Re: Suggested "safe" password length

[No God <nogodhere () hotmail com>]

If you keep the number down on paper and in a place that can be taken, at
least use something to keep the dumb crooks out of it.  Please leading
numbers and trailing numbers after the PIN and make it look like a SSN or
something.  Make the numbers at least look lik they were written at the same
time and with the same ink (duh!).

For Windows passwords use some of the ALT characters which cracking tools
have a hard time with and remember where they are (between the two worded
password, at the end, etc) and then you can leave the password in cleartext
on your freaking bumper sticker and they will hopefully lock out the account
before you log on next.

Good luck....

It isn't like a token since more token authentication changes at a random
time period so if you have the token in hand it isn't going to necessarily
get you anything!
-- 

On 11/18/03 12:15, "Kenneth Buchanan" <K.Buchanan () Kastenchase com> wrote:

> :)  I was waiting for someone to mention this.
>
> Bruce Schneier advocates this approach:
> "My wallet is already a secure container; it has valuable things in it, and
> I have a lifetime of experience keeping it safe. Adding a piece of paper
> with my passwords seems like a natural thing to do."
> http://uk.biz.yahoo.com/030902/244/e7d3m.html
>
> It actually makes a lot of sense.  A cryptic 'hard to remember' password
> tends to be far more difficult to brute force, so why not just go with it,
> have people write it down, and instruct them to keep the paper safe?  It
> becomes a little like an authentication token.
>
> As someone else pointed out, once they've entered it a certain number of
> times they will remember it anyway, at which point they won't have to pull
> out their wallets every time they need to log in.
>
>
> -----Original Message-----
> From: Anders Reed-Mohn [mailto:anders_rm () utepils com]
> Sent: Tuesday, November 18, 2003 8:19 AM
> To: security-basics () securityfocus com
> Subject: Re: Suggested "safe" password length
>
>
>
> ----- Original Message -----
> From: "Robert & Marina Mantle" <rwmantle () rogers com>
> >     True, although best practices suggest a password of at least 8
> > characters, too long a password and users will have a tendency of writing
> > them down rather than attempt to commit them to memory.
>
>
> Well,  why not just let them write it down?
> Put it on a piece of paper, and let them keep it in their wallet (not under
> the
> keyboard, naturally).
>
> I mean..  banks trust this approach, why can't we?
>
> Cheers,
> Anders :)
>
>
> ---------------------------------------------------------------------------
> Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
> The Presidio integrates PGP data encryption and XML Web Services security to
>
> simplify the management and deployment of PGP and reduce overall PGP costs
> by up to 80%.
> FREE WHITEPAPER & 30 Day Trial -
> http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
> ----------------------------------------------------------------------------
>
> ---------------------------------------------------------------------------
> Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
> The Presidio integrates PGP data encryption and XML Web Services security to
> simplify the management and deployment of PGP and reduce overall PGP costs
> by up to 80%.
> FREE WHITEPAPER & 30 Day Trial -
> http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------