I know I was taught by a shockingly sane network engineer that the easy way to develop hard to crack passwords was to choose a regular word of the right length in your native language and then substitute number(s) and punctuation marks as appropriate and capitalize either the first or last letter. As long as you use consistent substitutions, all you have to remember is the word. So, for example, "Olympics" becomes "0!ymp1cS" and in all my passwords O becomes 0, L becomes !, I becomes 1 and so forth. Not all users have to use the same set of substitutions, but each user needs to be consistent from one password to the next, otherwise it's yet another memory problem.
Is there a problem with recommending -- perhaps on a "help" linked page -- such a method to users?

At 2:24 PM -0500 2/19/08, mark schraad wrote:
>Hey Kenny,
>I worked in the field (computer security) for a couple of years. In the
>simplest terms, the continuum is between ease of use, and security. Just as
>you state... the extremes are not good. Easy to use = easy to crack. Hard to
>crack = hard to remember. Forcing any or all of those criteria is pretty
>harsh unless the site has a lot of liability. Suggesting those as 'tips' for
>a more secure password offers the user a lot of flexibility.
>
>Mark
>
>On Feb 19, 2008 11:33 AM, Kenny Kutney <[EMAIL PROTECTED]> wrote:
>
>> Thought maybe I could garner some opinions on the usability of
>> password enforcement techniques.
>>
>> Recently, I've noticed a trend towards more "secure" passwords for
>> many things, and that's a good idea. However, I've also noticed that
>> certain web sites take that to an extreme, disallowing the use of any
>> password that does not meet their criteria. Often, these criteria are
>> also extreme.
>>
>> For example, one web-based product (non-financial) refused to allow
>> me to enter a password that did not have ALL of:
>> - at least one capital letter
>> - at least one numeric
>> - at least one non-alpha character
>> - at least 8 characters
>>
>> Clearly, this would produce a reasonably secure password, but I'd
>> never remember it!!! I prefer Google's approach, where a graphic
>> indicator shows me the "strength" of my password, but lets me choose
>> anything I want.
>>
>> Would certainly love to hear the group's thoughts on this...
>>
>> --
>> kenny kutney
>> [EMAIL PROTECTED]
>>
>> ________________________________________________________________
>> Welcome to the Interaction Design Association (IxDA)!
>> To post to this list ....... [EMAIL PROTECTED]
>> Unsubscribe ................ http://www.ixda.org/unsubscribe
>> List Guidelines ............ http://www.ixda.org/guidelines
>> List Help .................. http://www.ixda.org/help
>>

--
----------------
Katie Albers
[EMAIL PROTECTED]
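
An added example, not part of the original thread: an advisory check of the kind a "tips" page or strength indicator could run. It tests the four composition rules quoted above and also undoes the consistent substitutions described in the message (0 for O, ! for L, 1 for I) before a word-list lookup. The word list, the extra substitutions marked in the comments, and reading "non-alpha" as "not a letter or digit" are assumptions.

```python
# Added example: composition rules plus a dictionary check that undoes substitutions.
# WORDLIST is a tiny constructed sample; a real meter would load a large word list.
WORDLIST = {"olympics", "password", "football", "sunshine"}

# Substitutions named in the message: 0 -> o, ! -> l, 1 -> i.
# The remaining entries are assumed common variants, added for illustration.
UNSUBSTITUTE = str.maketrans({
    "0": "o", "!": "l", "1": "i",
    "3": "e", "4": "a", "5": "s", "$": "s", "@": "a", "7": "t",
})


def composition_failures(password):
    """Return the rules from the quoted policy that the password fails."""
    failures = []
    if not any(c.isupper() for c in password):
        failures.append("at least one capital letter")
    if not any(c.isdigit() for c in password):
        failures.append("at least one numeric")
    # Assumption: "non-alpha" is read as "neither a letter nor a digit".
    if not any(not c.isalnum() for c in password):
        failures.append("at least one non-alpha character")
    if len(password) < 8:
        failures.append("at least 8 characters")
    return failures


def underlying_word(password):
    """Return the word-list entry the password reduces to, or None."""
    candidate = password.lower().translate(UNSUBSTITUTE)
    return candidate if candidate in WORDLIST else None


def assess(password):
    """Advisory result: report both findings and leave the choice to the user."""
    return {
        "failed_rules": composition_failures(password),
        "dictionary_word": underlying_word(password),
    }


if __name__ == "__main__":
    for sample in ("0!ymp1cS", "Olympics", "xK9#mQ2vLp"):
        print(sample, assess(sample))
```
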
