Home page logo

basics logo Security Basics mailing list archives

Re[2]: Suggested "safe" password length
From: Vishal <dhrakol () myrealbox com>
Date: Thu, 20 Nov 2003 22:24:21 -0500

Hi Anders

Thursday, November 20, 2003, 4:56:36 AM, you wrote:

one of the last places it should go is in their wallet. Why? Because your
wallet already gives away so much information about you.

ARM> But how will this affect the password security?
ARM> You might say that keeping the password in the wallet would be a risk,
ARM> because even if the password-note says nothing about _where_ that password
ARM> is used,

People often reuse passwords. Knowing a password works in one place is often a good
step towards knowing passwords that work in other places.

ARM> And if your wallet is stolen by someone who's actually after that
ARM> password, well, then he already knew who you were, where you work and
ARM> where that password fits,

Not necessarily. He could know that it fits *one of* several places. He might
try that password in a few of the places you have access to, hoping to get in
somewhere. This might have been his aim in the first place. It may also turn
out to be a useful stepping stone in getting to where he does need to go.

Even if you don't happen to have the password to the particular place he's
interested in written down, the extra information could help him make some
good guesses. Which, if he's in the movies, will work flawlessly at the third
try :)

ARM> Also, people will notice that their wallets are gone. Thus, they can
ARM> alert sysadms, and have them close their account/change the password.

This is a valid point.

ARM> Not if your job depends on it.

Everyone gets complacent, lazy or forgetful once in a while, no matter the
consequences. Or I might simply have my mind on something else.

Another good option is to maintain a PGP encrypted text file of passwords.
That way the user only needs to remember one PGP passphrase.

ARM> Why is this any different than "constantly having to rifle through [your
ARM> wallet] for a password list"?

Because you can memorize that one passphrase. There isn't the chance of
leaving it lying around like a wallet.





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]