Devon H. O'Dell wrote:
2010/6/29 erik quanstrom <quans...@labs.coraid.com>:
I don't understand why modern security systems have an upper limit on 
passphrase length.
Because people can't remember passwords, and companies don't like
employing full-time password changers.
i don't understand this comment.  the length of a password
is only vaguely related to memorability.  long english phrases
are easy to remember.  unfortunately, they are also easy to
harvest automatically, so "four score and seven years ago" might
be a bad password.

The problem is two-fold:

a) Lay-people are told by all their "computer guru" friends to choose
a password that is difficult to guess. Add numbers, capital letters,
punctuation. Most people don't think in this sort of context, and it
is difficult to remember.

b) People don't regard the idea as particularly important. I know many
people who routinely forget 6-8 character passwords.

Many banks still use 4 digit PINs on their ATM cards, without problem. Possession is a very important factor.

The token that will prevail of course is the phone - even though it denies relying parties the billboard value of a card.

Now, will developers be smart enough to isolate the private key from the phone's porous OS? The jury is out on that.

wk

--
Learn about The Authenticity Economy at
http://video.google.com/videoplay?docid=-1419344994607129684&hl=en#
