Home page logo
/

basics logo Security Basics mailing list archives

Re: Suggested "safe" password length
From: No God <nogodhere () hotmail com>
Date: Wed, 19 Nov 2003 14:58:40 -0500



If you keep the number down on paper and in a place that can be taken, at
least use something to keep the dumb crooks out of it.  Please leading
numbers and trailing numbers after the PIN and make it look like a SSN or
something.  Make the numbers at least look lik they were written at the same
time and with the same ink (duh!).

For Windows passwords use some of the ALT characters which cracking tools
have a hard time with and remember where they are (between the two worded
password, at the end, etc) and then you can leave the password in cleartext
on your freaking bumper sticker and they will hopefully lock out the account
before you log on next.

Good luck....

It isn't like a token since more token authentication changes at a random
time period so if you have the token in hand it isn't going to necessarily
get you anything!
-- 

On 11/18/03 12:15, "Kenneth Buchanan" <K.Buchanan () Kastenchase com> wrote:


:)  I was waiting for someone to mention this.

Bruce Schneier advocates this approach:
"My wallet is already a secure container; it has valuable things in it, and
I have a lifetime of experience keeping it safe. Adding a piece of paper
with my passwords seems like a natural thing to do."
http://uk.biz.yahoo.com/030902/244/e7d3m.html

It actually makes a lot of sense.  A cryptic 'hard to remember' password
tends to be far more difficult to brute force, so why not just go with it,
have people write it down, and instruct them to keep the paper safe?  It
becomes a little like an authentication token.

As someone else pointed out, once they've entered it a certain number of
times they will remember it anyway, at which point they won't have to pull
out their wallets every time they need to log in.


-----Original Message-----
From: Anders Reed-Mohn [mailto:anders_rm () utepils com]
Sent: Tuesday, November 18, 2003 8:19 AM
To: security-basics () securityfocus com
Subject: Re: Suggested "safe" password length



----- Original Message -----
From: "Robert & Marina Mantle" <rwmantle () rogers com>
    True, although best practices suggest a password of at least 8
characters, too long a password and users will have a tendency of writing
them down rather than attempt to commit them to memory.


Well,  why not just let them write it down?
Put it on a piece of paper, and let them keep it in their wallet (not under
the
keyboard, naturally).

I mean..  banks trust this approach, why can't we?

Cheers,
Anders :)


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to

simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------



---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault