From owner-freebsd-security Mon Jan 15 11:43:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cx175057-a.ocnsd1.sdca.home.com (cx175057-a.ocnsd1.sdca.home.com [24.13.23.40])
	by hub.freebsd.org (Postfix) with ESMTP id 389DE37B402
	for ; Mon, 15 Jan 2001 11:43:32 -0800 (PST)
Received: from localhost (bri@localhost)
	by cx175057-a.ocnsd1.sdca.home.com (8.11.1/8.11.1) with ESMTP id f0FJhYb01739;
	Mon, 15 Jan 2001 11:43:34 -0800 (PST)
	(envelope-from bri@cx175057-a.ocnsd1.sdca.home.com)
Date: Mon, 15 Jan 2001 11:41:50 -0800 (PST)
From: Brian
To: David Talkington
Cc: security@FreeBSD.ORG
Subject: Re: opinions on password policies
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Don't you need to do special stuff on some unix flavors to allow more than
8 characters??

Bri

On Mon, 15 Jan 2001, David Talkington wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Steve Reid wrote:
>
> >On Sat, Jan 13, 2001 at 05:35:51PM -0600, Frank Tobin wrote:
> >> If forced to remember another password, most users (including myself)
> >> will often re-use a password they use at another place.
> >
> >If you let a user pick a password, nine times out of ten they will pick
> >a word or name, and if you're lucky they might append a single digit or
> >"123".
> >Of course, nobody wants to go to the trouble of memorizing a random
> >eight-character alphanumeric string. So, users are instructed to write
> >down the password on a small slip of paper.
>
> One interesting technique is the one I picked up from Martin Wolske,
> and it addresses all the above issues. Pick a very long phrase or
> sentence, unrelated to you personally, and with lots of punctuation,
> but that you won't forget. Now choose 8 or 10 characters from it at
> random, and write down their positions (say, the first, fourth, 14th,
> 20th, 19th, 31st, 10th, 8th, 39th).
>
> Now, as long as the original phrase is sufficiently long and
> unguessable: 1) it can be a common phrase in your native language; 2)
> you can reuse it safely for much longer than a single password; 3) you
> can write the keys down anywhere you like -- 1,4,14,20,19,31,10,8,39
> means nothing to anyone but you; 4) you can pick a different one for
> each system, and post it right on your monitor.
>
> An intruder would probably have to brute-force your password on
> several systems before he or she could piece together the original
> phrase (like Wheel Of Fortune =), by which time the wise administrator
> has already moved on to a different phrase.
>
> Of course, the convenience of this scheme depends on your ability to
> quickly count character positions in your head ...
>
> - -d
>
> - --
> David Talkington
> Prairienet
> dtalk@prairienet.org
> 217-244-1962
>
> PGP key: http://www.prairienet.org/~dtalk/dt000823.asc
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> Comment: Made with pgp4pine 1.75-6
>
> iQEVAwUBOmNBvr1ZYOtSwT+tAQFwSwf+JTdkprhPHDm561umxzgZ7HBXbc7Ibs3N
> wcyXL0Y00ZsXylczMCDJcFqvL2Vmk9WWui4qw4r5mj3irsAcdjYCxK4qukR46yxB
> rvun/hKcyhp+W30VjQaE+SDzm5pxxMMIbtfzv8IAdlbusaEpRHSWK6289UPYr5IL
> SPlmT50+n/lnIIC0sH3m4eauwYWPTAgzSbO/4UE60LcZAb5aMnqWFYM6dGrTfkLk
> dF7X0DWjfrpzAi9vcfvFrzHxI+qKiCOFAxzUySnn2UnmF2Q8w+J3QpR4ZxZNqyNa
> YqF/a65W2jl2GMbNKlK1J+uy0DAxWBciSM/JjnFbyDRCuucyoI9Ckw==
> =p81s
> -----END PGP SIGNATURE-----
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
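The phrase-and-positions scheme David Talkington quotes, worked through in code. This is an added example, not code from either poster or from the FreeBSD project; the phrase, the position lists and the "leaks" are constructed for illustration. Besides deriving the password from a phrase and a 1-based position list (rejecting a miscounted position instead of silently yielding a different password), it shows two things a practitioner would want to see: the point behind Brian's question, namely that a traditional DES-based crypt(3) hashes only the first 8 characters, so the 9th pick in the quoted list contributes nothing on such a system; and the "Wheel of Fortune" view, i.e. how much of the phrase an attacker learns once a password has been cracked on one or more systems and the openly posted position lists are readable.

```python
"""Added example (not from the thread): the phrase-and-positions password
scheme described in the quoted message, plus two checks worth having."""

# Constructed sample phrase for the example; a real one should be a long,
# punctuated sentence the user will not forget and that is unrelated to them.
PHRASE = ("Four score and seven years ago, our fathers brought forth on "
          "this continent a new nation.")

# The position list quoted in the message: 1st, 4th, 14th, 20th, ...
POSITIONS = [1, 4, 14, 20, 19, 31, 10, 8, 39]

# Traditional DES-based crypt(3) uses only the first 8 characters.
DES_CRYPT_LIMIT = 8


def derive_password(phrase, positions):
    """Return the characters of `phrase` at the given 1-based positions.

    Positions outside the phrase raise, so a miscount fails loudly rather
    than quietly producing a password other than the one the user expects.
    """
    if not positions:
        raise ValueError("no positions given")
    out = []
    for p in positions:
        if not isinstance(p, int) or p < 1 or p > len(phrase):
            raise ValueError(f"position {p} is outside 1..{len(phrase)}")
        out.append(phrase[p - 1])
    return "".join(out)


def effective_password(password, limit=DES_CRYPT_LIMIT):
    """The part of `password` a length-capped hash scheme actually uses.

    With DES crypt the 9th and later characters are ignored, which is the
    issue behind the question about allowing more than 8 characters.
    """
    return password[:limit]


def reconstruct(phrase_len, leaks):
    """What an attacker learns about the phrase from cracked passwords.

    `leaks` is a list of (positions, cracked_password) pairs, one per system
    whose password was recovered. The position lists are assumed readable,
    since the scheme posts them openly. Unknown characters are shown as '_'.
    """
    known = ["_"] * phrase_len
    for positions, password in leaks:
        for p, ch in zip(positions, password):
            known[p - 1] = ch
    return "".join(known)


if __name__ == "__main__":
    pw = derive_password(PHRASE, POSITIONS)
    print("derived password:     ", repr(pw))
    print("what DES crypt keeps: ", repr(effective_password(pw)))
    # Two systems cracked, each with its own posted position list (constructed).
    second = [2, 3, 5, 6, 7, 9]
    leaks = [(POSITIONS, pw), (second, derive_password(PHRASE, second))]
    print("attacker's view of the phrase:")
    print(reconstruct(len(PHRASE), leaks))
```

Run stand-alone, the script prints the derived password, its 8-character prefix, and a mask of the phrase with only the leaked positions filled in; adding more (positions, password) pairs to `leaks` shows how the phrase fills in as further systems fall.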