Slashdot Mirror

← Back to Stories (view on slashdot.org)

Enforcing Crytographically Strong Passwords

Posted by Zonk on from the nd3knsdkh238979103dsw dept.

Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated password for the user to choose from. Two issues pointed with this concept, were Shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated password. A full summary of this discussion is available. Any thoughts from slashdotters?"

5 of 429 comments (clear)

  1. Easier to remember random passwords by markh1967 · · Score: 5, Funny

    We faced the same problem when generating random passwords for users and decided that the best method was to generate two short (4-6 characters) english words with a number at the end. This creates passwords such as swimeasy12, turnright62, sidedoor81, etc. These proved to be very easy to rememeber and we only had one complaint: A secretary had her random password set to fatgirl13 and was really not happy, even after we expained the random process.

    --
    Input error. Replace user and press any key to continue.
    1. Re:Easier to remember random passwords by Anonymous Coward · · Score: 5, Funny

      but brute forcing all combinations of 2 4-6 letter english words plus 2 digits is rediciously easy...

      Perhaps, but if he gets you to spell the words for him, the dictionary attack won't work.
  2. "Force"? by chrysrobyn · · Score: 5, Interesting

    I'm just a *nix and Windows luser. After struggling with tens of passwords for years, keeping them (relatively) secure, difficult to guess, etc., my employer is starting to press hard on even more regulations and ended up changing my password cycles. I can't keep up any more. I've had to get passwords reset monthly for about 6 months so far because I get locked out due to bad password entries. I just had to ask for advice on keeping them straight.

    Per advice, I have begun to keep a plaintext file on my desktop computer with all my passwords in it and when they expire. My corporate IT guidelines are too secure for me, a legit user. So, I'll have to compromise security in order to comply with guidelines.

  3. Re:GOD by Jack+Taylor · · Score: 5, Funny

    Here's the original. It's a classic :D. Check out the top 100 too, if you haven't already.

    --
    One good turn - gets all the covers.
  4. Re:GOD by Anonymous Coward · · Score: 5, Funny

    Terrific password. The atheist believes your password does not exist and would not waste time looking for it. And religious extremists will fight wars over the strength of your password.