Re: SPAM: Re: SPAM: Re: [suse-security] password memory
From: Geoffrey (esoteric 3times25.net)
Date: Tue Aug 01 2006 - 16:04:50 CDT
suse rio.vg wrote:
> Geoffrey wrote:
>> I take this one step further. take a longer phrase and use the first
>> character of each word. Throw in some type of punctuation. Do the
>> typical substitutions and you can generate a relatively obscure password:
>>
>> There are 11 players on a football team and 9 on a baseball team.
>>
>> Ta11poafta9oabt.
>>
>
> It's clever and nifty but users hate it. You see, it means that every
> time they type in their password, they have to think about it, and will
> frequently make typing errors, increasing frustration as they run
> through it constantly wondering if they maybe missed a letter or
> mistyped, since they can't see what they're typing. For a tech, it's a
> good system, for the average user, they hate it.
Then they should get over it. Come on, it's not all that difficult.
If you're going to have a long password, it's best to have a way to
remember. My 15 year old daughter uses this approach and if she can do
it, I'd suggest any adult should. Let's face it, there's not an easy
way of forcing good passwords. Create a policy that works, even if it's
a bit painful. That's certainly better than the sticky note approach,
or the password is their dog's name solution.
> This comes back to the initial problem: Security is a human issue. The
> more difficult/time consuming/annoying for the user, the better the
> chance that it will simply be circumvented.
Agreed, but I don't see the above solution near as difficult as forced
password changes or other solutions proposed. This, I see at least
workable. That is, they'll complain, but they'll get used to it.
>>> To be honest, though, I haven't seen a real dictionary attack in many
>>> years. Mostly, it's people knocking on port 22 looking for a
>>> passwordless account. (Or ones with the password "password" or "guest")
>> I'd say that's just a very small dictionary they're working from. :)
>>
>
> Vocabulary isn't their strong point. :)
--
Until later, Geoffrey
Any society that would give up a little liberty to gain a little
security will deserve neither and lose both. - Benjamin Franklin