Hi Peter

Tuesday, November 18, 2003, 12:04:19 PM, you wrote:

PS> Actually, banks generally admonish customers specifically not to keep their
PS> PINs with their cards (which usually reside in customers' wallets).

Yes, this is about the worst thing you could do. ATMs use two-factor
authentication - "something you have", which is your card, and "something you
know", which is the PIN. If both are kept together, the system fails when
you lose your wallet.

There is actually a third factor as well - the camera. But this is only used
in tracking down incidents of misuse that have already occurred.

PS> If someone has to write down a password one of the last places it should
PS> go is in their wallet. Why? Because your wallet already gives away so much
PS> information about you.
PS> It's easy to leave a wallet on a desk if you're constantly having to rifle
PS> through it for a password list. And remember, where do women that carry
PS> purses usually leave their wallets? And where are those purses most of the
PS> time? Naturally, the purse lives under the desk, under the keyboard. So,
PS> in quite a few cases, the password in the wallet is nearly as convenient
PS> as the password under the keyboard.

Very valid points, and ones which counter Schneier's advocacy of keeping
passwords in your wallet. His follow-up suggestion, that there be two parts to
the password - one written down, and one that you remember - works though.
Assuming of course that people will go to the trouble of remembering a
reasonably complex part to remember. If they just add their wife's birthday on
to everything they've written down, this fails too.

PS> Assuming the password is meant for business purposes your best bet may be
PS> allowing employees to seal them in envelopes and store them in a safe.

This may be inconvenient, though. If they need these frequently, they'll be
tempted to keep a personal copy somewhere. You can guess where :)

PS> Another good option is to maintain a PGP encrypted text file of passwords.

Alternatively, use one of the password storage programs available. Preferably
pick one using a well-known, standard encryption algorithm.

PS> Of course by far the best answer in the long run is to use something other
PS> than passwords for authentication.

I agree. Or move to two- or three-factor authentication systems.
