Date: Mon, 15 Jan 2001 12:30:18 -0600 (CST)
From: David Talkington <dtalk@prairienet.org>
Cc: <security@FreeBSD.ORG>
Subject: Re: opinions on password policies
Message-ID: <Pine.LNX.4.30.0101151212030.19013-100000@sherman.spotnet.org>
In-Reply-To: <20010114035821.A79825@grok.bc.hsia.telus.net>
-----BEGIN PGP SIGNED MESSAGE-----

Steve Reid wrote:

>On Sat, Jan 13, 2001 at 05:35:51PM -0600, Frank Tobin wrote:
>> If forced to remember another password, most users (including myself)
>> will often re-use a password they use at another place.
>
>If you let a user pick a password, nine times out of ten they will pick
>a word or name, and if you're lucky they might append a single digit or
>"123".
>Of course, nobody wants to go to the trouble of memorizing a random
>eight-character alphanumeric string. So, users are instructed to write
>down the password on a small slip of paper.

One interesting technique is the one I picked up from Martin Wolske, and it
addresses all the above issues.

Pick a very long phrase or sentence, unrelated to you personally, and with
lots of punctuation, but that you won't forget. Now choose 8 or 10
characters from it at random, and write down their positions (say, the
first, fourth, 14th, 20th, 19th, 31st, 10th, 8th, 39th). Now, as long as
the original phrase is sufficiently long and unguessable:

1) it can be a common phrase in your native language;
2) you can reuse it safely for much longer than a single password;
3) you can write the keys down anywhere you like -- 1,4,14,20,19,31,10,8,39
   means nothing to anyone but you;
4) you can pick a different one for each system, and post it right on
   your monitor.

An intruder would probably have to brute-force your password on several
systems before he or she could piece together the original phrase (like
Wheel Of Fortune =), by which time the wise administrator has already moved
on to a different phrase.

Of course, the convenience of this scheme depends on your ability to
quickly count character positions in your head ...
- -d

- -- 
David Talkington
Prairienet
dtalk@prairienet.org
217-244-1962
PGP key: http://www.prairienet.org/~dtalk/dt000823.asc

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
Comment: Made with pgp4pine 1.75-6

iQEVAwUBOmNBvr1ZYOtSwT+tAQFwSwf+JTdkprhPHDm561umxzgZ7HBXbc7Ibs3N
wcyXL0Y00ZsXylczMCDJcFqvL2Vmk9WWui4qw4r5mj3irsAcdjYCxK4qukR46yxB
rvun/hKcyhp+W30VjQaE+SDzm5pxxMMIbtfzv8IAdlbusaEpRHSWK6289UPYr5IL
SPlmT50+n/lnIIC0sH3m4eauwYWPTAgzSbO/4UE60LcZAb5aMnqWFYM6dGrTfkLk
dF7X0DWjfrpzAi9vcfvFrzHxI+qKiCOFAxzUySnn2UnmF2Q8w+J3QpR4ZxZNqyNa
YqF/a65W2jl2GMbNKlK1J+uy0DAxWBciSM/JjnFbyDRCuucyoI9Ckw==
=p81s
-----END PGP SIGNATURE-----
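The phrase-and-positions scheme described in the message above, worked through as an added example (this is editor-supplied code, not code from the post or from its author). It derives a password from a phrase and a 1-based position list, and then models the "Wheel Of Fortune" attack the post mentions: an intruder who has cracked the passwords on several systems and read the position lists off the monitors fills in the phrase one character at a time. The phrase, the second position list and the "cracked" passwords are constructed for the example; the first position list is the one quoted in the message.

```python
"""Phrase-and-positions passwords: derive one, then see what leaks reveal.

Constructed example. The phrase, the second position list and the cracked
passwords are made up for illustration; only POSITIONS_HOST_A comes from the
mailing-list post.
"""

from typing import Dict, Sequence, Tuple

# Constructed sample phrase: a well-known line, as the post allows.
PHRASE = ("Friends, Romans, countrymen, lend me your ears; "
          "I come to bury Caesar, not to praise him.")

# Position lists are 1-based, as a person counting on paper would use them.
POSITIONS_HOST_A = [1, 4, 14, 20, 19, 31, 10, 8, 39]   # quoted in the post
POSITIONS_HOST_B = [3, 12, 22, 35, 47, 64, 72, 80, 89]  # made up for host B


def derive_password(phrase: str, positions: Sequence[int]) -> str:
    """Return the password spelled out by the 1-based positions in the phrase.

    Positions may repeat and need not be sorted; their order is the order of
    the password characters. A position outside the phrase is an error rather
    than silently skipped, since skipping would change the password you
    believe you set.
    """
    if not positions:
        raise ValueError("no positions given")
    chars = []
    for pos in positions:
        if pos < 1 or pos > len(phrase):
            raise ValueError(
                f"position {pos} is outside the {len(phrase)}-character phrase")
        chars.append(phrase[pos - 1])
    return "".join(chars)


def reconstruct_phrase(phrase_len: int,
                       leaks: Sequence[Tuple[Sequence[int], str]]) -> str:
    """Model the post's "Wheel Of Fortune" attack.

    `leaks` holds one (position list, cracked password) pair per compromised
    system; the position lists are assumed known, since they were posted on
    the monitors. Returns the phrase as a template with '_' for every
    character the attacker has not recovered. Raises ValueError when two
    leaks disagree about a position, which is what the attacker sees once
    the user has moved on to a different phrase.
    """
    known: Dict[int, str] = {}
    for positions, password in leaks:
        if len(positions) != len(password):
            raise ValueError("position list and password lengths differ")
        for pos, ch in zip(positions, password):
            if known.get(pos, ch) != ch:
                raise ValueError(f"conflicting characters at position {pos}: "
                                 f"{known[pos]!r} vs {ch!r}")
            known[pos] = ch
    return "".join(known.get(i, "_") for i in range(1, phrase_len + 1))


def revealed_fraction(template: str) -> float:
    """Fraction of the phrase recovered in a reconstruct_phrase() template."""
    return sum(1 for c in template if c != "_") / len(template)


if __name__ == "__main__":
    pw_a = derive_password(PHRASE, POSITIONS_HOST_A)
    pw_b = derive_password(PHRASE, POSITIONS_HOST_B)
    print("host A password:", pw_a)
    print("host B password:", pw_b)
    # The attacker has cracked both passwords and read both position lists.
    template = reconstruct_phrase(len(PHRASE), [(POSITIONS_HOST_A, pw_a),
                                                (POSITIONS_HOST_B, pw_b)])
    print(template)
    print(f"{revealed_fraction(template):.0%} of the phrase recovered")
```

With the two constructed position lists, two cracked passwords hand the attacker 18 of the 89 characters, scattered through the phrase; whether that is enough to guess the rest is exactly the "sufficiently long and unguessable" condition the post puts on the phrase, and a well-known quotation is the easy case for an attacker matching the template against a list of quotations. The ValueError on a conflicting position is the attacker's signal that the phrase has been rotated, the defence the post relies on.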