Firewall Wizards mailing list archives

Re: "Proactive" Password Checking


From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Wed, 10 Nov 1999 10:30:32 -0500 (EST)

Just read this password checking thread, and a lot of you seem to say some things which seem a bit strange to me.
  
A complex password does not have to be something like "$5dsdDe%AzW3q"; this is hard to crack and hard to remember
(users forgetting it or writing it down).

Now consider the password "maryhadalittlelamb": hard to crack, easy to remember, not a problem for dictionary
crackers. Just tell users to put a few words _together_ for security, like their favorite song lyric or something.

I felt obligated to tell you all this, because it felt like no person in the thread was aware or voiced this.

"Kurt Buff" <kurtbuff () lightmail com> 11/05/99 07:35PM >>>

If it is known that this is your password technique, I am sure a lot of
passwords will be easily cracked in short order.  >;->  There are a
finite number of truly popular songs.  Just listen to what a target hums
or listens to, to narrow the search even further.

Some systems have a fixed, short password size, and can't change it,
since there is a lot of code that assumes that standard password setup.
It may even be embedded in IEEE and FIPS standards.  ;-)  In those
cases, it is a good idea to have pronounceable but "strange" passwords,
with embedded punctuation characters and digits, and mixed case
[assuming the system is intelligent enough to understand the difference
between cases].  One site I know of got multiple language dictionaries
and chooses words at random from all of them, inserting punctuation at
odd places.  The trick there is to find the words that aren't offensive
in any other language ... a yet unsolved problem.  ;-)

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
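A proactive checker built around the argument above, as an added example (not code from the list or from either poster): it scores a candidate password under the weakest of three attacker models, a list of popular phrases, a common-word dictionary applied to word-concatenation passphrases, and plain brute force over the character set. The word list, phrase list and list sizes are constructed placeholders; a real deployment would load system dictionaries and a lyric corpus.

```python
import math

# Constructed placeholder lists (assumption: a real checker loads far larger ones).
WORDS = {"mary", "had", "a", "little", "lamb", "the", "cat", "sat", "on", "mat"}
KNOWN_PHRASES = {"maryhadalittlelamb", "twinkletwinklelittlestar"}
COMMON_WORDS = 5_000      # assumed size of the attacker's common-word list
PHRASE_LIST = 10_000      # assumed size of a popular-lyric / phrase list


def segment(password, words=WORDS):
    """Split password into the fewest dictionary words (DP); None if impossible."""
    best = [None] * (len(password) + 1)
    best[0] = []
    for i in range(1, len(password) + 1):
        for j in range(i):
            if best[j] is not None and password[j:i] in words:
                cand = best[j] + [password[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(password)]


def charset_size(password):
    """Size of the smallest standard character class set covering the password."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33
    return size


def estimate_bits(password):
    """Return (bits, reason) for the cheapest attack model the password falls to."""
    if not password:
        return 0.0, "empty"
    lowered = password.lower()
    if lowered in KNOWN_PHRASES:            # "everyone uses that lyric" model
        return math.log2(PHRASE_LIST), "known phrase"
    brute = len(password) * math.log2(charset_size(password))
    words = segment(lowered)                # word-concatenation model
    if words is not None:
        dict_bits = len(words) * math.log2(COMMON_WORDS)
        if dict_bits < brute:
            return dict_bits, f"{len(words)} dictionary words"
    return brute, "brute force over character set"


def check(password, min_bits=40):
    """Accept only if the weakest model still leaves at least min_bits of work."""
    bits, reason = estimate_bits(password)
    return bits >= min_bits, bits, reason
```

"maryhadalittlelamb" is rejected as a known phrase, while a passphrase of uncommon words or a "$5dsdDe%AzW3q"-style string passes, which is the distinction the thread is arguing about.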