On 2011/04/26 16:35, Bruce Johnson so eloquently wrote:
On Apr 26, 2011, at 1:34 PM, Tina K. wrote:


It doesn't have to be complex. Using a random generator such as
RPG and an *encrypted* password repository such as Pastor,
PasswordWallet, Keychain Access, 1Password, etc… provides good
security without having to resort to memorizing or writing them
down.
Sigh. Never EVER EVER rely on a single encrypted source to remember
important stuff like passwords. A plain text (as in written on a
piece of paper!) backup, locked securely away is important. What if
something happens to the encrypted file? You're SOL. (and that goes
10X higher if you're a company and it was the root password for the
'Accounts Receivable' DB.)

Even a plain text printout of your passwords locked 'securely' away is not completely infallible. I use PasswordWallet and 1Password, both have all the same passwords and they are each backed up three times over, once offsite.

"Hey look!8-)  it's sn0w1ng Macintoshes outside!" is AS SECURE as
anything RPG will generate, because while it's true that a truly
random password string is more secure against cracking, the
passphrase chosen is secure enough. And more importantly, I NEVER
need to write it down....

The bestest, mostest random password RPG will ever give you is
USELESS if the method of breaking in doesn't involve cracking the
password, but a social engineering attack, a MITM attack, a
keylogger, etc.

Yep, you can't eliminate human mistakes completely. But we do the best we can, trying not to fall for phishing attacks, locking the screen when walking away from the machine, being smart about what & where you download something, etc… Strong random character passwords are only one ingredient in the security pie.

Far too many people fetishize long, random passwords as teh shizzle
of computer security, when they're not (and there's not a whole lot
of evidence that they've been all that good at preventing compromise
in the first place, mainly because of the human element).

Correct me if I'm wrong, but it is my impression that the longer the password the longer it takes to crack.

This is why banks (among other reasons like people using 'password'
for their passwords) have moved to multi-factor authentication. You
need to enter your username/password AND the little picture needs to
be correct; or they use RSA dongles. (themselves hacked at a higher
level. RSA *claims* that SecurID is ok, but I'll wager there was a
mass need for pants dry-cleaning
there... <http://www.schneier.com/blog/archives/2011/03/rsa_security_in.html>)

I would say that some forms of multi-factor authentication can actually hinder security. My CU switched to using login name, password, and personal information challenge. This has forced me to use the same phrase for all the questions because my favorite movie changes over time, I don't remember my first teacher's name, my mother's maiden name is public record, and so on.

IMO this is much more of a hindrance than strong random passwords.

Tina

--

iMac 20" USB 2 1.25GHz G4 2GB RAM GeForceFX5200 Ultra 64MB VRAM 10.4.11

PB G4 15" HR-DLSD 1.67GHz G4 2GB RAM Radeon 9700 128MB VRAM 10.4.11

Mac Pro Mid-2010 2.8 GHz QC 6 GB RAM Radeon HD 5770 1GB VRAM 10.6.7

--
You received this message because you are a member of G-Group, a group for 
those using G3, G4, and G5 desktop Macs - with a particular focus on Power Macs.
The list FAQ is at http://lowendmac.com/lists/g-list.shtml and our netiquette 
guide is at http://www.lowendmac.com/lists/netiquette.shtml
To post to this group, send email to g3-5-list@googlegroups.com
For more options, visit this group at http://groups.google.com/group/g3-5-list
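The thread above argues about whether a long human-chosen passphrase is "as secure" as an RPG-style random string, and whether length alone is what makes a password slow to crack. The script below is an added example, not code posted by Tina, Bruce or anyone on the list: it puts numbers on both sides of that argument by estimating guessing entropy in bits and the resulting offline brute-force time. Everything it assumes is marked: a 94-character printable ASCII alphabet for a random generator, a 7776-word Diceware-style list for a randomly chosen passphrase, and an attacker rate of 10^9 guesses per second. The "naive" character-class estimate is the one most strength meters give, and it grossly overstates the strength of a grammatical English sentence, which is why a word-count estimate is shown beside it. None of this models phishing, keyloggers or MITM, which, as the thread notes, bypass the password's strength entirely.

```python
"""Estimate offline guessing strength for random strings vs. passphrases.

Added illustration for the password thread; all parameters below are
assumptions, not figures taken from the mailing-list discussion.
"""
import math
import string

# Assumption: an RPG-style generator draws uniformly from all 94 printable
# non-space ASCII characters.
RANDOM_ALPHABET = 94
# Assumption: a Diceware-style word list (6^5 words), each word chosen by dice.
DICEWARE_WORDS = 7776
# Assumption: a well-equipped offline attacker against a fast hash (e.g. unsalted
# MD5/NTLM on GPUs). Against a slow KDF this would be orders of magnitude lower.
GUESSES_PER_SECOND = 1e9

# Character classes used by the naive estimate. The symbol class is the 32
# printable ASCII punctuation characters plus space, giving 95 in total.
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)


def random_password_entropy_bits(length, alphabet_size=RANDOM_ALPHABET):
    """Bits of entropy in a string of `length` symbols drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def charset_size(password):
    """Size of the alphabet implied by the character classes present in `password`."""
    return sum(size for chars, size in _CLASSES if any(c in chars for c in password))


def naive_entropy_bits(password):
    """What a typical strength meter reports: length * log2(charset).

    This is only valid if every character was chosen uniformly at random.
    For human-chosen text it overstates strength, often by a large margin.
    """
    return len(password) * math.log2(charset_size(password))


def word_model_entropy_bits(phrase, dictionary_size=DICEWARE_WORDS):
    """Entropy if each whitespace-separated word were picked uniformly from a
    dictionary of `dictionary_size` words.

    For a phrase that is actually a grammatical sentence this is still an
    upper bound, because word choice is far from uniform; it is simply a far
    more honest estimate than the character-class model above.
    """
    return len(phrase.split()) * math.log2(dictionary_size)


def expected_crack_seconds(entropy_bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected brute-force time: on average half the keyspace must be searched."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def human_duration(seconds):
    """Render a duration coarsely, so large numbers stay readable."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


def compare(random_length, phrase):
    """Return (bits_random, bits_phrase_naive, bits_phrase_words) for a report."""
    return (
        random_password_entropy_bits(random_length),
        naive_entropy_bits(phrase),
        word_model_entropy_bits(phrase),
    )


if __name__ == "__main__":
    # Constructed inputs: a 12-character random string's length, and the
    # passphrase quoted in the thread.
    phrase = "Hey look!8-)  it's sn0w1ng Macintoshes outside!"
    bits_random, bits_naive, bits_words = compare(12, phrase)
    for label, bits in (
        ("12-char random (94-symbol alphabet)", bits_random),
        ("passphrase, naive character-class model", bits_naive),
        ("passphrase, 6 words from 7776-word list", bits_words),
    ):
        print(f"{label:45s} {bits:6.1f} bits  ~{human_duration(expected_crack_seconds(bits))}")
```

The point the numbers make is the one both sides of the thread half-state: a six-word phrase chosen at random from a word list lands in the same range as a 12-character random string, so length does buy time against offline guessing, but only the randomness of the choice counts. The naive meter's figure for the quoted sentence is not a strength the phrase actually has, because the attacker is not guessing characters, and it says nothing at all about a keylogger or a phishing page, where entropy is irrelevant.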