Security Basics mailing list archives

proper password handling


From: Robert.Graham () bt infonet com
Date: Tue, 3 Oct 2006 12:57:30 -0700


The best solution I ever heard of was from the Security Guru himself, Bruce
Schneier:

Create passwords with a secret string that you commit to memory, in the middle.
Write down the password with everything but this special string. Then, from the
user side, it simulates two factor authentication (something you have [the paper]
and something you know [your secret string]). Even if the paper is lost or
compromised, the damage is minimal. Ideally, once the paper is compromised, the
password is changed, but the secret string may be re-used. Best would be to lock
up a safe copy so that should the carry copy be lost, that password can be reset
easily and quickly.

Today, with so many passwords, it's not possible to create strong ones that can
be remembered.

Robert J Graham | Security Engineer | Global Security Group | BT Infonet | Tel:
+1 310 335 4454  | E: robert.graham () bt infonet com | http://www.bt.infonet.com
