[TriLUG] Securely and Accurately transmit passwords

jonc at nc.rr.com
Tue Oct 2 08:42:37 EDT 2007


I agree 100% with Chris. Having a password no one can guess *but* no one can remember is useless.
Rule #1 when I generate a secure password is that it has to be simple to memorize.
Rule #2 is that it has to be hard to guess.

We generally use simple phrases with numbers or symbols mixed in for spaces and other characters. This has worked for over a decade. The only problem being, that I still remember most of the passwords generated over that decade!

Jon (elephant head) Carnes

BTW: given the choice of sending the PW in email or having the PW displayed on a card taped to the laptop, I would choose email :-)


---- Chris Knowles <chrisk at trilug.org> wrote: 
> This is a very good point.
> 
> I *almost* wouldn't blame them if the passwords were of the form
> "s2Adf3#5^@"
> 
> However, as directed by on high, I'm not allowed to set the passwords
> that evilly.
> 
> Instead I use a diceware (http://www.diceware.com/) type scheme to
> generate the passwords.
> 
> Two words, with a symbol or space between them.
> 
> Thus, a typical password is "solemn+stony" (Just rolled that one up)
> 
> While a little longer than the 6 char we require, it's much easier to
> remember than a completely random password, and has a good level of
> entropy.
> 
> Well, much better than the name of their dog with a single digit after
> it.
> 
> As an aside, diceware is a really nice way to generate longer
> passphrases that you can actually remember.
> 
> CJK
> 
> On Tue, 2007-10-02 at 15:02 +1000, Jeremy Portzer wrote:
> > Chris Knowles wrote:
> > 
> > > Recently we've started seeing that they've taken these cards, taped them
> > > into their laptops in plain sight.  (And occasionally annotated them
> > > with much too much information as to what that password would buy you.)
> > > 
> > > Since the passwords are complex, phone conversations tend to lead to a
> > > lot of phonetic spelling and shouting.  
> > 
> > Maybe the problem is the passwords are TOO complex requiring all but the 
> > most anal sysadmin to refer to a written reference?  Maybe you could 
> > consider simplifying them a bit so people can more easily remember them? 
> > E.g. something like "2 of the 3:  digit, capital letter, or symbol." 
> > Something like "Must contain at least 2 of each:  digit, capital 
> > letters, and symbols" is much harder to deal with.
> > 
> > Also, do users pick their passwords or do you pick them arbitrarily?
> > 
> > There are a lot of 'social' aspects to password complexity schemes that 
> > are interesting to study.  I don't know the state-of-the-art here.
> > 
> > --Jeremy
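The two-words-plus-separator scheme Chris describes, as an added example that is not part of this thread: it picks words with a CSPRNG (the software stand-in for the dice) and puts the entropy of that scheme next to a fully random six-character password and the dog's-name-plus-digit case. The eight-word list and the separator set are constructed placeholders; a real diceware list has 7776 entries.

```python
import math
import secrets

# Constructed stand-in for a diceware word list; only its length matters for entropy.
WORDS = ["solemn", "stony", "adobe", "cloud", "hinge", "marsh", "pivot", "quilt"]
SEPARATORS = "+-_.,=!@#$%^&* "   # assumed separator set (15 symbols incl. space)
DICEWARE_LIST_SIZE = 6 ** 5       # 7776 words, one per five-dice roll


def roll_word_index(rolls=5):
    """Five cryptographically random dice rolls -> index 0..7775, mirroring the
    diceware lookup of 11111..66666 against the printed list."""
    idx = 0
    for _ in range(rolls):
        idx = idx * 6 + secrets.randbelow(6)
    return idx


def generate(words=WORDS, word_count=2, separators=SEPARATORS):
    """Build '<word><sep><word>' as in the thread's example 'solemn+stony'.
    With a full 7776-word list the dice mapping is used; a shorter list is
    sampled directly to avoid modulo bias."""
    if len(words) == DICEWARE_LIST_SIZE:
        chosen = [words[roll_word_index()] for _ in range(word_count)]
    else:
        chosen = [secrets.choice(words) for _ in range(word_count)]
    return secrets.choice(separators).join(chosen)


def scheme_entropy_bits(list_size, word_count, separator_choices):
    """Entropy when every word and the separator are chosen uniformly."""
    return word_count * math.log2(list_size) + math.log2(separator_choices)


def random_password_entropy_bits(alphabet_size, length):
    """Entropy of a fully random string, e.g. the 's2Adf3#5^@' style."""
    return length * math.log2(alphabet_size)


def dog_plus_digit_entropy_bits(common_names=100):
    """Dog's name from a list of common names followed by one digit."""
    return math.log2(common_names) + math.log2(10)


if __name__ == "__main__":
    print(generate())
    print("two diceware words:", round(scheme_entropy_bits(7776, 2, 15), 1), "bits")
    print("6 random printable chars:", round(random_password_entropy_bits(94, 6), 1), "bits")
    print("dog name + digit:", round(dog_plus_digit_entropy_bits(), 1), "bits")
```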
