Date: Mon, 15 Jan 2001 11:41:50 -0800 (PST) From: Brian <bri@cx175057-a.ocnsd1.sdca.home.com> To: David Talkington <dtalk@prairienet.org> Cc: security@FreeBSD.ORG Subject: Re: opinions on password policies Message-ID: <Pine.BSF.4.21.0101151141150.1704-100000@cx175057-a.ocnsd1.sdca.home.com> In-Reply-To: <Pine.LNX.4.30.0101151212030.19013-100000@sherman.spotnet.org>
Don't you need to do special stuff on some unix flavors to allow more than 8 characters??

Bri

On Mon, 15 Jan 2001, David Talkington wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Steve Reid wrote:
>
> >On Sat, Jan 13, 2001 at 05:35:51PM -0600, Frank Tobin wrote:
> >> If forced to remember another password, most users (including myself)
> >> will often re-use a password they use at another place.
> >
> >If you let a user pick a password, nine times out of ten they will pick
> >a word or name, and if you're lucky they might append a single digit or
> >"123".
>
> >Of course, nobody wants to go to the trouble of memorizing a random
> >eight-character alphanumeric string. So, users are instructed to write
> >down the password on a small slip of paper.
>
> One interesting technique is the one I picked up from Martin Wolske,
> and it addresses all the above issues. Pick a very long phrase or
> sentence, unrelated to you personally, and with lots of punctuation,
> but that you won't forget. Now choose 8 or 10 characters from it at
> random, and write down their positions (say, the first, fourth, 14th,
> 20th, 19th, 31st, 10th, 8th, 39th).
>
> Now, as long as the original phrase is sufficiently long and
> unguessable: 1) it can be a common phrase in your native language; 2)
> you can reuse it safely for much longer than a single password; 3) you
> can write the keys down anywhere you like -- 1,4,14,20,19,31,10,8,39
> means nothing to anyone but you; 4) you can pick a different one for
> each system, and post it right on your monitor.
>
> An intruder would probably have to brute-force your password on
> several systems before he or she could piece together the original
> phrase (like Wheel Of Fortune =), by which time the wise administrator
> has already moved on to a different phrase.
>
> Of course, the convenience of this scheme depends on your ability to
> quickly count character positions in your head ...
>
> - -d
>
> - --
> David Talkington
> Prairienet
> dtalk@prairienet.org
> 217-244-1962
>
> PGP key: http://www.prairienet.org/~dtalk/dt000823.asc
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> Comment: Made with pgp4pine 1.75-6
>
> iQEVAwUBOmNBvr1ZYOtSwT+tAQFwSwf+JTdkprhPHDm561umxzgZ7HBXbc7Ibs3N
> wcyXL0Y00ZsXylczMCDJcFqvL2Vmk9WWui4qw4r5mj3irsAcdjYCxK4qukR46yxB
> rvun/hKcyhp+W30VjQaE+SDzm5pxxMMIbtfzv8IAdlbusaEpRHSWK6289UPYr5IL
> SPlmT50+n/lnIIC0sH3m4eauwYWPTAgzSbO/4UE60LcZAb5aMnqWFYM6dGrTfkLk
> dF7X0DWjfrpzAi9vcfvFrzHxI+qKiCOFAxzUySnn2UnmF2Q8w+J3QpR4ZxZNqyNa
> YqF/a65W2jl2GMbNKlK1J+uy0DAxWBciSM/JjnFbyDRCuucyoI9Ckw==
> =p81s
> -----END PGP SIGNATURE-----
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0101151141150.1704-100000>
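The positional-passphrase scheme quoted above, worked through as an added example (this is not code from the thread or from any of its participants). It derives a per-system password from a long phrase plus a public, 1-based position list, and then shows the "Wheel of Fortune" failure mode the post mentions: once passwords from several systems have been cracked, the public position lists let an intruder pin recovered characters back onto the phrase. The phrase, both position lists and all function names are constructed for illustration. Note for Brian's question: traditional DES-based crypt(3) only uses the first 8 characters of a password, so on such a system a longer selection buys nothing beyond position 8.

```python
"""Positional-passphrase scheme from the thread, as an added worked example.

Not code from the original post. PHRASE, the two position lists and the
function names are constructed for illustration.
"""

# Constructed sample phrase: long, unrelated to the user, plenty of punctuation.
PHRASE = "Don't panic: the answer is 42, but what's the question?"

# Constructed position lists, one per system, written down in the open as the
# post suggests (1-based, in the order the characters are typed).
POSITIONS_SYSTEM_A = [1, 4, 12, 28, 21, 40, 55, 9]
POSITIONS_SYSTEM_B = [2, 29, 36, 30, 47, 5, 14, 50]


def derive_password(phrase: str, positions: list[int]) -> str:
    """Build the password by picking the 1-based positions out of the phrase.

    Positions may repeat and need not be sorted; neither adds secrecy for an
    attacker who only sees the list, because the phrase is the real secret.
    """
    if not positions:
        raise ValueError("at least one position is required")
    bad = [p for p in positions if p < 1 or p > len(phrase)]
    if bad:
        raise ValueError(f"positions {bad} fall outside a phrase of length {len(phrase)}")
    return "".join(phrase[p - 1] for p in positions)


def reconstruct_phrase(leaks: list[tuple[list[int], str]], length: int) -> str:
    """The intruder's 'Wheel of Fortune' view of the phrase.

    Each leak is (position list, recovered password) for one compromised
    system; the position lists are public by design.  Returns the phrase
    with every still-unknown character shown as '_'.
    """
    slots = ["_"] * length
    for positions, password in leaks:
        if len(positions) != len(password):
            raise ValueError("position list and password differ in length")
        for p, ch in zip(positions, password):
            if slots[p - 1] not in ("_", ch):
                raise ValueError(f"conflicting characters at position {p}")
            slots[p - 1] = ch
    return "".join(slots)


def known_fraction(partial: str) -> float:
    """Fraction of the phrase an attacker has recovered so far."""
    return 1 - partial.count("_") / len(partial)


if __name__ == "__main__":
    pw_a = derive_password(PHRASE, POSITIONS_SYSTEM_A)
    pw_b = derive_password(PHRASE, POSITIONS_SYSTEM_B)
    print("system A password:", pw_a)
    print("system B password:", pw_b)

    # Suppose both passwords were cracked on their respective hosts: with the
    # public position lists, every cracked character lands on the phrase.
    partial = reconstruct_phrase(
        [(POSITIONS_SYSTEM_A, pw_a), (POSITIONS_SYSTEM_B, pw_b)], len(PHRASE)
    )
    print("intruder's view:  ", partial)
    print(f"phrase recovered: {known_fraction(partial):.0%}")
```

Two cracked 8-character passwords already expose 16 of the 55 phrase characters; the scheme's safety rests on rotating the phrase before enough systems fall, exactly as the post says, and on the phrase not being a quotation an attacker can match against the recovered letters.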