Enforcing Cryptographically Strong Passwords
Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated passwords for the user to choose from. Two issues pointed out with this concept were shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated passwords. A full summary of this discussion is available. Any thoughts from Slashdotters?"
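The trade-off behind the counter proposal is that a pronounceable generator restricts the output space, so the entropy per character drops and the password must be longer to match a fully random one. The example below (added here, not code from the thread or from the mailing list) makes that cost explicit: it builds pronounceable passwords from a constructed onset+vowel syllable inventory using the OS CSPRNG, computes the exact entropy of each scheme, and works out how many syllables are needed to match a 12-character alphanumeric password. The syllable inventory and the 12-character baseline are assumptions chosen for illustration.

```python
import math
import re
import secrets
import string

# Constructed syllable inventory (an assumption for this example, not from the
# thread): each syllable is one onset followed by one vowel, so every output
# is pronounceable and each syllable is one of len(ONSETS) * len(VOWELS)
# equally likely choices. No vowel is also an onset, so a password parses
# back into its syllables in exactly one way and the entropy count is exact.
ONSETS = ["b", "d", "f", "g", "k", "l", "m", "n", "p", "r", "s", "t", "v", "z",
          "br", "dr", "kr", "pr", "st", "tr"]
VOWELS = ["a", "e", "i", "o", "u", "ai", "ou"]
CHOICES_PER_SYLLABLE = len(ONSETS) * len(VOWELS)   # 140

def _alt(items):
    # longest alternatives first so the regex tries "br" before "b"
    return "|".join(sorted(items, key=len, reverse=True))

SYLLABLE_RE = re.compile(f"^(?:(?:{_alt(ONSETS)})(?:{_alt(VOWELS)}))+$")

def pronounceable_password(syllables=5):
    """Random pronounceable password of `syllables` onset+vowel syllables,
    drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ONSETS) + secrets.choice(VOWELS)
                   for _ in range(syllables))

def pronounceable_entropy_bits(syllables):
    """Entropy of pronounceable_password(syllables), in bits."""
    return syllables * math.log2(CHOICES_PER_SYLLABLE)

def random_password(length=12, alphabet=string.ascii_letters + string.digits):
    """Fully random password over `alphabet` (the original poster's scheme)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_entropy_bits(length, alphabet_size=62):
    """Entropy of random_password(length) over an alphabet of that size."""
    return length * math.log2(alphabet_size)

def syllables_for_target(bits):
    """Fewest syllables whose pronounceable password reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(CHOICES_PER_SYLLABLE))

def is_pronounceable(password):
    """True if `password` is a concatenation of syllables from the inventory."""
    return SYLLABLE_RE.fullmatch(password) is not None

if __name__ == "__main__":
    target = random_entropy_bits(12)      # ~71.5 bits for 12 alphanumerics
    n = syllables_for_target(target)      # 11 syllables to match it
    for candidate in (pronounceable_password(n) for _ in range(5)):
        print(candidate, f"{pronounceable_entropy_bits(n):.1f} bits")
```

With this inventory each syllable carries about 7.1 bits, so matching a 12-character alphanumeric password takes 11 syllables (22 to 44 letters); a real deployment would pick the inventory and syllable count against the entropy target it needs rather than a fixed length.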
I keep my passwords in a plaintext file at home. I encrypt the plaintext file with a long passphrase afterwards. I've always thought that was a reasonable solution for keeping lots of passwords safe.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
I answered that. It's so that I can get at it from anywhere. ;-)
Of course, you could too, if you could guess the URL. But actually, that's gonna be a lot more difficult than guessing most of my passwords. Unlike passwords, that often have a size limit, a URL can be rather long (even discounting all the fixed boilerplate).
Also, I have accounts on a number of machines that are on the Net and have web servers. Some are guest accounts. I can put maybe two copies of my file on two of them and move it around occasionally. Maybe changing its name. The file is always "hidden" in the various ways that a web server lets you do this.
I'd contend that this is in fact more secure than, say, a Password Safe in a Palm device in my pocket. That can be stolen and brute-forced to give up the file. My online file is a lot less accessible. And I'm not carrying any physical clues that it even exists.
Of course, the fundamental problem is the idiots running security systems, that force me to have around 100 passwords, mostly different. If they wouldn't do this to me, I could use memorable passwords that aren't dictionary-hackable, and I wouldn't need to store them anywhere.
It would also be much better if all those sites would let me change my password. For more than half of them, I couldn't tell you how to do this. Discovering the method is generally so difficult and time consuming that, like everyone else, I don't bother. It's one more idiocy forced on me by the security "experts".
Those who do study history are doomed to stand helplessly by while everyone else repeats it.