From: Panda Oxygen3

"A weak man has doubts before a decision, a strong man has them afterwards."
Karl Kraus (1874-1936), Austrian author and journalist

- Password length, key to security -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, June 7, 2005 - The passwords used to validate users in different systems must be set with great care: if a password is not well constructed (what is normally referred to as a weak password), it can be easily guessed.

One of the key considerations when defining a password is its length. The longer the password, the more difficult it will be for an attacker to guess it. An alphanumeric password that was only three characters long would therefore be very easy to guess, as an attacker would only need to try a very limited number of combinations, around 50,000. However, to guess a password that is eight characters long and includes both letters and numbers, an attacker would have to try billions and billions of different combinations, which would most probably cause the attacker to give up.

In spite of this, incredibly weak passwords are still being used every day in critical validation systems. For example, PINs (Personal Identification Numbers) used to access automatic teller machines are usually restricted to 4 digits, limiting the number of unique PINs to 10,000. The same happens in cell phone systems, which are usually secured with short PINs, also four digits long.

This problem is demonstrated by the case of Bluetooth devices. According to Yaniv Shaked, of the School of Electronic Engineering at Tel Aviv University, an attacker could interfere with the connection between two Bluetooth devices and guess a four-digit PIN in between 3 tenths of a second and 6 hundredths of a second.
This study, which will be presented at MobiSys, to be held in Seattle from June 6 to 8, shows the high risk of Bluetooth devices due to their lack of security, including badly constructed passwords. The study is available at:
http://www.usenix.org/events/mobisys05/tech/shaked.html

------------------------------------------------------------
The 5 viruses most frequently detected by Panda ActiveScan, Panda Software's free online scanner:
1) Qhost.gen; 2) Netsky.P; 3) Mhtredir.gen; 4) Sdbot.ftp; 5) Shinwow.E.
------------------------------------------------------------
To contact Panda Software, please visit:
http://www.pandasoftware.com/about/contact/
------------------------------------------------------------

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
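
Added example (not part of the original newsletter or of the cited study): the Python sketch below works through the article's keyspace figures and, assuming a constant guess rate derived from the article's four-digit PIN timings, finds the shortest secret that would take at least a year to exhaust. The 36-symbol alphabet (case-insensitive letters plus digits) is an assumption chosen because it matches the article's "around 50,000" figure for three characters; all function names are illustrative.

```python
import string

DIGITS = len(string.digits)                               # 10 symbols, as in a numeric PIN
ALNUM = len(string.ascii_lowercase + string.digits)       # 36 symbols (assumed alphabet)
YEAR = 365 * 24 * 3600                                    # seconds

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols."""
    return alphabet_size ** length

# Guess rates implied by the article: all 10,000 four-digit PINs tried in
# 0.06 s (fast case) or 0.3 s (slow case). Constant rate is an assumption.
FAST_RATE = keyspace(DIGITS, 4) / 0.06                    # about 166,667 guesses/s
SLOW_RATE = keyspace(DIGITS, 4) / 0.3                     # about 33,333 guesses/s

def exhaust_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every secret at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate

def min_length(alphabet_size: int, rate: float, target_seconds: float) -> int:
    """Shortest length whose full keyspace takes at least `target_seconds`."""
    length = 1
    while exhaust_seconds(alphabet_size, length, rate) < target_seconds:
        length += 1
    return length

def report(rate: float):
    """Rows of (label, length, keyspace, worst-case seconds) for the article's cases."""
    cases = [("numeric PIN", DIGITS, 4), ("alphanumeric", ALNUM, 3),
             ("alphanumeric", ALNUM, 8)]
    return [(name, n, keyspace(a, n), exhaust_seconds(a, n, rate))
            for name, a, n in cases]

if __name__ == "__main__":
    for name, n, space, secs in report(FAST_RATE):
        print(f"{name:13s} len={n}  keyspace={space:>16,d}  worst case={secs:,.2f} s")
    print("digits needed to last a year:", min_length(DIGITS, FAST_RATE, YEAR))
    print("alphanumerics needed to last a year:", min_length(ALNUM, FAST_RATE, YEAR))
```

At the faster implied rate, even the eight-character alphanumeric keyspace is exhausted in under a year, which is why the loop settles on nine characters, or thirteen digits for a numeric-only PIN.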