Slashdot Mirror


Enforcing Crytographically Strong Passwords

Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated password for the user to choose from. Two issues pointed with this concept, were Shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated password. A full summary of this discussion is available. Any thoughts from slashdotters?"

4 of 429 comments (clear)

  1. "Force"? by chrysrobyn · · Score: 5, Interesting

    I'm just a *nix and Windows luser. After struggling with tens of passwords for years, keeping them (relatively) secure, difficult to guess, etc., my employer is starting to press hard on even more regulations and ended up changing my password cycles. I can't keep up any more. I've had to get passwords reset monthly for about 6 months so far because I get locked out due to bad password entries. I just had to ask for advice on keeping them straight.

    Per advice, I have begun to keep a plaintext file on my desktop computer with all my passwords in it and when they expire. My corporate IT guidelines are too secure for me, a legit user. So, I'll have to compromise security in order to comply with guidelines.

  2. Single Sign On by SnapShot · · Score: 4, Interesting

    Either use single sign on or an honest assessment of whether or not every f-ing application and web site in the intranet needs it's own f-ing password. Some things are just not so important that they need a password especially if they are already relatively safe within the corporate intranet.

    To use the example above, I'd be more than willing to think up and use a long, randomized password if it was the only one I had to remember to do my job and I only had to change it once every 90 days or so.

    --
    Waltz, nymph, for quick jigs vex Bud.
  3. My technique. by Heem · · Score: 4, Interesting

    I like to pick a pattern on the keyboard, and then use that, alternating shift. If you were to ask me what my password is, I really wouldnt know unless I'm sitting at the keyboard.

    Now, this is NOT my password, but it may have been at some point, but for example :LKPOI)(*890iopkl;

    As you can see, that password would be difficult to guess and crack, since it contains number, symbols, upper and lower case, 18 characters, and has no dictionary words in it.

    Try and type that password and you'll see how easy it is to remember.

    --
    Don't Tread on Me
  4. Profanity! by word_virus · · Score: 4, Interesting

    I always recommend users consider a password comprised largely of profanity. This has proven to have several benefits: 1. It's makes passwords "sticky" and easier to remember, so you can make them arbitrarily long. It's easy for your password to be 1Mg\/\/v when it stands for "lick my gibbering whale vulva." 2. Because these passwords are potentially embarassing, users are much less likely to write them down in any conspicuous place (like the sticky note on the monitor). 3. An additional benefit of the embarassment factor, users are less likely to give their password out to others, thus protecting against social engineering attacks.