Thought maybe I could garner some opinions on the usability of
password enforcement techniques.
Recently, I've noticed a trend towards more secure passwords for
many things, and that's a good idea. However, I've also noticed that
certain web sites take that to an extreme, disallowing the
Hey Kenny,
I worked in the field (computer security) for a couple of years. In the
simplest terms, the continuum is between ease of use, and security. Just as
you state... the extremes are not good. Easy to use = easy to crack. Hard to
crack = hard to remember. Forcing any or all of those criteria
I know I was taught by a shockingly sane network engineer that the
easy way to develop hard to crack passwords was to choose a regular
word of the right length in your native language and then substitute
number(s) and punctuation marks as appropriate and capitalize either
the first or last
The problem with this trend (and I'm seeing it as such, too, Kenny)
is that it presumes that more security is always better. But in many
use cases (blogs, mailing lists, software tech support), such
stringent security can be ridiculous and inconvenient.
Security is not just protection. It's also
yes but passwords like those you describe are prone to hacking as they
contain dictionary words that some brute force password crackers use to
increase their chances of cracking passwords.
On Feb 19, 2008 3:10 PM, Anthony Hempell [EMAIL PROTECTED] wrote:
Another strategy is to create memorable Name/Number combinations that
are part of a larger set that can be mined for almost infinite
password ideas, such as:
Car make / year (Cadillac77 or Mustang!56)
Athlete / number (Jordan23 or Gretzky!99)
etc
On 19-Feb-08, at 12:00 PM, Katie
Yeah. Depends on what you're securing and from whom. Good combo is the
old biometric plus passphrase plus mutating challenge-response. But 99.9
don't require it since most people will willingly give up their pw
through social engineering and cmps capable of brute force are too
busy
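An added example (not written by anyone in this thread) showing why the word-plus-substitution passwords and the Name/Number combinations discussed above shrink under a dictionary attack: it undoes the usual digit and punctuation substitutions, strips the trailing numbers, looks the core up in a wordlist, and contrasts the naive character-class strength estimate with the space a cracker actually has to search. The wordlist, substitution table and search-space constants are constructed assumptions, not figures from the thread.

```python
import math
import re

# Constructed mini wordlist; real crackers load millions of entries
# (dictionaries, car makes, athlete names, leaked passwords).
WORDLIST = {"cadillac", "mustang", "jordan", "gretzky", "password", "summer"}

# Substitutions that cracking rule sets apply and undo; reversing them before
# the lookup is what defeats the "word plus a few symbols" scheme.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

SUFFIX_RE = re.compile(r"[\d\W_]+$")   # trailing digits/punctuation: 77, !56, 23


def base_word(pw: str):
    """Return the dictionary word the password is built on, or None."""
    core = SUFFIX_RE.sub("", pw)                      # Mustang!56 -> Mustang
    for candidate in (core, re.sub(r"^[\d\W_]+", "", core)):
        word = candidate.translate(LEET).lower()      # C4dill4c -> cadillac
        if word in WORDLIST:
            return word
    return None


def assess(pw: str) -> dict:
    """Naive bits assume every character is independent; effective bits model
    a cracker that tries wordlist x capitalisation x substitutions x suffix."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)]
    charset = sum(size for pat, size in classes if re.search(pat, pw))
    naive_bits = len(pw) * math.log2(charset or 1)

    word = base_word(pw)
    if word is None:   # no dictionary core found: fall back to the naive figure
        return {"base_word": None, "naive_bits": round(naive_bits, 1),
                "effective_bits": round(naive_bits, 1), "weak": False}

    core = SUFFIX_RE.sub("", pw)
    suffix_len = len(pw) - len(core)
    n_subst = sum(ch in "013457@$!" for ch in core)    # each one: applied or not
    # Assumed model: 4 capitalisation variants, 43 candidates per suffix char
    search_space = len(WORDLIST) * 4 * 2 ** n_subst * 43 ** suffix_len
    return {"base_word": word, "naive_bits": round(naive_bits, 1),
            "effective_bits": round(math.log2(search_space), 1), "weak": True}
```

With the real wordlist sizes crackers use the effective figure grows by a few tens of bits, but it still sits far below the naive estimate that a length-and-character-class policy rewards.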