Security Basics mailing list archives
Re: Suggested "safe" password length
From: No God <nogodhere () hotmail com>
Date: Wed, 19 Nov 2003 14:58:40 -0500
If you keep the number down on paper and in a place that can be taken, at least use something to keep the dumb crooks out of it. Place leading numbers and trailing numbers after the PIN and make it look like a SSN or something. Make the numbers at least look like they were written at the same time and with the same ink (duh!).

For Windows passwords use some of the ALT characters which cracking tools have a hard time with and remember where they are (between the two worded password, at the end, etc) and then you can leave the password in cleartext on your freaking bumper sticker and they will hopefully lock out the account before you log on next. Good luck....

It isn't like a token since more token authentication changes at a random time period so if you have the token in hand it isn't going to necessarily get you anything!

--

On 11/18/03 12:15, "Kenneth Buchanan" <K.Buchanan () Kastenchase com> wrote:
:) I was waiting for someone to mention this. Bruce Schneier advocates this approach:

"My wallet is already a secure container; it has valuable things in it, and I have a lifetime of experience keeping it safe. Adding a piece of paper with my passwords seems like a natural thing to do."
http://uk.biz.yahoo.com/030902/244/e7d3m.html

It actually makes a lot of sense. A cryptic 'hard to remember' password tends to be far more difficult to brute force, so why not just go with it, have people write it down, and instruct them to keep the paper safe? It becomes a little like an authentication token. As someone else pointed out, once they've entered it a certain number of times they will remember it anyway, at which point they won't have to pull out their wallets every time they need to log in.

-----Original Message-----
From: Anders Reed-Mohn [mailto:anders_rm () utepils com]
Sent: Tuesday, November 18, 2003 8:19 AM
To: security-basics () securityfocus com
Subject: Re: Suggested "safe" password length

----- Original Message -----
From: "Robert & Marina Mantle" <rwmantle () rogers com>

True, although best practices suggest a password of at least 8 characters, too long a password and users will have a tendency of writing them down rather than attempt to commit them to memory.

Well, why not just let them write it down? Put it on a piece of paper, and let them keep it in their wallet (not under the keyboard, naturally). I mean.. banks trust this approach, why can't we?

Cheers,
Anders :)