Security Basics mailing list archives

RE: Suggested "safe" password length


From: Kenneth Buchanan <K.Buchanan () Kastenchase com>
Date: Tue, 18 Nov 2003 12:15:21 -0500


:)  I was waiting for someone to mention this.

Bruce Schneier advocates this approach:
"My wallet is already a secure container; it has valuable things in it, and
I have a lifetime of experience keeping it safe. Adding a piece of paper
with my passwords seems like a natural thing to do."
http://uk.biz.yahoo.com/030902/244/e7d3m.html

It actually makes a lot of sense.  A cryptic 'hard to remember' password
tends to be far more difficult to brute force, so why not just go with it,
have people write it down, and instruct them to keep the paper safe?  It
becomes a little like an authentication token.

As someone else pointed out, once they've entered it a certain number of
times they will remember it anyway, at which point they won't have to pull
out their wallets every time they need to log in.


-----Original Message-----
From: Anders Reed-Mohn [mailto:anders_rm () utepils com]
Sent: Tuesday, November 18, 2003 8:19 AM
To: security-basics () securityfocus com
Subject: Re: Suggested "safe" password length



----- Original Message ----- 
From: "Robert & Marina Mantle" <rwmantle () rogers com>
    True, although best practices suggest a password of at least 8
characters, too long a password and users will have a tendency of writing
them down rather than attempt to commit them to memory.


Well, why not just let them write it down?
Put it on a piece of paper, and let them keep it in their wallet (not under
the keyboard, naturally).

I mean..  banks trust this approach, why can't we?

Cheers,
Anders :)

