Date:      Mon, 15 Jan 2001 11:41:50 -0800 (PST)
From:      Brian <bri@cx175057-a.ocnsd1.sdca.home.com>
To:        David Talkington <dtalk@prairienet.org>
Cc:        security@FreeBSD.ORG
Subject:   Re: opinions on password policies
Message-ID:  <Pine.BSF.4.21.0101151141150.1704-100000@cx175057-a.ocnsd1.sdca.home.com>
In-Reply-To: <Pine.LNX.4.30.0101151212030.19013-100000@sherman.spotnet.org>

Don't you need to do special stuff on some unix flavors to allow more than
8 characters??

	Bri

On Mon, 15 Jan 2001, David Talkington wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> 
> Steve Reid wrote:
> >On Sat, Jan 13, 2001 at 05:35:51PM -0600, Frank Tobin wrote:
> >> If forced to remember another password, most users (including myself)
> >> will often re-use a password they use at another place.
> >
> >If you let a user pick a password, nine times out of ten they will pick
> >a word or name, and if you're lucky they might append a single digit or
> >"123".
> >Of course, nobody wants to go to the trouble of memorizing a random
> >eight-character alphanumeric string. So, users are instructed to write
> >down the password on a small slip of paper.
> 
> One interesting technique is the one I picked up from Martin Wolske,
> and it addresses all the above issues.  Pick a very long phrase or
> sentence, unrelated to you personally, and with lots of punctuation,
> but that you won't forget.  Now choose 8 or 10 characters from it at
> random, and write down their positions (say, the first, fourth, 14th,
> 20th, 19th, 31st, 10th, 8th, 39th).
> 
> Now, as long as the original phrase is sufficiently long and
> unguessable: 1) it can be a common phrase in your native language; 2)
> you can reuse it safely for much longer than a single password; 3) you
> can write the keys down anywhere you like -- 1,4,14,20,19,31,10,8,39
> means nothing to anyone but you; 4) you can pick a different one for
> each system, and post it right on your monitor.
> 
> An intruder would probably have to brute-force your password on
> several systems before he or she could piece together the original
> phrase (like Wheel Of Fortune =), by which time the wise administrator
> has already moved on to a different phrase.
> 
> Of course, the convenience of this scheme depends on your ability to
> quickly count character positions in your head ...
> 
> - -d
> 
> - -- 
> David Talkington
> Prairienet
> dtalk@prairienet.org
> 217-244-1962
> 
> PGP key: http://www.prairienet.org/~dtalk/dt000823.asc
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> Comment: Made with pgp4pine 1.75-6
> 
> -----END PGP SIGNATURE-----
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
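David's phrase-and-positions scheme, as an added example that is not part of the thread: the phrase and the second position list are constructed, the first position list is the one quoted above, and `crypt_effective` models the classic DES-based crypt(3) truncation to 8 characters that Brian is asking about. `revealed` shows what someone holding a password together with its position list learns of the phrase, which is the "Wheel Of Fortune" caveat from the post.

```python
from typing import Sequence, Tuple

# Constructed sample phrase: long, punctuated, and not personal, as the post advises.
PHRASE = "The quick, brown fox jumps over the lazy dog; it never looks back!"
# The position list quoted in the post (1-indexed). Only this needs writing down.
POSITIONS = (1, 4, 14, 20, 19, 31, 10, 8, 39)
# A second, constructed position list for another system (point 4 in the post).
POSITIONS_B = (2, 5, 12, 18, 22, 28, 33, 37, 42)


def derive_password(phrase: str, positions: Sequence[int]) -> str:
    """Characters of `phrase` at the given 1-indexed positions, in that order.
    Spaces and punctuation count as characters, which is where the scheme's
    non-alphanumeric content comes from. Out-of-range positions raise."""
    if any(p < 1 or p > len(phrase) for p in positions):
        raise ValueError("position outside phrase")
    return "".join(phrase[p - 1] for p in positions)


def crypt_effective(password: str, limit: int = 8) -> str:
    """Traditional DES-based crypt(3) uses only the first 8 characters of a
    password, so on such a system this is all that is actually checked; the
    9-position list from the post silently loses its last character there."""
    return password[:limit]


def revealed(phrase_len: int, *systems: Tuple[Sequence[int], str]) -> str:
    """Board of the phrase with only the slots exposed by the given
    (positions, password) pairs filled in; unknown characters show as '_'.
    Passing several pairs models the 'piece together the original phrase'
    scenario across several systems."""
    board = ["_"] * phrase_len
    for positions, password in systems:
        for p, ch in zip(positions, password):
            board[p - 1] = ch
    return "".join(board)


if __name__ == "__main__":
    pw_a = derive_password(PHRASE, POSITIONS)
    pw_b = derive_password(PHRASE, POSITIONS_B)
    print(repr(pw_a), "-> DES crypt sees", repr(crypt_effective(pw_a)))
    print("one system :", revealed(len(PHRASE), (POSITIONS, pw_a)))
    print("two systems:", revealed(len(PHRASE), (POSITIONS, pw_a), (POSITIONS_B, pw_b)))
```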