My recent forays into the world of Linux LiveCDs have sensitized me to
password Voodoo.
I noticed that some distros actually assess the adequacy of the
password entered on the fly, by means of a "progress bar". Ironically,
some of these then report, "your password exceeds eight characters,
which may create problems... [or words to that effect]", and then
offer to "truncate" the freshly assessed password.
I haven't accepted this offer yet, so I don't know if this results in
a re-assessment, but the whole procedure fills me with nagging doubt
as to the effectiveness of this tool and the seriousness of its
author(s).
Puppy Linux, most recently tested, gives no assessment, but cautions
the user that the password MUST be between five and eight characters
long, and then proceeds to accept an entry much longer without
comment.
Is it simply truncating that entry without announcing the fact (must
test this next time I boot Puppy!)? Again, confidence in the system
takes a big hit.
So that is problem one. Clearly, if you take passwords seriously, you
want a more reliable, better documented tool to assess your passwords
on the PC or online.
But there's an even more difficult challenge for those of us who keep
all of our important passwords on an external storage device, for
example - a vault with a combination lock, a digital watch with
password protected memory, or a PDA without interactive input/output.
Clearly, such devices have much lower password requirements, since
there is no way to do an automated attack. With numbers and/or letters
having to be entered manually, and 10,000(?) possible combinations of
numbers for a 4-digit code, a trial and error attack is nothing much
to worry about.
However, I recently had a shock when the battery ran low on my gun
vault's electronic lock. It has a provision to attach an external
battery, but this function was not properly documented, and I used
this method successively for several entries until it, too, failed.
Happily I was able to contact the distributor (just weeks before they
trashed all their remaining documentation on this discontinued
product), and only then learned that the external battery only boosted
the internal one, and when such boosting was no longer adequate, the
only way in was with cutting tools.
I was lucky in that, after a few days' rest, the internal battery
recovered enough to get in one more time and change the battery. But
this seriously shook my faith in the vault and its retailer.
But just incidentally, I learned something that disturbed me a lot
more - the electronic lock has a back door code, never hinted at, much
less revealed, to the buyer. This code is an emergency device designed
to work only ONCE, but this belated news makes me wonder whether I've
been told the whole truth now, or whether there's yet another backdoor
code available to governments and their many associates?
The same concern now nags at me concerning possible back doors to PDAs
and databank watches. Is there any way to find this out conclusively
about a given device?
And then, finally, once one has a device assured to have no back
doors, how can one objectively test the adequacy of a password, given
the input configuration? For example, I've recently noticed the
appearance, in Staples and Office Depot stores in my region, of
relatively inexpensive FireSenty office safes advertised as providing
fire protection for optical media. But closer examination shows that
these safes accept only a three digit combination. How adequate is
that?
--
Achim
_____/)
axethetax
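Added worked example, not part of the post above and not code from any of the distros or lock vendors mentioned. It puts numbers on two of the questions raised: how much a strength meter overstates a password when the system behind it silently keeps only the first eight characters (the classic Unix DES crypt(3) limit, which is where the "eight characters" warning in those installers comes from), and how long a 3- or 4-digit keypad code survives manual trial and error. The attempt rate (one code every 2 s) and the lockout schedule (5 minutes after 3 wrong entries) are assumptions chosen for illustration, not properties of any particular safe.

```python
"""Password keyspace and brute-force estimates (added example, not from the post).

Models two things the post raises:
  * a strength meter that judges the full string while the system keeps only
    the first N characters (classic DES crypt(3) keeps 8), and
  * a keypad lock (3- or 4-digit) attacked by manual trial and error, with or
    without a lockout delay after wrong attempts.
Attempt rates and lockout parameters used below are assumptions.
"""
import math
import string
from typing import Optional

# Character classes a simple meter recognises, with the alphabet size each adds.
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 ASCII symbols
)


def charset_size(password: str) -> int:
    """Alphabet an attacker must search, inferred from the classes actually used.

    Characters outside the four classes (space, non-ASCII) each add one symbol.
    """
    size = 0
    extra = set()
    for ch in password:
        if not any(ch in members for members, _ in _CLASSES):
            extra.add(ch)
    for members, n in _CLASSES:
        if any(ch in members for ch in password):
            size += n
    return size + len(extra)


def password_bits(password: str, stored_length: Optional[int] = None) -> float:
    """Naive entropy estimate: effective_length * log2(charset_size).

    stored_length models a system that silently truncates what it stores
    (DES crypt(3) keeps 8 characters). Pass None when nothing is discarded.
    """
    effective = password if stored_length is None else password[:stored_length]
    if not effective:
        return 0.0
    return len(effective) * math.log2(charset_size(effective))


def keypad_keyspace(digits: int, symbols_per_digit: int = 10) -> int:
    """Number of codes on a keypad lock: 10**3 = 1000 for a 3-digit safe."""
    return symbols_per_digit ** digits


def expected_attack_seconds(keyspace: int, attempts_per_second: float,
                            lockout_after: int = 0,
                            lockout_seconds: float = 0.0) -> float:
    """Expected time to hit the right code by exhaustive trial.

    On average half the keyspace is tried. If the lock imposes lockout_seconds
    after every lockout_after wrong attempts, that delay is added once per full
    batch of wrong tries (an approximation; the last batch is ignored).
    """
    expected_tries = keyspace / 2
    seconds = expected_tries / attempts_per_second
    if lockout_after > 0 and lockout_seconds > 0:
        seconds += (expected_tries // lockout_after) * lockout_seconds
    return seconds


if __name__ == "__main__":
    pw = "correcthorsebatterystaple"  # constructed sample, 25 lowercase letters
    print(f"{pw!r}: meter sees {password_bits(pw):.1f} bits, "
          f"an 8-char crypt(3) actually keeps {password_bits(pw, 8):.1f} bits")
    # Manual entry at one code every 2 s (assumed), no lockout.
    for digits in (3, 4):
        ks = keypad_keyspace(digits)
        t = expected_attack_seconds(ks, 0.5)
        print(f"{digits}-digit code: {ks} combinations, "
              f"~{t / 60:.0f} min of manual trial on average")
    # Same 4-digit code, 5 min lockout after 3 wrong entries (assumed schedule).
    t = expected_attack_seconds(keypad_keyspace(4), 0.5,
                                lockout_after=3, lockout_seconds=300)
    print(f"4-digit code with lockout: ~{t / 86400:.1f} days on average")
```

The two numbers that matter: the 25-letter passphrase drops from about 117 bits to about 38 bits once only eight characters are stored, which is what makes the "assess, then truncate" sequence misleading; and a 3-digit safe falls to patient manual trial in well under an hour unless the lock enforces a delay after wrong entries, which is the property to look for before the digit count.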