Security Basics mailing list archives

Re[2]: Suggested "safe" password length

From: Vishal <dhrakol () myrealbox com>
Date: Thu, 20 Nov 2003 22:24:21 -0500

Hi Anders

Thursday, November 20, 2003, 4:56:36 AM, you wrote:

one of the last places it should go is in their wallet. Why? Because your
wallet already gives away so much information about you.


ARM> But how will this affect the password security?
ARM> You might say that keeping the password in the wallet would be a risk,
ARM> because even if the password-note says nothing about _where_ that password
ARM> is used,

People often reuse passwords. Knowing a password works in one place is often a good
step towards knowing passwords that work in other places.

ARM> And if your wallet is stolen by someone who's actually after that
ARM> password, well, then he already knew who you were, where you work and
ARM> where that password fits,

Not necessarily. He could know that it fits *one of* several places. He might
try that password in a few of the places you have access to, hoping to get in
somewhere. This might have been his aim in the first place. It may also turn
out to be a useful stepping stone in getting to where he does need to go.

Even if you don't happen to have the password to the particular place he's
interested in written down, the extra information could help him make some
good guesses. Which, if he's in the movies, will work flawlessly at the third
try :)

ARM> Also, people will notice that their wallets are gone. Thus, they can
ARM> alert sysadms, and have them close their account/change the password.

This is a valid point.

ARM> Not if your job depends on it.

Everyone gets complacent, lazy or forgetful once in a while, no matter the
consequences. Or I might simply have my mind on something else.

Another good option is to maintain a PGP encrypted text file of passwords.
That way the user only needs to remember one PGP passphrase.


ARM> Why is this any different than "constantly having to rifle through [your
ARM> wallet] for a password list"?

Because you can memorize that one passphrase. There isn't the chance of
leaving it lying around like a wallet.


Cheers,

-- 
Vishal

 


---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Suggested "safe" password length Ashish Sharma (Nov 13)
- RE: Suggested "safe" password length Michael LaSalvia (Nov 14)
  - RE: Suggested "safe" password length dave kleiman (Nov 17)
- Re: Suggested "safe" password length Simon Gray (Nov 14)
  - RE: Suggested "safe" password length Enquiries (Nov 16)
  - Re: Suggested "safe" password length Robert & Marina Mantle (Nov 17)
    - Re: Suggested "safe" password length Anders Reed-Mohn (Nov 18)
    - Re: Suggested "safe" password length Peter Schawacker (Nov 18)
    - Re[2]: Suggested "safe" password length Vishal (Nov 20)
    - Re: Suggested "safe" password length Anders Reed-Mohn (Nov 20)
    - Re[2]: Suggested "safe" password length Vishal (Nov 21)
  - Re: Suggested "safe" password length Hollis Johnson (Nov 17)
- Re: Suggested "safe" password length Alessandro (Nov 16)
- Re: Suggested "safe" password length Tomas Wolf (Nov 17)
  - Re: Suggested "safe" password length Steve (Nov 17)
- <Possible follow-ups>
- Re: Suggested "safe" password length Patrick M Darienzo Jr (Nov 16)
  - RE: Suggested "safe" password length dave kleiman (Nov 17)
- RE: Suggested "safe" password length JohnNicholson (Nov 16)
  - RE: Suggested "safe" password length Ben Cain (Nov 17)
  - RE: Suggested "safe" password length dave kleiman (Nov 17)
- RE: Suggested "safe" password length Smith, KC (Nov 16)

(Thread continues...)