-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Rudholm wrote:
> Benjamin Smee (strerror) wrote:
>
> I feel compelled to point out that 8-character passwords,
> no matter their composition, aren't really that strong
> anymore. Also, forcing users to use special characters
> and change passwords frequently only guarantees that they
> will write them down, often not in secure places.
>
> You might consider having users use longer passwords
> (a passphrase). They're easier for a user to remember,
> so they're less likely to write them down. They're also
> far more resistant to brute force attacks and guessing.
> Also consider that if you require two capital letters,
> 2 numbers, and 2 special characters, you've just reduced
> the number of possible 8-character passwords quite
> significantly.

In some cases yes, but you have to take into account that [a-zA-Z0-9] and special signs make a very big volume of possible combinations. In this case I think that it is much more secure than a 12 [a-zA-Z] password, which could be named a passphrase.

> It's usually very easy for a user to remember something
> like 'My child flies kites.' but if you make them use
> things like '^3!kX$1a' and force changes every couple
> of months, they *will* write it on a post-it note and
> stick it in their desk drawer or on their display.

In this case I have to say that it is 100% right, because users are very lazy; they don't want to think. The social effect is the biggest hole in every security. So what do you propose, Mark? Setting only a minimum length of 12-15 signs and leaving users to choose which signs they want to use to make their passphrase?

> -Mark

- --
Paweł Madej aka Nysander
Member of QuanTeam | RLU #357047
http://wiki.quanteam.info | Gentoo Linux User
http://forum-farmaceutyczne.org | GPG key: 5861680B | keyserver: http://pgp.mit.edu
Kielce, Poland | UTF-8 Email Preferred

Looking to buy: 6x 73 GB UW3/Ultra160 SCSI 80 pin (SCA) ..::||::.. pair of PentiumIII Slot1 1GHz/ FSB 100 processors ..::||::.. 2x 256 MB SDRAM ECC Registered
Got any of this? Mail me, with price and shipping costs.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDzUYngvSMglhhaAsRAnyPAKCEXQnSKxXmJ8yEYUeRakL96YbgjQCgkXkT
9G/LmnG19hEiCyEsep6HzIw=
=nLDz
-----END PGP SIGNATURE-----
--
[email protected] mailing list
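The thread argues about two things that can be checked by counting: whether an 8-character password drawn from letters, digits and specials really has a larger search space than a 12-character letters-only passphrase, and how much a "2 uppercase, 2 digits, 2 specials" rule shrinks the 8-character space. The Python below is an added example, not code from the thread or from either poster. It assumes the 95 printable ASCII symbols split into 26 lowercase, 26 uppercase, 10 digits and 33 specials; the composition-rule count sums, over every way to split the positions among the four classes, the number of placements times the choices within each class (the multinomial expansion of 95^n, restricted to splits that satisfy the rule).

```python
import math

# Assumed character-class sizes for the 95 printable ASCII symbols on a US keyboard.
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 33
FULL = LOWER + UPPER + DIGITS + SPECIAL  # 95


def unconstrained(alphabet_size: int, length: int) -> int:
    """Number of strings of `length` symbols over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def with_composition_rule(length: int, min_upper: int, min_digit: int, min_special: int) -> int:
    """Number of strings over the full 95-symbol alphabet containing at least
    `min_upper` uppercase letters, `min_digit` digits and `min_special` specials.

    Each term picks which positions hold uppercase (u), digits (d) and specials (s),
    leaves the rest (l) lowercase, and multiplies by the choices inside each class.
    With all minimums at 0 the sum collapses to FULL ** length (multinomial theorem).
    """
    total = 0
    for u in range(min_upper, length + 1):
        for d in range(min_digit, length - u + 1):
            for s in range(min_special, length - u - d + 1):
                l = length - u - d - s
                placements = (math.comb(length, u)
                              * math.comb(length - u, d)
                              * math.comb(length - u - d, s))
                total += placements * UPPER ** u * DIGITS ** d * SPECIAL ** s * LOWER ** l
    return total


def bits(count: int) -> float:
    """Search-space size expressed as bits of entropy (assuming uniform choice)."""
    return math.log2(count)


def compare(length_full: int = 8, length_letters: int = 12, rule=(2, 2, 2)) -> dict:
    """Search-space sizes for the three policies discussed in the thread."""
    return {
        f"{length_full} chars, any of {FULL} symbols":
            unconstrained(FULL, length_full),
        f"{length_full} chars, >= {rule[0]} upper / {rule[1]} digit / {rule[2]} special":
            with_composition_rule(length_full, *rule),
        f"{length_letters} chars, letters only [a-zA-Z]":
            unconstrained(LOWER + UPPER, length_letters),
    }


if __name__ == "__main__":
    for label, count in compare().items():
        print(f"{label:55s} {count:>25,d}  ({bits(count):5.1f} bits)")
    # Paweł's suggested 12-15 sign minimum, letters only:
    for n in (12, 15):
        print(f"{n} chars, letters only: {bits(unconstrained(LOWER + UPPER, n)):5.1f} bits")
```

Running it shows that 52^12 is several orders of magnitude larger than 95^8 (about 68 bits against about 53), and that the 2/2/2 composition rule removes most of the 8-character space rather than adding to it, which is the arithmetic behind Mark's point. Note that these are uniform-choice figures; a human-chosen passphrase built from dictionary words has far less entropy than its length suggests, so the length comparison is an upper bound on both sides.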
