Full Disclosure mailing list archives
guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)
From: coderman <coderman () gmail com>
Date: Sun, 26 Mar 2006 09:46:17 -0800
comments?

Creating a secure password:
o Include punctuation marks and numbers.
o Mix capital, lowercase and space characters.
o Create a unique acronym.
o Short passwords should be 8 chars at least.

Weaknesses to avoid:
o Don't use a password that is listed as an example or public.
o Don't use a password you have been using for years.
o Don't use a password someone else has seen you type.
o Don't use a password that contains personal information.
o Don't use words or acronyms that can be found in a dictionary.
o Don't use keyboard patterns (qwerty) or sequential numbers.
o Don't use repeating characters (aa11).

Keep your password secure:
o Never tell your password to anyone or use it where they can observe it.
o Never send your password by email or speak it where others may hear.
o Occasionally verify your current password and change it to a new one.
o Avoid writing your password down. (Keep it with you in a purse or wallet if you have to write down the password until you remember it.)

---

High assurance passwords / exotic threat model interactive auth:
use challenge response for single use Key Encryption Keys containing a minimum of 128 bits of entropy in a full SHA-512 derived key.

exotic threat model implies full process for physical, emission, cryptographic and user interface security. (i.e. expert level security infrastructure and flawless identity management).

ideally this would be coupled with a personal vascular scan biometric device (user centric with vascular auth challenge to open/sign hardened internal secrets)

the odds of such a device being designed, produced and verified in an open and full disclosure manner are not high. :P

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
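The checklist in the post above, turned into a policy checker as an added example (this is not code from the post or from the Full-Disclosure list). It encodes the testable rules: minimum length, numbers and punctuation, mixed case, no public example passwords, no reuse, no personal information, no dictionary words, no keyboard patterns or sequential digits, no repeating characters. "Create a unique acronym" is construction advice rather than a checkable property and is left out. The public-example list, the dictionary, the keyboard rows (US layout) and the sample passwords are all constructed stand-ins; the reading of "repeating characters (aa11)" as a run of three identical characters or two doubled runs is an assumption.

```python
import re
import string

# Constructed stand-ins: a real deployment loads proper lists from disk.
# "Don't use a password that is listed as an example or public."
PUBLIC_EXAMPLES = {"password", "password1!", "letmein", "changeme",
                   "correct horse battery staple"}

# "Don't use words or acronyms that can be found in a dictionary."
DICTIONARY = {"summer", "dragon", "monkey", "welcome", "secret", "hello", "word"}

# Keyboard rows for the "qwerty" rule (assumption: US layout). The digit row also
# catches long ascending/descending runs such as 1234 and 4321.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_keyboard_run(pw: str, length: int = 4) -> bool:
    """True if `length` adjacent keyboard keys appear in order, forwards or reversed."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            run = row[i:i + length]
            if run in low or run[::-1] in low:
                return True
    return False


def has_sequential_digits(pw: str, length: int = 3) -> bool:
    """True if `length` consecutive digits each step by +1 or -1 (e.g. 123, 987)."""
    for match in re.finditer(r"\d{%d,}" % length, pw):
        digits = [int(c) for c in match.group()]
        for i in range(len(digits) - length + 1):
            window = digits[i:i + length]
            steps = {b - a for a, b in zip(window, window[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False


def has_repeated_chars(pw: str) -> bool:
    """The post's 'aa11' rule (interpretation): a run of three identical characters,
    or at least two separate doubled runs, counts as repeating characters."""
    if re.search(r"(.)\1\1", pw):
        return True
    doubled_runs = re.findall(r"(.)\1+", pw)  # one entry per maximal run
    return len(doubled_runs) >= 2


def contains_dictionary_word(pw: str, min_len: int = 4) -> bool:
    """Case-insensitive substring match against the (constructed) wordlist."""
    low = pw.lower()
    return any(w in low for w in DICTIONARY if len(w) >= min_len)


def contains_personal_info(pw: str, personal_info) -> bool:
    """Flag usernames, birth years etc. supplied by the caller (3+ chars)."""
    low = pw.lower()
    return any(len(item) >= 3 and item.lower() in low for item in personal_info)


def check_password(pw: str, previous=(), personal_info=()) -> list:
    """Return the rules from the post that `pw` violates; an empty list means it passes."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if not any(c in string.punctuation for c in pw):
        failures.append("no punctuation mark")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("not mixed case")
    if pw.lower() in PUBLIC_EXAMPLES:
        failures.append("public example password")
    if pw in previous:
        failures.append("reused from an earlier password")
    if contains_personal_info(pw, personal_info):
        failures.append("contains personal information")
    if contains_dictionary_word(pw):
        failures.append("contains a dictionary word")
    if has_keyboard_run(pw) or has_sequential_digits(pw):
        failures.append("keyboard pattern or sequential numbers")
    if has_repeated_chars(pw):
        failures.append("repeating characters")
    return failures


if __name__ == "__main__":
    # Constructed sample candidates and constructed personal details.
    for candidate in ["password", "Qwerty123!", "Summer2024!", "Tq7!mv9Rz#Lp"]:
        result = check_password(candidate, personal_info=["jdoe", "1985"])
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Each helper is a separate predicate so a site can tune the thresholds (run length, minimum dictionary word length) independently; the list of failure strings, rather than a bare pass/fail, is what a login or password-change form would show the user.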
Current thread:
- guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) coderman (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Anders B Jansson (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) James Longstreet (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Anders B Jansson (Mar 26)
- Re: guidelines for good password policyand maintenance / user centric identity with single passwords(or a small number at most over time) <...> (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Gareth Davies (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Valdis . Kletnieks (Mar 26)
- Re: guidelines for good password policy andmaintenance / user centric identity with single passwords (or asmall number at most over time) Dave Korn (Mar 28)
- Re: Re: guidelines for good password policy andmaintenance / user centric identity with single passwords (or asmall number at most over time) Michael Holstein (Mar 28)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) James Longstreet (Mar 26)
- Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time) Anders B Jansson (Mar 26)