On Tue, 2006-01-17 at 20:31 +0100, Paweł Madej wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mark Rudholm wrote:
> > Benjamin Smee (strerror) wrote:
> >
> > I feel compelled to point out that 8-character passwords,
> > no matter their composition, aren't really that strong
> > anymore. Also, forcing users to use special characters
> > and change passwords frequently only guarantees that they
> > will write them down, often not in secure places.
> >
> > You might consider having users use longer passwords
> > (a passphrase). They're easier for a user to remember,
> > so they're less likely to write them down. They're also
> > far more resistant to brute force attacks and guessing.
> > Also consider that if you require two capital letters,
> > 2 numbers, and 2 special characters, you've just reduced
> > the number of possible 8-character passwords quite
> > significantly.
>
> In some cases yes, but you have to take into account that [a-zA-Z0-9] and
> special signs is a very big volume of possible combinations. In this
> case I think that it is much more secure than a 12-character [a-zA-Z] password,
> which could be called a passphrase.
>
> > It's usually very easy for a user to remember something
> > like 'My child flies kites.' but if you make them use
> > things like '^3!kX$1a' and force changes every couple
> > of months, they *will* write it on a post-it note and
> > stick it in their desk drawer or on their display.

As random as that example password I used was, it doesn't meet your criteria for a 'strong password' (it doesn't have two capital letters).

> In this case I have to say that it is 100% right because users are very
> lazy, they don't want to think. The social effect is the biggest hole in
> every security.
> So what do you propose, Mark? Setting only a minimum length of 12 or 15 signs
> and leaving users to choose which signs they want to use to make their
> passphrase?

Well, if I were designing a password policy, I'd probably set the minimum length to 11 characters of any sort, set either no password expiry or a very long one, and include password management in the basic security training I gave users. In that training, I'd explain passphrases and that users shouldn't write them down. I'd discuss how to avoid phishing and spyware, and what to do with emailed attachments. Any one of these could be an attacker's entry point.

-Mark
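The keyspace arithmetic behind the two competing claims above (Mark: a composition rule shrinks the set of 8-character passwords; Paweł: 8 characters drawn from the full printable set beat 12 letters), as an added example that is not part of the thread. It assumes the 95 printable ASCII characters split into 26 lowercase, 26 uppercase, 10 digits and 33 specials (punctuation plus space); the function names (`constrained_keyspace`, `meets_policy`, `compare_policies`) are illustrative. It counts exactly how many 8-character passwords satisfy "at least two capitals, two digits, two specials", expresses every policy mentioned in the thread in bits, and checks Mark's sample password against the rule.

```python
import math
import string

# Assumed alphabet: the 95 printable ASCII characters, split by class.
LOWER = string.ascii_lowercase          # 26
UPPER = string.ascii_uppercase          # 26
DIGIT = string.digits                   # 10
SPECIAL = string.punctuation + " "      # 32 punctuation marks + space = 33
ALPHABET_SIZE = len(LOWER) + len(UPPER) + len(DIGIT) + len(SPECIAL)  # 95


def bits(keyspace):
    """Entropy in bits of a password chosen uniformly from `keyspace` candidates."""
    return math.log2(keyspace)


def unconstrained_keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Passwords of `length` over `alphabet_size` symbols with no composition rule."""
    return alphabet_size ** length


def constrained_keyspace(length, min_upper=2, min_digit=2, min_special=2):
    """Exact number of `length`-character printable-ASCII passwords with at
    least min_upper uppercase letters, min_digit digits and min_special
    specials; lowercase letters fill whatever is left.  For every admissible
    split (u, d, s, l) of the positions into classes, multiply the number of
    ways to arrange the classes (a multinomial coefficient) by the number of
    symbol choices inside each class, and sum."""
    total = 0
    for u in range(min_upper, length + 1):
        for d in range(min_digit, length - u + 1):
            for s in range(min_special, length - u - d + 1):
                l = length - u - d - s
                arrangements = (math.factorial(length)
                                // (math.factorial(u) * math.factorial(d)
                                    * math.factorial(s) * math.factorial(l)))
                total += (arrangements * len(UPPER) ** u * len(DIGIT) ** d
                          * len(SPECIAL) ** s * len(LOWER) ** l)
    return total


def meets_policy(password, min_len=8, min_upper=2, min_digit=2, min_special=2):
    """Check a password against the composition rule debated in the thread.
    Returns (ok, list of human-readable failure reasons)."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"length {len(password)} < {min_len}")
    counts = {
        "uppercase": sum(c in UPPER for c in password),
        "digit": sum(c in DIGIT for c in password),
        "special": sum(c in SPECIAL for c in password),
    }
    for name, need in (("uppercase", min_upper), ("digit", min_digit),
                       ("special", min_special)):
        if counts[name] < need:
            reasons.append(f"{name} count {counts[name]} < {need}")
    return not reasons, reasons


def compare_policies():
    """Keyspace in bits for each policy that comes up in the thread."""
    return {
        "8 any":                            bits(unconstrained_keyspace(8)),
        "8 any, >=2 upper/digit/special":   bits(constrained_keyspace(8)),
        "12 [a-zA-Z]":                      bits(unconstrained_keyspace(12, 52)),
        "11 any (Mark's proposal)":         bits(unconstrained_keyspace(11)),
        "12 any (Pawel's question)":        bits(unconstrained_keyspace(12)),
        "15 any (Pawel's question)":        bits(unconstrained_keyspace(15)),
    }


if __name__ == "__main__":
    for policy, b in compare_policies().items():
        print(f"{policy:34s} {b:6.1f} bits")
    # The two sample passwords quoted in the thread.
    for pw in ("^3!kX$1a", "My child flies kites."):
        ok, why = meets_policy(pw)
        print(f"{pw!r}: {'ok' if ok else 'FAIL: ' + '; '.join(why)}")
```

The bit counts assume the attacker must search the whole keyspace uniformly, which is the best case for the defender; real users pick from a far smaller, predictable subset, which is the point the thread makes about post-it notes and guessing. The composition rule removes every password that has fewer than two of any required class, so the "8 any, >=2 upper/digit/special" row is several bits below plain "8 any", while every 11-character-or-longer row is well above both.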
