signed the Terms of Use page. The new terms require that the "distributor", typically a webmaster or web site owner, own the digital key used to sign the Terms of Use.

Basically the same issue exists with pages copied between Oct. 2001 and Jan. 2007. All the GeodSoft Publication Licenses from 1.00 through 1.3 stated "a verifiably dated printout or electronic copy." Clearly I would accept a notarized printout. I believe I'd accept, except when something on their web site or in any communications that had transpired has made me suspicious of their honesty, sworn statements similar to the ones required in Digital Millennium Copyright Act infringement notices. I'd basically be inclined to trust those who appeared to have made an honest effort to comply with the Terms and to distrust those who took material with no acknowledgment of any kind. These latter, of course, have clearly violated virtually all the terms, and the only question is how to most quickly have the material removed or made inaccessible.

In either a snail mail letter or a digitally signed email (I don't have fax): "I swear, under penalty of perjury, that the attached photocopies of the GeodSoft terms.htm web page printouts display the correct system date (and time) when the original printouts were made, that this was the actual date (and time with no more than a 5 minute margin of error), that the system time on the computer from which original printouts were made has never been altered to create false time stamps or invalid dates, and that neither the printouts nor any photocopies have ever been tampered with to change the appearance of the date (and time) displayed. I participated in or supervised the just described activities and know them to be true from firsthand knowledge." The precise wording may vary provided the material facts sworn to are the same. Suitably altered wording could be used with a hand written date on printouts, or a date stamp.

For someone who had an electronic copy of the terms, and sent me a copy on a CD with a letter, or a tar file (or other format which preserved file dates and attributes, and which I could easily access) as an attachment to a digitally signed email with the following statement: "I swear, under penalty of perjury, that the attached terms.htm file has the creation and/or modification date and time identical to that which it had when I first downloaded or saved it. The computer's time was accurate to within a few minutes of the real time and has never had its system date or time altered to create false time stamps or invalid dates. When it has been necessary to move the file on a system or to a different system, any move, copy, backup, or similar utility was set to preserve the original creation and/or modification date and time and no utility has ever been used to alter or manipulate any creation and/or modification date or time. I participated in or supervised the just described activities and know them to be true from firsthand knowledge." The precise wording may vary provided the material facts sworn to are the same.

While I could accept such sworn firsthand accounts to be sufficient to establish "a verifiably dated printout or electronic copy" I could never accept second or third hand accounts such as "I received this printout (or file) from John Smith who swore to me that it had an accurate date." So regardless of whether it's "verifiably dated" or "digitally signed" only persons directly involved in the process of saving, printing, or signing an original Terms of Use web page can be assured of indefinite access to the GeodSoft files or content they use.

Others can copy from non GeodSoft copies, but they will always be bound by the current License terms, and the specific copyright notices on each page. The practical implication is that I can change the copyright notice at the bottom of any specific page, from the long version to a standard exclusive rights copyright notice, and it is no longer open content. The few who have abided by all the terms can continue to use such GeodSoft content, but others may have to remove content that was previously acceptable but now fails to meet the current Terms of Use. "Open content" is really not the right description for the GeodSoft Publication License; something along the lines of "limited use" or "defined use" might be more appropriate.

I have no general plans to apply a standard copyright notice to GeodSoft content, but I have done it to the page I've found so frequently copied. Anyone who has followed all the terms as they existed at the time they copied a page has nothing to worry about. My first concern is getting credit for work I've done, and second to make it easy for people to get to this site. I don't really care about aggregate traffic figures which cost me money. I care about readers who think I have something to say regarding the topics that are still relevant. The many visitors who come to the site from a search engine and take a quick look at one page, or skim several spending a few seconds on each are of no interest to me; I wish there was a way to keep them away.

Understanding how I feel is easy if you are in a similar situation, but if not, think about getting robbed. Don't think of something that you can go to a store and replace; think of someone stealing your family photo albums or wedding ring. That gets closer but still isn't quite right. In one sense I still have all the pages, but in another sense, everyone who has seen my pages on someone else's site, with no mention of George Shaffer or GeodSoft, thinks that site owner wrote the material. It's like part of your reputation has been stolen or diminished. And if someone sees both sites, they may wonder who copied whom. It's a very emotional experience.

The other Terms changes are mostly minor. Most remnants that still referred to the multiple mirrored sites I used to host were removed. Collective work authors have some latitude about where the copyright notice goes. Fair use commentators and those using just a small amount can now use the greater of three paragraphs or 500 words rather than the lesser.

One other thing that is not minor: the web pages have not been updated; the copyright notice must come from the Terms, not the page being copied. I'll fix this when I can.

The Password Generator has gotten a few tweaks. I added a hexadecimal class and some new patterns, with brief explanations. Just to show that it could do "passwords" like Steve Gibson's (grc.com) really long random strings, I added a pre-defined pattern that shows the settings necessary to produce these. Mine could do these four or five years before Steve Gibson's was up, but I never saw the point. These could only be used with cut and paste, and if you cut out pieces as he suggests, it's not really random any more, since you're most likely to pick pieces that are easiest to remember. Randomness is greatly overestimated in creating passwords. What you want are uncrackable passwords, preferably ones that you can remember, and there are various approaches to achieving that.

If I thought pure randomness was the most important factor in passwords, I would never have started with a strongly pattern based password generator, which the original was. With this one you can still build very pattern oriented passwords; it's just that you can select any kind of pattern you like. Or you can have "sloppy" patterns, or, as most of the newly added pre-defined patterns show, no pattern at all. The only thing that Steve Gibson's "password generator" has that mine doesn't, and I would like, is SSL. I'm at a hosting service, Zipa.com, that has done an excellent job at bargain prices, but part of where they make their money is extras, and SSL is an extra that would greatly increase my hosting costs.

There is one change that I made to the password generator that no one will ever see. I changed the random seed algorithm. What I'd used before was a minor variation on one of the recommended random seed generators in the Perl documentation. The common recommendations suggest some bit operation on time and process number. I didn't much like the output of the suggested one, so I tinkered with it and got what I thought was a much wider and more unpredictable range of seed values. Most of my testing was done on a Windows machine that had random but a relatively small range of process IDs. I don't recall testing it on Linux. Something caused me to take a look at it recently, and I did not like the results on Linux.

I spent a couple weeks working on new algorithms until I found one that generates only a few duplicate seeds out of 1 million, and these were always well separated. I got this to work equally well on an OpenBSD machine and a Linux machine. For those who don't know, Linux generates process IDs sequentially and BSDs randomly. Windows 6 to 8 years ago generated IDs fairly randomly but from a tiny set, almost all under 1000. Linux and BSD go to 32K or 64K. I did an enormous amount of testing and came up with a somewhat CPU intensive process. Two different ps listings are gzipped and then their contents treated as an array of long integers, and summed. To one is added the sum of the character values of the UNIQUE_ID generated by the server (which varies over a fairly narrow range) and the digits of the remote IP treated as a single integer. To the other is added the sum of the remote port and the current system time (a 10 digit integer).

The low order 9 bytes of the two sums are XOR-ed and that is the seed. The full sums were 16 or so digits and there were definitely patterns in the high order digits. After all, a ps listing can only change so much from one fraction of a second to the next, even if every ps invocation, and the manipulations of the result, change the next ps listing. If 999,999,999 is converted to binary it is 11 1011 1001 1010 1100 1001 1111 1111, which is how the number is dealt with for bitwise operations. With an XOR of two 30 digit fairly random binary numbers, it is theoretically possible for all digits to be ones, or alternatively all zeros. Thirty binary ones equal 1,073,741,823. Thus there are more than 73 million values over one billion.

At first glance when viewing the decimal seeds, one might think there are way too many numbers that begin with 1, but of the possible numbers, there are more than 73 times as many low one billion numbers than all one through six digit numbers combined, and more than 7 times as many billion plus numbers as seven digit numbers. Of the ten digit decimal numbers created, they will all begin with 10. There should be "roughly" equal numbers of billion plus numbers starting with 100 - 106, and about a third as many starting with 107. Also nearly 9 tenths of the total population will be 9 digit numbers.
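A Python rendering of the seed construction described above, together with exact counts behind the decimal-range arithmetic (how many seeds have 9 or 10 digits, and what they start with). This is an added example, not the Perl code in password.pl; the ps listings, UNIQUE_ID, IP, port and time are constructed stand-ins, and summing the gzip output as unsigned 32-bit little-endian integers is an assumption, since the page does not give the integer size.

```python
"""The seed recipe from the page (gzip two ps listings, sum as integers, add the server and
client extras, XOR the low nine decimal digits) plus exact counts for the decimal shape of
the result, which is always below 2**30."""
import gzip

NINE_DIGITS = 10**9        # the low-order nine decimal digits kept from each sum
SEED_LIMIT = 1 << 30       # XOR of two values below 10**9 never reaches 2**30


def sum_as_longs(data, width=4):
    """Treat a byte string as an array of unsigned little-endian integers and sum them
    (assumed 32-bit; the page says "long integers" without giving a size)."""
    padded = data + b"\x00" * (-len(data) % width)
    return sum(int.from_bytes(padded[i:i + width], "little") for i in range(0, len(padded), width))


def seed_from_sums(sum_a, sum_b):
    """XOR the low-order nine decimal digits of the two sums."""
    return (sum_a % NINE_DIGITS) ^ (sum_b % NINE_DIGITS)


def seed_from_listings(ps_a, ps_b, unique_id, remote_ip, remote_port, now):
    """gzip each ps listing and sum it as integers; add the UNIQUE_ID character values and the
    IP digits to one sum, the remote port and the time to the other; XOR the low nine digits.
    (On current systems os.urandom() is the usual seed source; this reproduces the page's recipe.)"""
    sum_a = sum_as_longs(gzip.compress(ps_a, mtime=0))   # mtime=0 keeps the example repeatable
    sum_b = sum_as_longs(gzip.compress(ps_b, mtime=0))
    sum_a += sum(ord(c) for c in unique_id) + int(remote_ip.replace(".", ""))
    sum_b += remote_port + now
    return seed_from_sums(sum_a, sum_b)


def grouped_binary(n):
    """Binary of n in four-bit groups, written the way the page writes 999,999,999."""
    bits = format(n, "b")
    head = len(bits) % 4
    groups = ([bits[:head]] if head else []) + [bits[i:i + 4] for i in range(head, len(bits), 4)]
    return " ".join(groups)


def count_in(lo, hi):
    """Number of possible seeds (0 .. 2**30 - 1) in the inclusive range [lo, hi]."""
    lo, hi = max(lo, 0), min(hi, SEED_LIMIT - 1)
    return max(0, hi - lo + 1)


def seeds_by_digit_count():
    """Seeds with 1, 2, ... 10 decimal digits (0 counted as a one-digit number)."""
    return {d: count_in(0 if d == 1 else 10 ** (d - 1), 10 ** d - 1) for d in range(1, 11)}


def ten_digit_prefix_counts():
    """Seeds whose decimal form starts 100, 101, ... 109; only 100 through 107 can occur."""
    return {p: count_in(p * 10**7, (p + 1) * 10**7 - 1) for p in range(100, 110)}


if __name__ == "__main__":
    # Constructed stand-ins for two ps listings and the server/client variables.
    ps1 = b"  PID TTY          TIME CMD\n 1234 pts/0    00:00:00 perl\n 1235 pts/0    00:00:00 ps\n"
    ps2 = b"  PID TTY          TIME CMD\n 1234 pts/0    00:00:00 perl\n 1236 pts/0    00:00:00 ps\n"
    print(seed_from_listings(ps1, ps2, "constructed-unique-id", "192.0.2.10", 51234, 1172232000))
    print(grouped_binary(999_999_999))          # 11 1011 1001 1010 1100 1001 1111 1111
    counts = seeds_by_digit_count()
    print(counts[10], counts[9], ten_digit_prefix_counts()[107])   # 73741824 900000000 3741824
```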

In developing the seed logic I started with short runs of 1,000, then 10,000 outputs. I wrote a couple Perl scripts to analyze the distribution of values, of leading digit sequences, and of digits at each position. When the outputs started to look random at 10,000, I went to 100,000, then 1,000,000 number runs. I performed about a dozen million number runs. As the logic got more complex, these took about four days on my slow Linux desktop, and about half that on an identical OpenBSD system.

I'm not a mathematician, statistician, or cryptographer, but from what I understand, these seed values appear to be both random and unpredictable. Every machine should have somewhat different results since the starting point is a wide form (lots of information) process (ps) listing. To have even a chance of predicting what kind of numbers should be produced, you'd need to know the format details of ps for the machine and have a very good idea of what processes are running. You'd also need to be intimately familiar with the details of the gzip compression process.

But as with Heisenberg's uncertainty principle, any attempt to analyze what processes are running, requires running processes that look at processes and necessarily change the output of any ps listing, not just while they are running but because other processes got less CPU time while these analysis programs were running so any long lasting process stats are somewhat altered. It's impossible to conceive of any way of anticipating the outputs without changing the outputs. And if you don't have access to the web server and an opportunity to closely monitor its environment, how you could attempt to predict the output is beyond me.

Then there are also the extras I added. The web server's UNIQUE_ID is obviously an attempt at some randomness based on some combination of local machine and remote client information. For each server, some parts of this remain constant, and others vary with each web page served. The IP and remote port add something from the client that should be different for each client. The IP will, for at least limited periods of time, remain the same for each client but be different from nearly all others (except when multiple clients are coming from the same NAT or proxy environment). Port numbers will increment with each request from a Linux client and should be random from BSD clients. Time should be the same for everyone but relentlessly moves forward.

Anyhow, after quite a bit of work, I've come up with a method for generating high quality seeds. They occupy a much larger range, appear to be random, and are much less predictable than any seed algorithm I've seen suggested. Before doing this, I did look at Perl modules that were supposed to provide cryptographic quality random numbers, and could not install them because I lacked too much prerequisite software, or appeared to install them and they simply did not work.

To some extent, the seed is not terribly important with password.pl. Every different pattern, and many configuration changes generate completely different results. But if the same seed value is used with an identical pattern and configuration, the result is the same. This is to say, though Perl's pseudo random number generator generates a good approximation of random numbers, it always generates the same sequence from the same seed. CGI programs start new every time you access them, or click refresh, or change the parameters, so the amount of entropy in Perl's random number generator is limited by the range and quality of seed values. With almost infinite configuration possibilities, few people will ever see the same passwords from password.pl.

I think the importance of this can easily be overrated. Except for the shortest, simplest patterns when the minimum length password is created, or the occasional fluke dictionary word that is created, no passwords that come out of password.pl lend themselves very well to today's cracking techniques (and you can/should always use Password Evaluator to check them). What difference does it make if two people in Washington, D.C., and New York see and choose the same password, or even two people in Falls Church, VA? The only way this could matter is if the same cracker has access to machines that both users have used that password on, and both or all of those machines are Windows machines.

The reason I single out Windows machines is that all Unix variants use a "salt" that causes 2048 different password hashes to be generated from each plain text password. Further, different Unix variants use different hashing algorithms, and many provide for local selection and configuration of the hashing algorithm. The chance of two people with the same password getting the same hash on the same or different Unix computers is very small, but it is assured on Windows machines. All Windows machines, at least with the same OS version, produce the same password hashes. Windows passwords should be several characters longer to compensate for this weakness.

If the very remote possibility that someone may see passwords that you've seen concerns you, set the limit to 20 or 50 or even 100 passwords and you'll surely see passwords no one else has or will, even with the default pattern and configuration.

I'm both amused and annoyed by Steve Gibson (grc.com) calling his passwords "Perfect," as if there could be such a thing as a perfect password. It's so naive on one hand, and grossly misinformative on the other. Everyone has different needs. Steve is confusing mathematical strength with perfection and forgetting usability. He makes the claim "and the cryptographically-strong pseudo random number generator we use guarantees that no similar strings will ever be produced again." No matter how large the universe of possibilities, even if it's 1 followed by 100 zeros, it's possible, though extremely unlikely, for the same value to repeat. And from what I understand, it's not possible to produce that kind of entropy on a computer. He has what is most likely a single function web server, and probably displays dozens or hundreds of these an hour, but when you generate a GnuPG key, gpg has you moving your mouse randomly for maybe a minute to get the entropy it needs. Of course the GnuPG key is much longer. Still, I don't see how he can make these claims. The only guaranteed way I know to never have a number repeat is to use a progressive sequence like time, and that becomes very predictable, which is worse than a pseudo random number that occasionally repeats.

The alternative is to claim that the pseudo random generator does not depend on a seed and never repeats a sequence of numbers. That's very hard if not simply impossible to prove. Some very smart people have developed what were thought to be very clever cryptographic algorithms which were subsequently shown to have gaping holes. I've liked some of what Steve Gibson has done in the past but I think he's entirely on the wrong track here. His "passwords" are not perfect; they aren't even usable.

The only way to use one, or even a significant part of one of Steve's passwords, is cut and paste. That means you have to trust it to electronic storage. Even if you used the best electronic password "safe," what do you protect that with? If you use a password like any of Steve's, you risk losing all your passwords because you can't remember your master password. And if you use a password you can be sure to remember, then the "safe" is at risk, unless you keep it on a second non networked computer with no connections to anything, but then you can't use cut and paste.

The last place I want any of my passwords stored is on a networked hard drive, regardless of how good or how many firewalls I'm behind, or how good I hope my security is. This is the main reason I never use the browser features that "remember" a password for me. Even the possibility that my bank and credit card company passwords might be in my browser cache is scary. I think if they showed on the screen as asterisks, that's how they will appear in the cache, but I'm not sure.

I hope someone finds a use for the new changes, minor though they are. A while back I got started on a pass phrase generator but got sidetracked. Recently Roger Grimes of InfoWorld made the point that a 10 character all lower case password has the same strength as an 8 character password using characters from a 95 character set (actually it's about eleven and a half characters to match an 8 character password using all types of characters). This is a very important point that almost the entire computer world insists on missing, myself included, until I was shown the light. All current dictionary attacks depend on one word with sometimes many variations including added characters. If you avoid obvious combinations and already known passwords, an 11 character, lower case password won't fall to a dictionary attack, or to brute force either. If a 12 character all lower case password is mathematically stronger than an 8 character password with mixed case, digit(s), and one or more symbols, which is likely to be easier to remember and type? If the same mathematical strength can be achieved with one case all letter passwords, why the industry obsession with diverse character sets? I'm also thinking about a password generator that makes 10 character and longer combinations of 2 - 5 character words, with some random characters added.
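The length-versus-character-set arithmetic behind that paragraph, as an added example (not the page's or password.pl's code): it computes the search space of a (length, alphabet size) policy, the lower case length that matches an 8 character password over 95 printable characters, and which of two policies a brute force attacker has to work harder against.

```python
import math

# Alphabet sizes used in the comparisons on this page.
ALPHABETS = {"lower": 26, "mixed": 52, "mixed+digits": 62, "printable": 95}


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def equivalent_length(length: int, alphabet_size: int, target_alphabet: int) -> float:
    """Length over `target_alphabet` whose search space equals `length` over `alphabet_size`.

    Fractional results are expected; round up to get a policy length.
    """
    return search_space_bits(length, alphabet_size) / math.log2(target_alphabet)


def stronger(policy_a: tuple, policy_b: tuple) -> str:
    """Compare two (length, alphabet_size) policies by search space: 'a', 'b' or 'tie'."""
    space_a = policy_a[1] ** policy_a[0]
    space_b = policy_b[1] ** policy_b[0]
    if space_a == space_b:
        return "tie"
    return "a" if space_a > space_b else "b"


def exhaustive_search_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of a policy at a given guess rate.

    Useful for sizing a policy against an assumed offline cracking rate.
    """
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    need = equivalent_length(8, ALPHABETS["printable"], ALPHABETS["lower"])
    print(f"lower case length matching 8 printable chars: {need:.2f} (use {math.ceil(need)})")
    print("12 lower vs 8 printable:", stronger((12, 26), (8, 95)))
    print("10 lower vs 8 printable:", stronger((10, 26), (8, 95)))
```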


Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.