Security Basics mailing list archives
Re: Suggested "safe" password length
From: "Anders Reed-Mohn" <anders_rm () utepils com>
Date: Thu, 20 Nov 2003 10:56:36 +0100
> Actually, banks generally admonish customers specifically not to keep their PINs with their cards (which usually reside in customers' wallets).
True, but several banks have Internet-banking services that authenticate the user based on a PIN and a card with a certain number of codes on it. (Dunno what these cards are called in English.) Once you've used all the codes, you get a new card from the bank with new ones. Sort of a one-time pad thingy... Lose the card, and you've only lost a few possible codes. As well, the number of codes on the card is high enough to make the job of guessing the right one difficult enough (a high number of failed attempts will alert the bank).
> one of the last places it should go is in their wallet. Why? Because your wallet already gives away so much information about you.
But how will this affect the password security? You might say that keeping the password in the wallet would be a risk, because even if the password note says nothing about _where_ that password is used, your wallet might contain information such as your business card, which in turn tells someone where you work, and lets them have a guess at where that password fits. However, that is a very theoretical risk, and not one I would consider in reality. Why? Well, the random pickpocket is not looking for passwords, and probably doesn't care if he finds one, even if he does understand what it is. So he's not going to be much of a threat. And if your wallet is stolen by someone who's actually after that password, well, then he already knew who you were, where you work and where that password fits, so the extra info in the wallet has no extra value for him. Keeping the password on your person raises the bar for the thief, and that's the effect we're after (besides enabling a user to have stronger passwords). Also, people will notice that their wallets are gone. Thus, they can alert sysadmins and have them close their account/change the password.
> It's easy to leave a wallet on a desk if you're constantly having to rifle through it for a password list.
Not if your job depends on it. Besides, many companies do not auto-lock idle workstations, and users sure don't care to do it themselves. So, if you leave your office, I don't need your password to get into your computer.
> Assuming the password is meant for business purposes your best bet may be allowing employees to seal them in envelopes and store them in a safe.
and have to make a new envelope per person, per day? Naah.. don't think so.
> Another good option is to maintain a PGP encrypted text file of passwords. That way the user only needs to remember one PGP passphrase.
Why is this any different than "constantly having to rifle through [your wallet] for a password list"?
> Of course by far the best answer in the long run is to use something other than passwords for authentication.
Couldn't agree more. Though since biometrics still suck, I don't know what the alternative is.

Cheers,
Anders :)
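The code-card scheme Anders describes above (a PIN plus a printed list of one-time codes, a fresh card once the codes are used up, and a lockout after a few failed attempts) can be sketched as a server-side verifier. The following is an added example and is not part of the original post or any bank's software; the card size, lockout threshold, hash parameters and the `Account`, `enroll`, `authenticate` and `replace_card` names are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed parameters for the illustration; a real deployment tunes these.
CODES_PER_CARD = 50     # number of one-time codes printed on a card
MAX_FAILURES = 3        # failed attempts before the account is locked
PBKDF2_ITERATIONS = 10_000  # kept low so the example runs quickly


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither PINs nor unused codes are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    code_hashes: list          # one entry per printed code; None once the code is used
    failures: int = 0
    locked: bool = False
    cards_issued: int = 1


def issue_card(n: int = CODES_PER_CARD) -> list:
    """Generate the plaintext six-digit codes that would be printed on a card."""
    return [f"{secrets.randbelow(10**6):06d}" for _ in range(n)]


def enroll(pin: str, card: list) -> Account:
    """Create the server-side record for a user and their first card."""
    salt = secrets.token_bytes(16)
    return Account(salt, _hash(pin, salt), [_hash(c, salt) for c in card])


def next_index(acct: Account):
    """The server decides which code is due next, so a replay can never match."""
    for i, h in enumerate(acct.code_hashes):
        if h is not None:
            return i
    return None


def remaining(acct: Account) -> int:
    return sum(1 for h in acct.code_hashes if h is not None)


def replace_card(acct: Account, new_card: list) -> None:
    """Issue a new card once the old one is exhausted (or reported lost)."""
    acct.code_hashes = [_hash(c, acct.salt) for c in new_card]
    acct.cards_issued += 1


def authenticate(acct: Account, pin: str, code: str) -> str:
    """Return 'ok', 'denied', 'locked' or 'card_exhausted'."""
    if acct.locked:
        return "locked"
    idx = next_index(acct)
    if idx is None:
        return "card_exhausted"
    # Check PIN and code together so a failure reveals nothing about which was wrong.
    pin_ok = hmac.compare_digest(_hash(pin, acct.salt), acct.pin_hash)
    code_ok = hmac.compare_digest(_hash(code, acct.salt), acct.code_hashes[idx])
    if not (pin_ok and code_ok):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True       # the bank is alerted; a human must unlock
            return "locked"
        return "denied"
    acct.code_hashes[idx] = None     # one-time: burn the code that was just used
    acct.failures = 0
    return "ok"


if __name__ == "__main__":
    card = issue_card(5)             # small constructed card for the demo
    acct = enroll("1234", card)
    print(authenticate(acct, "1234", card[0]))   # ok
    print(authenticate(acct, "1234", card[0]))   # denied: code already burned
    print(remaining(acct), "codes left on card", acct.cards_issued)
```

Because the server tracks which code is due, a lost card on its own yields nothing without the PIN, and the PIN on its own buys the thief at most `MAX_FAILURES` guesses at a six-digit code before the account locks, which is the "a high number of failed attempts will alert the bank" property the post relies on.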