Re: guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)

[Anders B Jansson <hdw () kallisti se>]

coderman wrote:

> Creating a secure password:
>
>     o Include punctuation marks and numbers.
>     o Mix capital, lowercase and space characters.
>     o Create a unique acronym.
>     o Short passwords should be 8 chars at least.
>
> Weaknesses to avoid:
>     o Don't use a password that is listed as an example or public.
>     o Don't use a password you have been using for years.
>     o Don't use a password someone else has seen you type.
>     o Don't use a password that contains personal information.
>     o Don't use words or acronyms that can be found in a dictionary.
>     o Don't use keyboard patterns (qwerty) or sequential numbers.
>     o Don't use repeating characters (aa11).
Remove the last one.
As long as the others are met this one will not add to strength, it will actually reduce it.

> Keep your password secure:
>     o Never tell your password to anyone or use it where they can observe it.
>     o Never send your password by email or speak it where others may hear.
>     o Occasionally verify your current password and change it to a new one.
>     o Avoid writing your password down.  (Keep it with you in a purse
> or wallet if you have to write down the password until you remember
> it.)
And never label that scrap of paper in any way.
Write it down on an old businesscard or something.
Don't give anyone who finds (or gains access to) your purse/wallet any clue of what
"d0gg13styl3" means or is related to.

<esoteric rant>
> High assurance passwords / exotic threat model interactive auth: use
> challenge response for single use Key Encryption Keys containing a
> minimum of 128 bits of entropy in a full SHA-512 derived key.  exotic
> threat model implies full process for physical, emission,
> cryptographic and user interface security.  (i.e. expert level
> security infrastructure and flawless identity management).
128 bit entropy in a password requires a long randomized passphrase.
Avoiding accented chars (which is good unless you want to be locked out)
You'll end up with just under 6 1/2 bits per char.
And a password/passphrase meeting all requirements above and being at least
20 chars long isn't very usable.
 
> ideally this would be coupled with a personal vascular scan biometric
> device (user centric with vascular auth challenge to open/sign
> hardened internal secrets)
Biometrics fail as been shown several times before.
Biometrics require that there's no way of obtaining that information from the user,
or that there's no way to enter this data without the actual user being present.

And even then they fail the actual user has a gun at his temple.

</esoteric rant>
--
// hdw

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/