Home page logo
/

basics logo Security Basics mailing list archives

Re: Suggested "safe" password length
From: "Peter Schawacker" <peter () schawacker com>
Date: Tue, 18 Nov 2003 09:04:19 -0800

Actually, banks generally admonish customers specifically not to keep their
PINs with their cards (which usually reside in customers' wallets).  If
someone has to write down a password one of the last places it should go is
in their wallet. Why?  Because your wallet already gives away so much
information about you.  Why add more to it?  Even your keyboard doesn't have
your drivers license and credit card numbers attached.  And don't assume
that your wallet is secure just because you sit on it most of the time.
Have you ever lost a wallet?  It's easy to leave a wallet on a desk if
you're constantly having to rifle through it for a password list.  And
remember, where to women that carry purses usually leave their wallets?  And
where are those purses most of the time?  Naturally, the purse lives under
the desk, under the keyboard.  So, in quite a few cases, the password in the
wallet is nearly as convenient as the password under the keyboard.

Assuming the password is meant for business purposes your best bet may be
allowing employees to seal them in envelopes and store them in a safe.
Another good option is to maintain a PGP encrypted text file of passwords.
That way the user only needs to remember one PGP passphrase.    The ultra
paranoid can split each password between two envelopes and place them in two
safes operated by different managers -- preferably competing managers or
ones that work in different disciplines.

Of course by far the best answer in the long run is to use something other
than passwords for authentication.

Peter


----- Original Message ----- 
From: "Anders Reed-Mohn" <anders_rm () utepils com>
To: <security-basics () securityfocus com>
Sent: Tuesday, November 18, 2003 5:18 AM
Subject: Re: Suggested "safe" password length



----- Original Message ----- 
From: "Robert & Marina Mantle" <rwmantle () rogers com>
    True, although best practices suggest a password of at least 8
characters, too long a password and users will have a tendency of
writing
them down rather than attempt to commit them to memory.


Well,  why not just let them write it down?
Put it on a piece of paper, and let them keep it in their wallet (not
under
the
keyboard, naturally).

I mean..  banks trust this approach, why can't we?

Cheers,
Anders :)


--------------------------------------------------------------------------
-
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security
to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
--------------------------------------------------------------------------
--



---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]