On 8 Jan 2007 14:54:28 -0800, in bit.listserv.ibm-main
(Message-ID:<[EMAIL PROTECTED]>)
[EMAIL PROTECTED] (Don Leahy) wrote:
> I've never understood why security administrators are so
> fond of dreaming up password rules that only serve to
> reduce the domain of acceptable passwords, thereby making
> them *easier* to crack rather than harder.
For 8-character, monocase passwords, you have a
point. The general case is more complicated.
The correct usage of password rules should be to
exclude dictionary attacks while maintaining as large a
password space as possible. Requiring at least one digit
reduces the password space, but (unless the location is
specified) probably makes it harder to guess the
password. With a large enough password space, this is a
net gain in security.
I type quickly. For people like me, a long
passphrase is easier to memorize than a short password, and
is *much* harder to crack. For weak typists, this solution
may not be optimal. (I remembered one password about two
years after my last use of it. What triggered the recall
was remembering someone seeing me type it (obscured by
asterisks) and remarking that it was the longest
password he had ever seen.)
Note that, IMO, optimal password makeup is on a
per-person basis. Some people memorize well; some type
well; some will have problems no matter what. A
one-size-fits-all set of rules will more often result in
written-down passwords than will allowing for several valid
schemes.
BTW, respected security experts have started saying
that you *should* write down your passwords. With the
number of different passwords the average worker needs, the
workers will either:
1. choose the same password for multiple applications (a
definite no-no); or
2. choose weak, but memorable passwords (another no-no);
or
3. forget their passwords; or
4. write down their passwords.
The consensus seems to be that choice 4 is best, as
long as the written passwords are kept in a safe
location. (Mine are on an encrypted disk; I need remember
only one password to get to all of the others. Yes, that
disk, like all of my others, is backed up with a copy kept
offsite. Don't you do the same with your home PCs? If
not, why not?)
--
I cannot receive mail at the address this was sent from.
To reply directly, send to ar23hur "at" intergate "dot" com
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
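The password-space argument in the reply above (a digit requirement shrinks the space relative to "any alphanumeric" but excludes letter-only dictionary words; pinning the digit to a known position collapses the space; a long passphrase dwarfs any 8-character rule) is easy to put in numbers. The following is an added example, not code from the thread or from IBM-MAIN; the alphabet sizes (26 lowercase letters, 10 digits) and the 7776-word list for a dice-style passphrase are assumptions chosen to match the post's wording.

```python
"""Added example: count the passwords each policy admits and convert the
count to bits of entropy, so policies can be compared on one scale.

Assumptions (not from the thread): 26 lowercase letters, 10 digits,
a 7776-word list for a dice-style passphrase.
"""
import math
from itertools import combinations, product

LOWER, DIGITS = 26, 10   # assumed character-class sizes
WORDLIST = 7776          # assumed passphrase word-list size


def password_space(required, optional, length):
    """Number of strings of `length` over the union of all classes that
    contain at least one character from EVERY class in `required`.

    Inclusion-exclusion: sum over subsets S of the required classes of
    (-1)^|S| * (alphabet size with S removed)^length.
    """
    total = 0
    for k in range(len(required) + 1):
        for dropped in combinations(range(len(required)), k):
            alphabet = optional + sum(
                size for i, size in enumerate(required) if i not in dropped
            )
            total += (-1) ** k * alphabet ** length
    return total


def brute_force_space(required, optional, length):
    """Exhaustive cross-check of password_space(); only for tiny alphabets."""
    symbols = [(i, j) for i, size in enumerate(required) for j in range(size)]
    symbols += [(-1, j) for j in range(optional)]  # optional class tagged -1
    return sum(
        1
        for s in product(symbols, repeat=length)
        if all(any(sym[0] == i for sym in s) for i in range(len(required)))
    )


def fixed_slot_space(slot_class, other_class, length):
    """A required class whose position is known (e.g. 'digit last'):
    the rule leaks structure, so only slot_class * other^(length-1) remain."""
    return slot_class * other_class ** (length - 1)


def bits(count):
    """Entropy in bits of a uniformly chosen password from `count` choices."""
    return math.log2(count)


def compare_policies(length=8, words=5):
    """Password-space sizes for the policies discussed in the thread."""
    return {
        "monocase letters": password_space([], LOWER, length),
        "alnum, any": password_space([], LOWER + DIGITS, length),
        "alnum, >=1 digit": password_space([DIGITS], LOWER, length),
        "alnum, >=1 digit and >=1 letter": password_space([DIGITS, LOWER], 0, length),
        "digit in known slot": fixed_slot_space(DIGITS, LOWER, length),
        f"{words}-word passphrase": WORDLIST ** words,
    }


if __name__ == "__main__":
    spaces = compare_policies()
    for name, count in spaces.items():
        print(f"{name:34s} {count:>22,d}  {bits(count):6.1f} bits")
    # Fraction of the alphanumeric space that the digit rule gives up:
    lost = 1 - spaces["alnum, >=1 digit"] / spaces["alnum, any"]
    print(f"\nrequiring a digit discards {lost:.1%} of the alphanumeric space,")
    print("but every letter-only dictionary word is in the discarded part.")
```

Run as a script it prints one line per policy. The interesting comparison is the middle three rows: "at least one digit" loses about 7% of the alphanumeric space yet is still roughly twelve times the monocase-letters space, while "digit in a known slot" is smaller than plain monocase letters, which is exactly the "unless the location is specified" caveat in the reply.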