Security Basics mailing list archives
proper password handling
From: Robert.Graham () bt infonet com
Date: Tue, 3 Oct 2006 12:57:30 -0700
The best solution I ever heard of was from the Security Guru himself, Bruce Schneier: Create passwords with a secret string that you commit to memory, in the middle. Write down the password with everything but this special string. Then, from the user side, it simulates two factor authentication (something you have[the paper] and something you know [your secret string]). Even if the paper is lost or compromised, the damage is minimal. Ideally, once the paper is compromised, the password is changed, but the secret string may be re-used. Best would be to lock up a safe copy so that should the carry copy be lost, that password can be reset easily and quickly. Today, with so many passwords, it's not possible to create strong ones that can be remembered. Robert J Graham | Security Engineer | Global Security Group | BT Infonet | Tel: +1 310 335 4454 | E: robert.graham () bt infonet com | http://www.bt.infonet.com --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- proper password handling Robert . Graham (Oct 03)
- Re: proper password handling Mario A. Spinthiras (Oct 04)
- RE: proper password handling Isaac Van Name (Oct 06)
- Re: proper password handling Zapotek (Oct 04)
- <Possible follow-ups>
- Re: proper password handling krymson (Oct 06)
- Re: proper password handling Gregory Rubin (Oct 10)
- Re: proper password handling Mario A. Spinthiras (Oct 10)
- Re: proper password handling Mario A. Spinthiras (Oct 04)