Passwords - 64 Characters, Changed Daily?

isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"

"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.

What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and or mouse and or monitor - etc.)"

Normal users

[Skiron]

In my opinion as a Sysadmin, it doesn't matter what device[s] you bring in to try to 'secure' users and passwords.

They still write them down, still 'share' (if somebody hasn't got access to a file share the other has, but he/she wants them to look at something - (they don't even *think* about the option to copy it to a public share to do it!) - then they give out passwords.

Plus normal users forget them after a few days of work anyway - I reset usually around 5 passwords Monday mornings after people had two days off work - plus average 10 a week afterwards on a user base of 150.

makemeapassword.com

[mgkimsal2]

Not a perfect system, but is something which can help people come up with something more secure than 'password' while incorporating numbers and punctuation marks.

makemeapassword.com

Something you know, you have, and you are

[jncook]

To quote Bruce Perens, if security really matters, you should base it on three things:

* Something you know (password or PIN)
* Something you have (badge or bank card)
* Something you are (thumbprint, hand scan, voice check)

This is how CounterPane security locks up its own colo facility. (Of course, they also tape everybody coming in, and there's a live guard who knows your face.)

Each of these components can be relatively weak, but in combination they are quite strong. For instance, you could probably let people choose any password they wanted as long as you required, say, their badge and a thumbprint to log on.

For backwards compatibility, write a macro that generates random strings of characters the maximum length accepted by the legacy system to which you must log on. Encrypt the list of passwords, and use the method above to decrypt the password archive as needed.

James

Re:Just do what I do

[Pharmboy]

What I never got was this: If I have a password, and no one else ever knows it, AND I check my logs so I know if someone is trying to hack my account, what good does changing it anyway?

As soon as I see at attempt to hack it, I would change it. Until then, I have a great password that my wife doesn't even know about. If someone tries to hack it on Wednesday, it doesn't matter that I changed it on Monday, or last year: It will still take more time to crack than will pass before I check the logs.