On 04/11/2008 09:22 AM, Scott Meyers wrote:
> Harold Fuchs wrote:
>> 1. How on earth do you keep track of all those humongous pass
>> phrases?
>
> I use a program called Roboform (http://www.roboform.com/). I choose
> the phrases for each site (or have it choose one for me), it does the
> remembering.

Right...

http://secunia.com/search/?search=roboform

Apparently several viruses like that fact.

>> 2. Why do you consider it necessary to use >32 [non-alphanumeric]
>> characters to protect something as trivial as access to a public
>> web forum? Bank accounts, yes; public web forums, ?????
>
> Mostly it's a matter of trying to follow good habits. If a site
> feels that a password is important enough to require, I feel that
> it's my job to choose one that's not too easy to guess. So I have a
> simple rule: always include at least one space. That way I know
> that no dictionary-based attack can succeed. I can't always follow
> the rule, because some sites I really have to use impose restrictions
> such as the ones we've been discussing, but I do my best to follow
> the rule and to avoid sites (or standalone software) that refuse to
> let me.

Up to 32 characters in length; valid characters are a-z, A-Z, 0-9 and
non-alphanumeric characters ([EMAIL PROTECTED]()-_=+[]{};:'"`,.|/?~).
Spaces are not permitted.

is not enough in your opinion?

This might be of interest to you:
<http://lukenotricks.blogspot.com/2008/03/counting-restricted-password-spaces.html>

> My basic point is that users should be able to choose whatever
> passwords they like. I have some sympathy for sites that want to
> insist on a minimum level of security (e.g., no passwords of only one
> character or something like that), but no sympathy at all for sites
> that impose restrictions. If I want my password to be "OOo is a
> wonderful thing", there's no good reason why I shouldn't be able to.

So file a bug. Use the full "32 characters in length; valid characters
are a-z, A-Z, 0-9 and non-alphanumeric characters
([EMAIL PROTECTED]()-_=+[]{};:'"`,.|/?~)" if you wish. Use a throw-away
email account.

Here's a thought... use Calc to figure out the permutations of a
dictionary attack for the above set requirements.
:-)
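The "use Calc to figure out the permutations" suggestion above, worked through in Python as an added example (not part of this thread and not anything either poster wrote). It counts the search space of the quoted forum policy (up to 32 characters over a fixed alphabet, no spaces) and sets it beside a word-based passphrase space, and it also checks a candidate password against that policy. Assumptions: the policy's punctuation list in the mail begins with a redacted run ("[EMAIL PROTECTED]"), so only the 21 visible punctuation characters are included here, which slightly undercounts the real alphabet; the 7776-word dictionary size for the passphrase comparison is a constructed figure, not something the thread states.

```python
import math
import string

# Constructed alphabet: a-z, A-Z, 0-9 plus the punctuation that is visible
# in the quoted policy. The redacted run at the start of the page's list is
# unknown and deliberately left out (assumption: this undercounts slightly).
VISIBLE_PUNCT = "()-_=+[]{};:'\"`,.|/?~"
POLICY_CHARSET = string.ascii_letters + string.digits + VISIBLE_PUNCT
POLICY_MAX_LEN = 32

# Constructed figure for the passphrase comparison (assumption, not from the thread).
EXAMPLE_DICTIONARY_SIZE = 7776


def password_space(charset_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of distinct strings of length min_len..max_len over an alphabet.

    This is the full brute-force space: sum of charset_size**n for each
    permitted length n. An attacker restricted to dictionary words searches
    far less than this, which is the point of the blog post cited above.
    """
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def passphrase_space(dictionary_size: int, words: int) -> int:
    """Space of passphrases made of `words` words drawn (with replacement)
    from a dictionary of dictionary_size entries, e.g. "OOo is a wonderful thing".
    """
    return dictionary_size ** words


def entropy_bits(count: int) -> float:
    """Search-space size expressed as bits (log2 of the count)."""
    return math.log2(count)


def policy_allows(password: str, charset: str = POLICY_CHARSET,
                  max_len: int = POLICY_MAX_LEN) -> bool:
    """Apply the quoted forum rule: 1..max_len characters, every character
    drawn from `charset`. Spaces are not in the alphabet, so a passphrase
    with spaces is rejected exactly as the poster complains.
    """
    if not 0 < len(password) <= max_len:
        return False
    return all(c in charset for c in password)


def summary() -> dict:
    """Side-by-side numbers a reader might otherwise work out in a spreadsheet."""
    full = password_space(len(POLICY_CHARSET), POLICY_MAX_LEN)
    eight = password_space(len(POLICY_CHARSET), 8, min_len=8)
    phrase4 = passphrase_space(EXAMPLE_DICTIONARY_SIZE, 4)
    return {
        "alphabet_size": len(POLICY_CHARSET),
        "policy_space_bits": entropy_bits(full),
        "random_8_char_bits": entropy_bits(eight),
        "four_word_phrase_bits": entropy_bits(phrase4),
        "phrase_with_spaces_allowed": policy_allows("OOo is a wonderful thing"),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The comparison worth noticing is between `random_8_char_bits` and `four_word_phrase_bits`: a four-word phrase from a modest word list is in the same range as a fully random eight-character password under this alphabet, and is far easier to remember, which is the trade-off the "at least one space" rule is reaching for. The policy check is the kind of thing a site owner would write to enforce the rule, and running it on the poster's example shows why the complaint arises.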
