[TriLUG] Securely and Accurately transmit passwords
jonc at nc.rr.com
Tue Oct 2 08:42:37 EDT 2007
I agree 100% with Chris. Having a password no one can guess *but* no one can remember is useless.
Rule #1 when I generate a secure password is that it has to be simple to memorize.
Rule #2 is that it has to be hard to guess.
We generally use simple phrases with numbers or symbols mixed in for spaces and other characters. This has worked for over a decade. The only problem being that I still remember most of the passwords generated over that decade!
Jon (elephant head) Carnes
BTW: given the choice of sending the PW in email or having the PW displayed on a card taped to the laptop, I would choose email :-)
---- Chris Knowles <chrisk at trilug.org> wrote:
> This is a very good point.
>
> I *almost* wouldn't blame them if the passwords were of the form
> "s2Adf3#5^@"
>
> However, as directed by on high, I'm not allowed to set the passwords
> that evilly.
>
> Instead I use a diceware (http://www.diceware.com/) type scheme to
> generate the passwords.
>
> Two words, with a symbol or space between them.
>
> Thus, a typical password is "solemn+stony" (Just rolled that one up)
>
> While a little longer than the 6 char we require, it's much easier to
> remember than a completely random password, and has a good level of
> entropy.
>
> Well, much better than the name of their dog with a single digit after
> it.
>
> As an aside, diceware is a really nice way to generate longer
> passphrases that you can actually remember.
>
> CJK
>
> On Tue, 2007-10-02 at 15:02 +1000, Jeremy Portzer wrote:
> > Chris Knowles wrote:
> >
> > > Recently we've started seeing that they've taken these cards, taped them
> > > into their laptops in plain sight. (And occasionally annotated them
> > > with much too much information as to what that password would buy you.)
> > >
> > > Since the passwords are complex, phone conversations tend to lead to a
> > > lot of phonetic spelling and shouting.
> >
> > Maybe the problem is the passwords are TOO complex, requiring all but the
> > most anal sysadmin to refer to a written reference? Maybe you could
> > consider simplifying them a bit so people can more easily remember them?
> > E.g. something like "2 of the 3: digit, capital letter, or symbol."
> > Something like "Must contain at least 2 of each: digit, capital
> > letters, and symbols" is much harder to deal with.
> >
> > Also, do users pick their passwords or do you pick them arbitrarily?
> >
> > There are a lot of 'social' aspects to password complexity schemes that
> > are interesting to study. I don't know the state-of-the-art here.
> >
> > --Jeremy
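Chris's two-words-plus-a-symbol scheme, as an added worked example (this is not code from the thread or from diceware.com): it performs the dice-roll-to-index lookup that the Diceware method uses, builds the passphrase with the OS CSPRNG instead of `random`, and computes how many bits of entropy each design carries so the "good level of entropy" claim can be checked against a fully random password. The 36-word list is constructed for the demo (the real list has 7776 words), and `SEPARATORS` is an assumed symbol set.

```python
import math
import secrets

# Constructed 36-word sample list (6**2, so two dice index it). The real
# Diceware list has 7776 = 6**5 words and is indexed by five dice.
SAMPLE_WORDS = [
    "acorn", "baker", "cable", "delta", "eagle", "fable",
    "gable", "haven", "ivory", "jolly", "kayak", "lemon",
    "mango", "noble", "oasis", "panda", "quilt", "raven",
    "solemn", "stony", "tulip", "umber", "vivid", "waltz",
    "xenon", "yacht", "zebra", "amber", "bison", "cedar",
    "dune", "ember", "flint", "grove", "heron", "igloo",
]
DICEWARE_LIST_SIZE = 7776  # 6**5 entries in the real list
SEPARATORS = "+-_.:;!@#$%^&*= "  # assumed set of 16 symbols -> log2(16) = 4 bits each


def roll_dice(n_dice):
    """Roll n_dice fair six-sided dice from the OS CSPRNG (secrets, not random)."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n_dice))


def dice_to_index(rolls):
    """Map a roll such as (1, 1, 1, 1, 2) to a 0-based list index.

    The first die is the most significant base-6 digit, matching the way the
    printed Diceware list is keyed (11111 is the first word, 66666 the last).
    """
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError(f"bad die face {face}")
        index = index * 6 + (face - 1)
    return index


def pick_word(words):
    """Diceware lookup: roll exactly enough dice to address every word once."""
    n_dice = round(math.log(len(words), 6))
    if 6 ** n_dice != len(words):
        raise ValueError("word list length must be a power of 6 for dice lookup")
    return words[dice_to_index(roll_dice(n_dice))]


def generate_passphrase(words, n_words=2, separators=SEPARATORS):
    """Chris's scheme: n_words dice-chosen words, one random symbol at each join."""
    chosen = [pick_word(words) for _ in range(n_words)]
    out = chosen[0]
    for word in chosen[1:]:
        out += secrets.choice(separators) + word
    return out


def passphrase_bits(list_size, n_words, n_separators):
    """Entropy in bits when every word and separator is chosen uniformly and independently."""
    return n_words * math.log2(list_size) + (n_words - 1) * math.log2(n_separators)


def random_password_bits(length, alphabet_size):
    """Entropy of a uniformly random string, e.g. 10 printable-ASCII characters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("sample:", generate_passphrase(SAMPLE_WORDS))
    print("two words + symbol, real list: %.1f bits"
          % passphrase_bits(DICEWARE_LIST_SIZE, 2, len(SEPARATORS)))
    print("six words, space separated:    %.1f bits"
          % passphrase_bits(DICEWARE_LIST_SIZE, 6, 1))
    print("10 random printable chars:     %.1f bits" % random_password_bits(10, 94))
```

The entropy arithmetic is the useful part: two Diceware words joined by one of 16 symbols give about 29.8 bits, which is what makes the scheme far stronger than a pet name plus a digit while staying memorable; the same function shows how quickly adding words catches up with a long random string, which is why the longer passphrases Chris mentions as an aside work so well.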