Re: SPAM: Re: [suse-security] password memory

From: Geoffrey (esoteric3times25.net)
Date: Tue Aug 01 2006 - 10:34:04 CDT
suserio.vg wrote:
> John Andersen wrote:
>> On Monday 31 July 2006 16:42, suserio.vg wrote:
>>
>>> forcing people to keep changing
>>> passwords has one single effect: People will write them down.
>> I was hoping someone would point that out.
>>
>> One longer (unchanging) password (more than ten characters) is harder to guess
>> than a monthly changing short one, which EVERY user changes via an easily
>> discernable pattern.
>>
>
> Even one step better is the idea of "passphrases" rather than passwords.
> It's much easier for someone to remember a simple phrase than
> "k4M3.HhZ". If you have, for instance, someone enamored of a certain
> Chicago sports team, their passphrase could be "Da'Bears are
> Da'Bestest!" If someone has a poor memory for things, have them pick
> something that rhymes or a mnemonic.

I take this one step further. Take a longer phrase and use the first
character of each word. Throw in some type of punctuation. Do the
typical substitutions and you can generate a relatively obscure password:

There are 11 players on a football team and 9 on a baseball team.

Ta11poafta9oabt.

> To be honest, though, I haven't seen a real dictionary attack in many
> years. Mostly, it's people knocking on port 22 looking for a
> passwordless account. (Or ones with the password "password" or "guest")

I'd say that's just a very small dictionary they're working from. :)

--
Until later, Geoffrey

Any society that would give up a little liberty to gain a little
security will deserve neither and lose both. - Benjamin Franklin
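The first-letter mnemonic scheme described in the post above, as an added Python example (this is not code from the post or from the SUSE list). It keeps the first character of each word, keeps numbers whole, carries the phrase's punctuation over, optionally applies the "typical substitutions", and then checks the result against a minimal policy. The sample phrase is the one from the post; the substitution table, the policy thresholds and the tiny list of commonly guessed passwords are constructed for this example.

```python
import re
import string

# Constructed sample: the phrase used in the post.
SAMPLE_PHRASE = "There are 11 players on a football team and 9 on a baseball team."

# Constructed, deliberately small list of values that automated SSH guessing
# tries first (the post mentions "password" and "guest"); used only to
# reject weak results, not as a guessing list.
TINY_DICTIONARY = {"", "password", "guest", "123456", "admin"}

# Assumed "typical substitutions"; the post does not spell out a table.
SUBSTITUTIONS = {"a": "@", "o": "0", "s": "$", "i": "1"}


def mnemonic_password(phrase: str, substitute: bool = False) -> str:
    """Derive a password from a phrase: first letter of each word, numbers
    kept whole, trailing punctuation of each word kept as-is."""
    out = []
    for word in phrase.split():
        core = word.rstrip(string.punctuation)   # "team." -> "team"
        trailing = word[len(core):]              # "team." -> "."
        if core.isdigit():
            out.append(core)                     # keep "11" and "9" intact
        elif core:
            ch = core[0]
            if substitute:
                ch = SUBSTITUTIONS.get(ch, ch)   # only lowercase keys exist
            out.append(ch)
        out.append(trailing)
    return "".join(out)


def passes_policy(password: str, min_length: int = 11) -> bool:
    """Minimal acceptance check in the spirit of the thread: longer than ten
    characters, not a trivially guessed value, and drawn from at least three
    character classes. Thresholds are assumptions for this example."""
    if password in TINY_DICTIONARY or len(password) < min_length:
        return False
    classes = sum([
        bool(re.search(r"[A-Z]", password)),
        bool(re.search(r"[a-z]", password)),
        bool(re.search(r"[0-9]", password)),
        bool(re.search(r"[^A-Za-z0-9]", password)),
    ])
    return classes >= 3


if __name__ == "__main__":
    plain = mnemonic_password(SAMPLE_PHRASE)
    subst = mnemonic_password(SAMPLE_PHRASE, substitute=True)
    print(plain, passes_policy(plain))
    print(subst, passes_policy(subst))
```

The policy check is only a floor: it cannot tell whether the source phrase is a famous quote or a team slogan that a guesser would also try, so the phrase should be personal and not something printed on a T-shirt.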

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here