Re: Password Expatriation notification

[Eric Case <eric () ERICCASE COM>]

What do you think of searching for your passphrase with
https://encrypted.google.com?
-Eric 


Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase
(520) 344-CISO (2476)



> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Charles
> Buchholtz
> Sent: Thursday, August 19, 2010 12:50 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password Expatriation notification
>
> On Thu, Aug 19, 2010 at 12:04:30PM -0700, Alex Keller wrote:
> > re: I've watched people who have trouble typing try to enter passwords
> > and pass-phrases. When every character takes 5 seconds to type, a 9
> > character password is much easier than a 16 character pass-phrase.
> >
> > however, it is often easier for people to type passphrases (even poor
> > typists) becuase the keystrokes are familiar. i am not a great typist
> > and i can type "Should we go back to the moon?" much faster than
> > "vf$1048Za".
>
> I agree - it is difficult to predict who will prefer pass-phrases and
> who will prefer passwords.
>
> For people going to pass-phrases, are you preventing people from
> picking common catch-phrases?  I'm not seeing brute force pass-phrase
> guessing attacks, but I'd prefer to learn from history and build in my
> defense now.
>
> I liked the idea of Googling the pass-phrase (in quotes) and counting
> the hits, but that would involve sending all of our passwords in clear
> over the internet from our password management machine's IP.  It's too
> bad - Google makes a really good password/passphrase vetter.
>
> --- Chip
>
> Charles H. Buchholtz                  Director of Systems Programming
> chip () seas upenn edu                  School of Engineering and Applied Science
> http://www.seas.upenn.edu/~chip                 University of Pennsylvania

Attachment: smime.p7s
Description: