On 04/11/2008 09:22 AM, Scott Meyers wrote:
> Harold Fuchs wrote:
>> 1. How on earth do you keep track of all those humongous pass
>> phrases?
> 
> I use a program called Roboform (http://www.roboform.com/).  I choose
> the phrases for each site (or have it choose one for me), it does the
> remembering.

Right...

http://secunia.com/search/?search=roboform

Apparently several viruses like that fact.

> 
>> 2. Why do you consider it necessary to use >32 [non-alphanumeric]
>> characters to protect something as trivial as access to a public
>> web forum? Bank accounts, yes; public web forums, ?????
> 
> Mostly it's a matter of trying to follow good habits.  If a site
> feels that a password is important enough to require, I feel that
> it's my job to choose one that's not too easy to guess.  So I have a
> simple rule:  always include at least one space.  That way I know
> that no dictionary-based attack can succeed.  I can't always follow
> the rule, because some sites I really have to use impose restrictions
> such as the ones we've been discussing, but I do my best to follow 
> the rule and to avoid sites (or standalone software) that refuse to
> let me.

Up to 32 characters in length; valid characters are a-z, A-Z, 0-9 and
non-alphanumeric characters ([EMAIL PROTECTED]()-_=+[]{};:'"`,.|/?~). Spaces are
not permitted.

is not enough in your opinion?

This might be of interest to you:

<http://lukenotricks.blogspot.com/2008/03/counting-restricted-password-spaces.html>

> 
> My basic point is that users should be able to choose whatever
> passwords they like. I have some sympathy for sites that want to
> insist on a minimum level of security (e.g., no passwords of only one
> character or something like that), but no sympathy at all for sites
> that impose restrictions.  If I want my password to be "OOo is a
> wonderful thing", there's no good reason why I shouldn't be able to.

So file a bug.

Use the full "32 characters in length; valid characters are a-z, A-Z,
0-9 and non-alphanumeric characters ([EMAIL PROTECTED]()-_=+[]{};:'"`,.|/?~)" if
you wish. Use a throwaway email account.

Here's a thought... use Calc to figure out the permutations of a
dictionary attack for the above set requirements. :-)
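The calculation suggested above, as an added example that is not part of the thread: it sizes the forum's restricted password space (up to 32 characters over letters, digits and the symbols visible in the archived message) and, for comparison, a multi-word passphrase drawn from a dictionary. The 21 symbols, the 100,000-word dictionary and the guess rate are assumptions; some symbols in the original list were obscured by the archive, so the real alphabet is at least as large.

```python
import math
import string

# Symbols that survive in the archived rule; the archive obscured some, so
# this is a lower bound on the site's real alphabet (assumption).
SYMBOLS = "()-_=+[]{};:'\"`,.|/?~"
ALPHABET_SIZE = len(string.ascii_letters + string.digits + SYMBOLS)  # 62 + 21


def password_space(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Count distinct passwords of every length from min_len to max_len."""
    return sum(alphabet_size ** k for k in range(min_len, max_len + 1))


def passphrase_space(dictionary_size: int, words: int) -> int:
    """Count passphrases of `words` words chosen from a dictionary."""
    return dictionary_size ** words


def entropy_bits(space: int) -> float:
    """Bits an attacker must search to exhaust a keyspace of `space` guesses."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


def compare(rate: float = 1e12) -> dict:
    """Restricted 32-char policy vs. the 5-word phrase quoted in the thread."""
    restricted = password_space(ALPHABET_SIZE, 32)
    # "OOo is a wonderful thing" is five words; 100,000-word dictionary assumed.
    phrase = passphrase_space(100_000, 5)
    return {
        "restricted_bits": entropy_bits(restricted),
        "restricted_years": years_to_exhaust(restricted, rate),
        "phrase_bits": entropy_bits(phrase),
        "phrase_years": years_to_exhaust(phrase, rate),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:17s} {value:.3g}")
```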
