[TriLUG] Securely and Accurately transmit passwords

Steve Kuekes steve at kuekes.homeip.net
Tue Oct 2 09:45:06 EDT 2007


I've been using apg which is a package that has a command to generate 
random passwords that are gibberish, but pronounceable.  The man page 
documents how to make it use different algorithms to generate passwords. 
I just run it a few times to find a password that I like.

jonc at nc.rr.com wrote:
> I agree 100% with Chris. Having a password no one can guess *but*  no one can remember is useless.
> Rule #1 when I generate a secure password is that it has to be simple to memorize.
> Rule #2 is that it has to be hard to guess.
> 
> We generally use simple phrases with numbers or symbols mixed in for spaces and other characters. This has worked for over a decade. The only problem being that I still remember most of the passwords generated over that decade!
> 
> Jon (elephant head) Carnes
> 
> BTW: given the choice of sending the PW in email or having the PW displayed on a card taped to the laptop, I would choose email :-)
> 
> 
> ---- Chris Knowles <chrisk at trilug.org> wrote: 
> 
>>This is a very good point.
>>
>>I *almost* wouldn't blame them if the passwords were of the form
>>"s2Adf3#5^@"
>>
>>However, as directed by on high, I'm not allowed to set the passwords
>>that evilly.
>>
>>Instead I use a diceware (http://www.diceware.com/) type scheme to
>>generate the passwords.
>>
>>Two words, with a symbol or space between them.
>>
>>Thus, a typical password is "solemn+stony" (Just rolled that one up)
>>
>>While a little longer than the 6 char we require, it's much easier to
>>remember than a completely random password, and has a good level of
>>entropy.
>>
>>Well, much better than the name of their dog with a single digit after
>>it.
>>
>>As an aside, diceware is a really nice way to generate longer
>>passphrases that you can actually remember.
>>
>>CJK
>>
>>On Tue, 2007-10-02 at 15:02 +1000, Jeremy Portzer wrote:
>>
>>>Chris Knowles wrote:
>>>
>>>
>>>>Recently we've started seeing that they've taken these cards, taped them
>>>>into their laptops in plain sight.  (And occasionally annotated them
>>>>with much too much information as to what that password would buy you.)
>>>>
>>>>Since the passwords are complex, phone conversations tend to lead to a
>>>>lot of phonetic spelling and shouting.  
>>>
>>>Maybe the problem is the passwords are TOO complex requiring all but the 
>>>most anal sysadmin to refer to a written reference?  Maybe you could 
>>>consider simplifying them a bit so people can more easily remember them? 
>>>E.g. something like "2 of the 3:  digit, capital letter, or symbol." 
>>>Something like "Must contain at least 2 of each:  digit, capital 
>>>letters, and symbols" is much harder to deal with.
>>>
>>>Also, do users pick their passwords or do you pick them arbitrarily?
>>>
>>>There are a lot of 'social' aspects to password complexity schemes that 
>>>are interesting to study.  I don't know the state-of-the-art here.
>>>
>>>--Jeremy
> 
> 

-- 
Steve Kuekes

Insight Racing - Urban Grand Challenge('07) - http://www.insightracing.org
Private Pilot: N9259R '95 Saratoga based at Sanford-Lee County Regional 
(TTA)
email: skuekes at nc.rr.com
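The two-words-plus-separator scheme Chris describes, as an added example that is not code from this thread or from the Diceware project. The eight-word list is a constructed stand-in for the real 7776-word Diceware list, and the separator set is an assumption; the entropy arithmetic shows why "solemn+stony" beats a dog's name with one digit.

```python
import math
import secrets

# Constructed toy word list standing in for the 7776-word Diceware list,
# which is indexed by five dice rolls (11111..66666).
TOY_WORDS = ["solemn", "stony", "apple", "river", "cloud", "maple", "stone", "quiet"]
SEPARATORS = "+-.!@#$%^&* "   # assumed set of symbols allowed between the words
DICEWARE_LIST_SIZE = 6 ** 5   # 7776 words in the real list


def roll_dice(n):
    """Roll n fair dice with a CSPRNG; returns faces 1..6."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def dice_to_index(rolls):
    """Map a Diceware roll such as [1,1,1,1,2] to a 0-based list index (base 6)."""
    idx = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("die face must be 1..6")
        idx = idx * 6 + (r - 1)
    return idx


def pick_word_by_dice(words):
    """Pick a word by dice, rejecting out-of-range rolls instead of using
    modulo so that every word stays equally likely (no modulo bias)."""
    n_dice = 1
    while 6 ** n_dice < len(words):
        n_dice += 1
    while True:
        idx = dice_to_index(roll_dice(n_dice))
        if idx < len(words):
            return words[idx]


def generate(words=TOY_WORDS, n_words=2, separators=SEPARATORS):
    """Build 'word<sep>word...' with uniformly chosen words and separators."""
    out = pick_word_by_dice(words)
    for _ in range(n_words - 1):
        out += secrets.choice(separators) + pick_word_by_dice(words)
    return out


def entropy_bits(list_size, n_words, n_separators):
    """Entropy of n_words drawn uniformly from list_size words, joined by
    n_words-1 separators each drawn uniformly from n_separators symbols."""
    return n_words * math.log2(list_size) + (n_words - 1) * math.log2(n_separators)
```

With the real list, two words and one of twelve separators give about 29 bits, versus roughly 3.3 bits for one digit appended to a guessable name.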


