Slashdot Mirror


Enforcing Cryptographically Strong Passwords

Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated passwords for the user to choose from. Two issues raised with this concept were shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated passwords. A full summary of this discussion is available. Any thoughts from slashdotters?"

16 of 429 comments

  1. GOD by scsirob · · Score: 4, Funny

    No-one will ever guess my super-secret password: GOD

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
    1. Re:GOD by 0x461FAB0BD7D2 · · Score: 4, Funny
      What was that? I only see asterisks.

      No-one will ever guess my super-secret password: ***


      Do I need a password to view your super-secret password? Or do I run your comment by LC5?
    2. Re:GOD by FidelCatsro · · Score: 4, Funny

      if you want to make it cryptographically strong you could change it to j3H0vA

      --
      The only things certain in war are Propaganda and Death. You can never be sure which is which though
    3. Re:GOD by Anonymous Coward · · Score: 3, Funny

      But in the Latin alphabet, j3h0vA begins with an I...

    4. Re:GOD by Jack+Taylor · · Score: 5, Funny

      Here's the original. It's a classic :D. Check out the top 100 too, if you haven't already.

      --
      One good turn - gets all the covers.
    5. Re:GOD by Anonymous Coward · · Score: 5, Funny

      Terrific password. The atheist believes your password does not exist and would not waste time looking for it. And religious extremists will fight wars over the strength of your password.

    6. Re:GOD by Anonymous Coward · · Score: 4, Funny

      Maybe, maybe not.

  2. Easier to remember random passwords by markh1967 · · Score: 5, Funny

    We faced the same problem when generating random passwords for users and decided that the best method was to generate two short (4-6 characters) English words with a number at the end. This creates passwords such as swimeasy12, turnright62, sidedoor81, etc. These proved to be very easy to remember and we only had one complaint: A secretary had her random password set to fatgirl13 and was really not happy, even after we explained the random process.

    --
    Input error. Replace user and press any key to continue.
    1. Re:Easier to remember random passwords by Anonymous Coward · · Score: 2, Funny

      Interesting.

      On an unrelated note, where do you work?

    2. Re:Easier to remember random passwords by Anonymous Coward · · Score: 5, Funny

      but brute forcing all combinations of 2 4-6 letter english words plus 2 digits is ridiculously easy...

      Perhaps, but if he gets you to spell the words for him, the dictionary attack won't work.
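The keyspace argument in the reply above, and the pronounceable-password proposal in the story summary, are easy to quantify. The following is an added example written for this page, not code from the mailing list or from any poster in the thread. It generates passwords under three schemes with the `secrets` module (two short words plus two digits, a consonant/vowel pronounceable string, and plain random alphanumerics) and computes the entropy each scheme yields when an attacker knows the scheme and every position is drawn uniformly. The word list is a constructed stand-in for a real dictionary; the 5000-word figure used in the usage note is an assumed size for a list of 4-6 letter English words, not a measured count.

```python
import math
import secrets
import string

# Constructed word list standing in for the 4-6 letter English words
# markh1967 describes. A real deployment would load a dictionary file;
# the entropy figures below scale with that file's size, not with this one.
WORDS = ["swim", "easy", "turn", "right", "side", "door", "lamp", "green",
         "stone", "river", "cloud", "paper", "quick", "brown", "frost", "jumps"]

CONSONANTS = "bcdfghjklmnprstvwxyz"   # 20 letters (q left out for pronounceability)
VOWELS = "aeiou"                      # 5 letters
ALNUM = string.ascii_letters + string.digits   # 62 symbols


def two_words_and_number(words=WORDS):
    """markh1967's scheme: two short words followed by a two-digit number."""
    return (secrets.choice(words) + secrets.choice(words)
            + f"{secrets.randbelow(100):02d}")


def pronounceable(length=8):
    """Pronounceable random password: consonant and vowel alternate,
    so the result is sayable (e.g. 'rukatobe') but still uniformly drawn."""
    out = []
    for i in range(length):
        pool = CONSONANTS if i % 2 == 0 else VOWELS
        out.append(secrets.choice(pool))
    return "".join(out)


def random_alnum(length=8):
    """Baseline: uniformly random upper/lower/digit characters."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def entropy_bits(choices_per_position):
    """Bits of entropy when each position is drawn uniformly and independently
    from a pool of the given size. This assumes the attacker knows the scheme
    (Kerckhoffs' principle), so the structure itself contributes nothing."""
    return sum(math.log2(n) for n in choices_per_position)


def scheme_entropies(word_count=len(WORDS), pronounceable_len=8, alnum_len=8):
    """Entropy of each scheme in bits, for the given dictionary size and lengths."""
    return {
        "two_words_number": entropy_bits([word_count, word_count, 100]),
        "pronounceable": entropy_bits(
            [len(CONSONANTS) if i % 2 == 0 else len(VOWELS)
             for i in range(pronounceable_len)]),
        "random_alnum": entropy_bits([len(ALNUM)] * alnum_len),
    }


if __name__ == "__main__":
    print("two words + number :", two_words_and_number())
    print("pronounceable      :", pronounceable())
    print("random alnum       :", random_alnum())
    for name, bits in scheme_entropies(word_count=5000).items():
        print(f"{name:18s} {bits:5.1f} bits (5000-word dictionary assumed)")
```

With an assumed 5000-word dictionary the two-word-plus-number scheme gives about 31 bits, the 8-letter pronounceable scheme about 27 bits, and 8 random alphanumerics about 48 bits; the memorable schemes trade roughly half the keyspace bits for memorability, which is what the "ridiculously easy" reply is pointing at. The figure is only valid if words and digits are chosen uniformly with a CSPRNG; a scheme that lets users pick from a displayed list, as the original poster proposed, adds a human-preference bias that this calculation does not account for.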
  3. password by DarkHelmet · · Score: 4, Funny
    from the nd3knsdkh238979103dsw dept

    Stop posting my password on Slashdot, Zonk!

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
  4. Not so hard... by Infinityis · · Score: 2, Funny

    I find that test/test works fine for my root login...

  5. Spouse's name by mmThe1 · · Score: 4, Funny

    I still say that using one's spouse's name as the password is best.

    If you think it's a weak policy for your organization, then your employees aren't changing their spouses fast enough....

    1. Re:Spouse's name by Anonymous Coward · · Score: 1, Funny

      So my password should be "myrighthand"? :)

  6. Re:Forget passwords. by hey · · Score: 2, Funny
    I'm getting a bit tired of Schneier. It's easy to be a critic and say everything is insecure. You always know what he's going to say. In fact I've noticed:

    Schneier just don't work anymore. As computers have gotten faster, Schneier guessing has gotten easier. Ever-more-complicated Schneier are required to evade Schneier-guessing software. At the same time, there's an upper limit to how complex a Schneier users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have Schneier that can't be guessed. For anything that requires reasonable security, the era of Schneier is over.
  7. Re:Passphrases by Glonoinha · · Score: 4, Funny

    that builds grammatical sentences by taking a valid syntax and plugging in random verbs, nouns and adjectives in the right places.

    Or I could just send you the documentation we got back with the last project we outsourced to India.

    --
    Glonoinha the MebiByte Slayer