Security Basics mailing list archives
RE: Article / Document about passwords vs. passphrases
From: "Ken Kousky" <kkousky () ip3inc com>
Date: Tue, 31 Oct 2006 15:17:11 -0500
Folks - this still seems to miss the real crisis. Until we admit that enforcing strong passwords is itself part of the problem, we'll continue to miss the mark. Passwords are something you know, so if you implement any kind of policy that makes it hard to know your password, YOU are breaking the security model - not the user.

We have 30 to 50 passwords per user; at work, at home, for play, for trade. To be strong, they must each be different or we're subject to the weakest link problem. To be strong, they all have to change frequently. The sole purpose of a password for authentication is to capture something the user KNOWS. These discussions all involve creating rules that a user won't know if they have 30+ passwords that we keep changing.

The answer still must be multi-factor authentication: write down the complex part and save it as a token, or take a token value from a device and append a PIN or simple KNOWN password. You can write down 20 characters and save them on your desktop and then simply append a simple KNOWN password. But again, the part the client KNOWS is the password, and we can't go on creating algorithms we call strong passwords that make it impossible for the user to know their passwords.

Again - passwords are something a user knows. If you have an algorithm that produces passwords your users don't know, it's your system that's broken - even if we hide that system in the language of strong passwords or passphrases.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Kurt Buff
Sent: Tuesday, October 31, 2006 1:36 PM
To: Florian Rommel
Cc: Pen-Testing; security-basics
Subject: Re: Article / Document about passwords vs. passphrases

On 10/30/06, Florian Rommel <frommel () gmail com> wrote:
<snip>
> I was told that Windows Vista will not let you use (SPACE) in your password. Can someone confirm or deny this?

This seems quite absurd. I've been using spaces in my passwords for years on Windows, up to and including Win2k3 - for MSFT to degrade password functionality in this way would be madness far surpassing their norm.

> Also, someone said that only the most recent versions of Linux allow you to have long passwords. According to my memory, this has worked already for a looong time (I remember I used a long password quite a few years back already), so any info on that would be good too. Any pointer as to how to improve this article would be excellent, since quite a few of the people I know use my stuff as reference and I wouldn't like to be "that" wrong :)

Can't speak to Linux, but my FreeBSD installations have, for the 5+ years I've been using them, allowed me passwords as long as I wanted - certainly longer than 8 characters.

Kurt

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
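Added example (not code from the post or from any of the participants): the "write down the complex part, append a PIN you know" construction from Ken's message, worked through in Python. The post describes plain appending; this example instead runs both parts through PBKDF2 with the site name in the salt, the example's own choice, so that every site gets a different password and the weakest-link problem between accounts goes away. It also shows the caveat a practitioner would want: if the stored part leaks together with one site's password, a four-digit memorised part falls to offline guessing in at most 10,000 derivations. Function names, the site names and the `ALPHABET` are assumptions of the example.

```python
import hashlib
import secrets
import string

# Printable alphabet for the derived password (the example's own choice).
ALPHABET = string.ascii_letters + string.digits + "!#%+-_"


def new_stored_part(nbytes=16):
    """The 'written down' component: random, generated once per user, kept
    in a file or on a token. It carries the entropy, so it need not be
    memorable; what the user memorises stays short."""
    return secrets.token_hex(nbytes)


def site_password(stored_part, memorised_part, site, length=20, iterations=200_000):
    """Derive the password typed at `site` from both parts.

    PBKDF2-HMAC-SHA256 over the memorised part, salted with the stored part
    and the site name, so every site gets a different password (no weakest
    link between accounts) and neither part alone reproduces it.
    """
    salt = f"{stored_part}|{site}".encode()
    key = hashlib.pbkdf2_hmac("sha256", memorised_part.encode(), salt, iterations)
    # Byte-to-character mapping; the modulo is slightly biased, which is
    # acceptable for this illustration but not for a production generator.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key[:length])


def recover_memorised_part(stored_part, site, leaked_password, candidates, iterations=200_000):
    """Caveat: if the stored part leaks together with one site's password,
    the memorised part is exposed to offline guessing. Returns the first
    candidate that reproduces the leaked password, or None if no candidate
    matches."""
    for guess in candidates:
        derived = site_password(stored_part, guess, site, len(leaked_password), iterations)
        if derived == leaked_password:
            return guess
    return None


def four_digit_pins():
    """All 10,000 four-digit PINs: the whole search space when the
    memorised part is only a PIN."""
    return (f"{n:04d}" for n in range(10_000))


if __name__ == "__main__":
    stored = new_stored_part()           # the part the user writes down
    pin = "0042"                         # the short part the user KNOWS
    bank = site_password(stored, pin, "bank.example")
    mail = site_password(stored, pin, "mail.example")
    print("bank:", bank)
    print("mail:", mail)
    assert bank != mail                  # one leak does not expose the other
    # An attacker holding `stored` and the leaked `bank` password needs at
    # most 10,000 derivations to recover a 4-digit PIN; the PBKDF2 iteration
    # count only multiplies that by a constant. A memorised part with more
    # entropy than a PIN is what keeps this construction sound.
    print("recovered PIN:", recover_memorised_part(stored, "bank.example", bank, four_digit_pins()))
```

The split matters for where each part can leak: the stored file on the desktop is exposed to anyone who reads the disk, the memorised part to shoulder-surfing and reuse, and the derivation keeps either loss from being sufficient on its own. The brute-force function is the reminder that "sufficient on its own" still depends on the memorised part having real entropy once the stored part is in the attacker's hands.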
Current thread:
- Re: Article / Document about passwords vs. passphrases Florian Rommel (Nov 01)
- RE: Article / Document about passwords vs. passphrases Ken Kousky (Nov 01)
- Re: Article / Document about passwords vs. passphrases Kenton Smith (Nov 01)
- Norwich MSIA Patrick Wade (Nov 01)
- Re: Norwich MSIA Jan Heisterkamp (Nov 03)
- RE: Norwich MSIA Mani Akella (Nov 06)
- Norwich MSIA Patrick Wade (Nov 01)
- RE: Article / Document about passwords vs. passphrases Roger A. Grimes (Nov 03)