Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: SPAM: Re: [suse-security] password memory
From: Geoffrey (esoteric3times25.net)
Date: Tue Aug 01 2006 - 10:34:04 CDT
> John Andersen wrote:
>> On Monday 31 July 2006 16:42, suserio.vg wrote:
>>> forcing people to keep changing
>>> passwords has one single effect: People will write them down.
>> I was hoping someone would point that out.
>> One longer (unchanging) password (more than ten characters) is harder to guess
>> than a monthly changing short one, which EVERY user changes via an easily
>> discernable pattern.
> Even one step better is the idea of "passphrases" rather than passwords.
> It's much easier for someone to remember a simple phrase than
> "k4M3.HhZ". If you have, for instance, someone enamored of a certain
> Chicago sports team, their passphrase could be "Da'Bears are
> Da'Bestest!" If someone has a poor memory for things, have them pick
> something that rhymes or a mnemonic.
I take this one step further. take a longer phrase and use the first
character of each word. Throw in some type of punctuation. Do the
typical substitutions and you can generate a relatively obscure password:
There are 11 players on a football team and 9 on a baseball team.
> To be honest, though, I haven't seen a real dictionary attack in many
> years. Mostly, it's people knocking on port 22 looking for a
> passwordless account. (Or ones with the password "password" or "guest")
I'd say that's just a very small dictionary they're working from. :)
Until later, Geoffrey
Any society that would give up a little liberty to gain a little
security will deserve neither and lose both. - Benjamin Franklin
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here