Security Basics mailing list archives
Re[2]: Suggested "safe" password length
From: Vishal <dhrakol () myrealbox com>
Date: Wed, 19 Nov 2003 13:20:35 -0500
Hi Peter

Tuesday, November 18, 2003, 12:04:19 PM, you wrote:

PS> Actually, banks generally admonish customers specifically not to keep their
PS> PINs with their cards (which usually reside in customers' wallets).

Yes, this is about the worst thing you could do. ATMs use two-factor authentication - "something you have", which is your card, and "something you know", which is the PIN. If both are kept together, the system fails when you lose your wallet. There is actually a third factor as well - the camera. But this is only used in tracking down incidents of misuse that have already occurred.

PS> If someone has to write down a password one of the last places it should
PS> go is in their wallet. Why? Because your wallet already gives away so much
PS> information about you.

<snip>..

PS> It's easy to leave a wallet on a desk if you're constantly having to rifle
PS> through it for a password list. And remember, where do women that carry
PS> purses usually leave their wallets? And where are those purses most of the
PS> time? Naturally, the purse lives under the desk, under the keyboard. So,
PS> in quite a few cases, the password in the wallet is nearly as convenient
PS> as the password under the keyboard.

Very valid points, and ones which counter Schneier's advocacy of keeping passwords in your wallet. His follow-up suggestion, that there be two parts to the password - one written down, and one that you remember - works though. Assuming of course that people will go to the trouble of remembering a reasonably complex part. If they just add their wife's birthday on to everything they've written down, this fails too.

PS> Assuming the password is meant for business purposes your best bet may be
PS> allowing employees to seal them in envelopes and store them in a safe.

This may be inconvenient, though. If they need these frequently, they'll be tempted to keep a personal copy somewhere. You can guess where :)

PS> Another good option is to maintain a PGP encrypted text file of passwords.

Alternatively, use one of the password storage programs available. Preferably pick one using a well-known, standard encryption algorithm.

PS> Of course by far the best answer in the long run is to use something other
PS> than passwords for authentication.

I agree. Or move to two- or three-factor authentication systems.

Cheers,
-- 
Vishal
Current thread:
- Suggested "safe" password length Ashish Sharma (Nov 13)
- RE: Suggested "safe" password length Michael LaSalvia (Nov 14)
- RE: Suggested "safe" password length dave kleiman (Nov 17)
- Re: Suggested "safe" password length Simon Gray (Nov 14)
- RE: Suggested "safe" password length Enquiries (Nov 16)
- Re: Suggested "safe" password length Robert & Marina Mantle (Nov 17)
- Re: Suggested "safe" password length Anders Reed-Mohn (Nov 18)
- Re: Suggested "safe" password length Peter Schawacker (Nov 18)
- Re[2]: Suggested "safe" password length Vishal (Nov 20)
- Re: Suggested "safe" password length Anders Reed-Mohn (Nov 20)
- Re[2]: Suggested "safe" password length Vishal (Nov 21)
- RE: Suggested "safe" password length Michael LaSalvia (Nov 14)
- Re: Suggested "safe" password length Steve (Nov 17)
- <Possible follow-ups>
- Re: Suggested "safe" password length Patrick M Darienzo Jr (Nov 16)
- RE: Suggested "safe" password length dave kleiman (Nov 17)
- RE: Suggested "safe" password length JohnNicholson (Nov 16)
- RE: Suggested "safe" password length Ben Cain (Nov 17)
