Home page logo

basics logo Security Basics mailing list archives

Re: Suggested "safe" password length
From: "Anders Reed-Mohn" <anders_rm () utepils com>
Date: Thu, 20 Nov 2003 10:56:36 +0100

Actually, banks generally admonish customers specifically not to keep
PINs with their cards (which usually reside in customers' wallets).

True, but several banks have Internet-banking services that authenticate the
based on a PIN, and a card with a certain amount of codes on it. (Dunno what
cards are called in english.) Once you've used all the codes, you get a new
card from
the bank with new. Sort of a one-time pad thingy...
Loose the card, and you've only lost a few possible codes. As well, the
number of
codes on the card is high enough to make the job of guessing the right one
enough (high number of failed attempts will alert the bank).

one of the last places it should go is
in their wallet. Why?  Because your wallet already gives away so much
information about you.

But how will this affect the password security?
You might say that keeping the password in the wallet would be a risk,
because even if the password-note says nothing about _where_ that password
is used, your wallet might contain information such as your business card,
again tells someone where you work, and let's the have a guess at where that
However, that is a very theoretical risk, and not one I would consider in
Why? Well, the random pick-pocket is not looking for passwords, and probably
doesn't care
if he finds one, even if he does understand what it is. So, he's not going
to be much of a threat.
And if your wallet is stolen by someone who's actually after that password,
well, then he
already knew who you were, where you work and where that password fits, so
the extra
info in the wallet has no extra value for him.
Keeping the password on your person raises the bar for the thief, and that's
the effect we're after,
(besides enabling a user to have stronger passwords).
Also, people will notice that their wallets are gone. Thus, they can alert
sysadms, and have them
close their account/change the password.

It's easy to leave a wallet on a desk if
you're constantly having to rifle through it for a password list.

Not if your job depends on it.
Besides, many companies do not auto-lock idle workstations, and users
sure don't  care to do it themselves. So, if you leave your office, I don't
need your password to get into you computer.

suming the password is meant for business purposes your best bet may be
allowing employees to seal them in envelopes and store them in a safe.

and have to make a new envelope per person, per day?
Naah.. don't think so.

Another good option is to maintain a PGP encrypted text file of passwords.
That way the user only needs to remember one PGP passphrase.

Why is this any different than "constantly having to rifle through [your
for a password list"?

Of course by far the best answer in the long run is to use something other
than passwords for authentication.

Couldn't agree more. Though since biometrics still suck, I don't know what
alternative is.

Anders :)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]