
Re: Stopping people finding out uptime?

On Mon, 15 Apr 2002, Ross Thomas wrote:
> "Jeff Schaller" <schaller@freeshell.org> wrote:
>> Security through layers of protection /is/ security
> I've never understood this "security through obscurity" argument. 

It's an argument against doing things that make you feel better without
actually achieving anything to improve your security.

> I think people only say it because it rhymes. 

Nope. I say it because I know quite a few people who are, or more often
were, convinced that it was an important part of a security system.

The attitude usually changed when their security failed because they
relied on some piece of obscurity or other and, of course, they got
attacked by the robot anyway and the security failed.

> Of *course* obscurity is a good thing: if your password isn't obscure
> then you need to pick another :)

That's not entirely true. What you need is a password with a large
quantity of entropy, not an obscure password. The fact that an obscure
password is one way of getting that high entropy, in general, makes it
look like that. ;)

Seriously, though, the password "ovum" is rather obscure -- very few
people would use it, after all. It's really not very secure, though,
with something like five or six bits of entropy in it.

The phrase "the rain in Spain falls mainly on the plain" has something
like 90 bits of entropy, simply through its length.[1] It's not all that
obscure, though, and if someone saw you type a couple of the words they
could probably guess the rest of it.

You get somewhere around 1.5 or 2 bits of entropy per character in
running English text -- it's pretty predictable, really. If you put
enough of it together, though, it builds up to a reasonable level.

A password such as "ilowturp", generated from the gpw package, seems to
average around 3 bits of entropy per password, but I didn't do serious
math there, just back of the napkin stuff.

...and that is the difference between obscure and secure. :)


[1]  Assuming that your password system uses all of the characters, not
     just the first eight, as is the default for most Unix systems.[2]

[2]  This includes Debian as shipped. :)

Intellectual brilliance is no guarantee against being dead wrong.
        -- David Fasold
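The entropy argument in the post above, worked through as an added example (this is not code from the post or from the debian-firewall thread). It estimates a secret's entropy under several assumed attacker models using the per-character rates the post quotes, takes the minimum across models as the figure that actually matters, and shows what an eight-character truncation (footnotes [1] and [2]) leaves of a long passphrase. The model rates, the dictionary size of 64, and the reading of the gpw figure as a per-character rate are all assumptions made for the example.

```python
import math

# Per-character entropy rates in bits for a few ways a secret can be chosen.
# These are attacker-model assumptions for the example, not measurements:
#   english_text     : upper end of the post's "1.5 or 2 bits per character"
#   pronounceable    : the post's back-of-the-napkin gpw figure, read here as
#                      a per-character rate (an assumption)
#   random_lowercase : one uniformly random letter per position
#   random_printable : one uniformly random printable ASCII character
PER_CHAR_MODELS = {
    "english_text": 2.0,
    "pronounceable": 3.0,
    "random_lowercase": math.log2(26),
    "random_printable": math.log2(95),
}

# Assumed size of the word list an attacker tries first. The post's "five or
# six bits" for a word like "ovum" corresponds to a list of 32 to 64 words.
ASSUMED_DICTIONARY_SIZE = 64


def entropy_bits(secret, model, dictionary_size=ASSUMED_DICTIONARY_SIZE):
    """Estimate the entropy of `secret` in bits under one attacker model.

    The "dictionary" model treats the whole secret as a single pick from a
    list of `dictionary_size` candidates, so length does not help at all.
    The per-character models multiply a fixed rate by the length, which is
    the "it builds up" effect the post describes for long English text.
    """
    if model == "dictionary":
        return math.log2(dictionary_size)
    return PER_CHAR_MODELS[model] * len(secret)


def worst_case_bits(secret, models, **kw):
    """The entropy that matters is the lowest across the strategies an
    attacker might use: a dictionary word scores well as random letters but
    falls to the dictionary model. Returns (bits, winning_model)."""
    scored = [(entropy_bits(secret, m, **kw), m) for m in models]
    return min(scored)


def effective_entropy_bits(secret, model, max_chars=None, **kw):
    """Entropy left after the password system silently keeps only the first
    `max_chars` characters (the post's footnote about the eight-character
    default). Characters past the cut contribute nothing, so the estimate is
    taken over the kept prefix only."""
    kept = secret if max_chars is None else secret[:max_chars]
    return entropy_bits(kept, model, **kw)


def truncation_report(secret, model, max_chars=8, **kw):
    """Summarise how much of a secret's entropy survives truncation."""
    full = entropy_bits(secret, model, **kw)
    kept = effective_entropy_bits(secret, model, max_chars, **kw)
    return {
        "secret": secret,
        "full_bits": round(full, 1),
        "kept_bits": round(kept, 1),
        "lost_bits": round(full - kept, 1),
    }


if __name__ == "__main__":
    # Constructed inputs: the three secrets discussed in the post.
    phrase = "the rain in Spain falls mainly on the plain"
    print(worst_case_bits("ovum", ["dictionary", "english_text", "random_lowercase"]))
    print(worst_case_bits("ilowturp", ["pronounceable", "random_lowercase"]))
    print(truncation_report(phrase, "english_text"))
    print(truncation_report("ilowturp", "random_lowercase"))
```

Running it shows the two halves of the post's point: "ovum" is capped at six bits by the dictionary model no matter how it scores elsewhere, while the passphrase reaches the high eighties as English text but keeps only sixteen bits once an eight-character limit discards everything after "the rain".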
