[TriLUG] Securely and Accurately transmit passwords

Chris Knowles chrisk at trilug.org
Tue Oct 2 08:27:16 EDT 2007


This is a very good point.

I *almost* wouldn't blame them if the passwords were of the form
"s2Adf3#5^@"

However, as directed by on high, I'm not allowed to set the passwords
that evilly.

Instead I use a diceware (http://www.diceware.com/) type scheme to
generate the passwords.

Two words, with a symbol or space between them.

Thus, a typical password is "solemn+stony" (Just rolled that one up)

While a little longer than the 6 chars we require, it's much easier to
remember than a completely random password, and has a good level of
entropy.

Well, much better than the name of their dog with a single digit after
it.

As an aside, diceware is a really nice way to generate longer
passphrases that you can actually remember.

CJK

On Tue, 2007-10-02 at 15:02 +1000, Jeremy Portzer wrote:
> Chris Knowles wrote:
> 
> > Recently we've started seeing that they've taken these cards, taped them
> > into their laptops in plain sight.  (And occasionally annotated them
> > with much too much information as to what that password would buy you.)
> > 
> > Since the passwords are complex, phone conversations tend to lead to a
> > lot of phonetic spelling and shouting.  
> 
> Maybe the problem is the passwords are TOO complex requiring all but the 
> most anal sysadmin to refer to a written reference?  Maybe you could 
> consider simplifying them a bit so people can more easily remember them? 
>   E.g. something like "2 of the 3:  digit, capital letter, or symbol." 
> Something like "Must contain at least 2 of each:  digit, capital 
> letters, and symbols" is much harder to deal with.
> 
> Also, do users pick their passwords or do you pick them arbitrarily?
> 
> There are a lot of 'social' aspects to password complexity schemes that 
> are interesting to study.  I don't know the state-of-the-art here.
> 
> --Jeremy
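The two-words-plus-separator scheme described above, as an added example that is not code from the post: it draws words with a CSPRNG from a constructed stand-in word list (the real Diceware list has 7776 entries, one per five-dice roll) and computes the entropy of the scheme for a given list size; the function and variable names are my own.

```python
import math
import secrets

# Constructed stand-in for a Diceware word list; the real list has 6**5 = 7776 words.
SAMPLE_WORDS = ["solemn", "stony", "apple", "river", "candle", "marble", "quiet", "tango"]
# One symbol or a space goes between the two words, as in the post.
SEPARATORS = "+-_.,!@#$%^&* "
DICEWARE_LIST_SIZE = 6 ** 5


def generate_passphrase(words, separators=SEPARATORS, n_words=2, rng=secrets):
    """Pick n_words uniformly (with replacement, like dice) and join with one random separator."""
    chosen = [rng.choice(words) for _ in range(n_words)]
    sep = rng.choice(separators)
    return sep.join(chosen)


def parse_passphrase(passphrase, separators=SEPARATORS):
    """Split a two-word passphrase at its single separator; returns (word1, sep, word2)."""
    positions = [i for i, ch in enumerate(passphrase) if ch in separators]
    if len(positions) != 1:
        raise ValueError("expected exactly one separator character")
    i = positions[0]
    return passphrase[:i], passphrase[i], passphrase[i + 1:]


def passphrase_entropy_bits(word_count, separator_count, n_words=2):
    """Entropy of a uniformly chosen passphrase: log2(word_count**n_words * separator_count)."""
    return n_words * math.log2(word_count) + math.log2(separator_count)


def random_string_entropy_bits(length, alphabet_size=95):
    """Entropy of a uniformly random string over printable ASCII (95 symbols by default)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    p = generate_passphrase(SAMPLE_WORDS)
    print(p, parse_passphrase(p))
    print("two Diceware words + separator:",
          round(passphrase_entropy_bits(DICEWARE_LIST_SIZE, len(SEPARATORS)), 1), "bits")
    print("10 random printable chars:", round(random_string_entropy_bits(10), 1), "bits")
```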