Security Basics mailing list archives
Re: Suggested "safe" password length
From: "Peter Schawacker" <peter () schawacker com>
Date: Tue, 18 Nov 2003 09:04:19 -0800
Actually, banks generally admonish customers specifically not to keep their PINs with their cards (which usually reside in customers' wallets). If someone has to write down a password, one of the last places it should go is in their wallet. Why? Because your wallet already gives away so much information about you. Why add more to it? Even your keyboard doesn't have your driver's license and credit card numbers attached.

And don't assume that your wallet is secure just because you sit on it most of the time. Have you ever lost a wallet? It's easy to leave a wallet on a desk if you're constantly having to rifle through it for a password list. And remember, where do women that carry purses usually leave their wallets? And where are those purses most of the time? Naturally, the purse lives under the desk, under the keyboard. So, in quite a few cases, the password in the wallet is nearly as convenient as the password under the keyboard.

Assuming the password is meant for business purposes, your best bet may be allowing employees to seal them in envelopes and store them in a safe. Another good option is to maintain a PGP encrypted text file of passwords. That way the user only needs to remember one PGP passphrase. The ultra paranoid can split each password between two envelopes and place them in two safes operated by different managers -- preferably competing managers or ones that work in different disciplines.

Of course, by far the best answer in the long run is to use something other than passwords for authentication.

Peter

----- Original Message -----
From: "Anders Reed-Mohn" <anders_rm () utepils com>
To: <security-basics () securityfocus com>
Sent: Tuesday, November 18, 2003 5:18 AM
Subject: Re: Suggested "safe" password length

----- Original Message -----
From: "Robert & Marina Mantle" <rwmantle () rogers com>

True, although best practices suggest a password of at least 8 characters, too long a password and users will have a tendency of writing them down rather than attempt to commit them to memory.

Well, why not just let them write it down? Put it on a piece of paper, and let them keep it in their wallet (not under the keyboard, naturally). I mean.. banks trust this approach, why can't we?

Cheers,
Anders :)