Security Basics mailing list archives
Re[2]: Suggested "safe" password length
From: Vishal <dhrakol () myrealbox com>
Date: Thu, 20 Nov 2003 22:24:21 -0500
Hi Anders

Thursday, November 20, 2003, 4:56:36 AM, you wrote:
one of the last places it should go is in their wallet. Why? Because your wallet already gives away so much information about you.
ARM> But how will this affect the password security?
ARM> You might say that keeping the password in the wallet would be a risk,
ARM> because even if the password-note says nothing about _where_ that password
ARM> is used,

People often reuse passwords. Knowing a password works in one place is often a good step towards knowing passwords that work in other places.

ARM> And if your wallet is stolen by someone who's actually after that
ARM> password, well, then he already knew who you were, where you work and
ARM> where that password fits,

Not necessarily. He could know that it fits *one of* several places. He might try that password in a few of the places you have access to, hoping to get in somewhere. This might have been his aim in the first place. It may also turn out to be a useful stepping stone in getting to where he does need to go. Even if you don't happen to have the password to the particular place he's interested in written down, the extra information could help him make some good guesses. Which, if he's in the movies, will work flawlessly at the third try :)

ARM> Also, people will notice that their wallets are gone. Thus, they can
ARM> alert sysadms, and have them close their account/change the password.

This is a valid point.

ARM> Not if your job depends on it.

Everyone gets complacent, lazy or forgetful once in a while, no matter the consequences. Or I might simply have my mind on something else.
Another good option is to maintain a PGP encrypted text file of passwords. That way the user only needs to remember one PGP passphrase.
ARM> Why is this any different than "constantly having to rifle through [your
ARM> wallet] for a password list"?

Because you can memorize that one passphrase. There isn't the chance of leaving it lying around like a wallet.

Cheers,
--
Vishal