Slashdot Mirror


Your Passwords Don't Suck — It's Your Policies

First time accepted submitter eGuy writes "ZDNet sparked a debate about password policies when John Fontana wrote about my open source (LGPL) password policy project that rewards XKCD-like passwords. Steve Watts of SecurEnvoy replies that it is too little, too late. What think ye? Is there hope for passwords?"

1 of 487 comments

  1. Re:This is too simple to fix by Drishmung · Score: 5, Interesting
    We actually did something like this.

    Users were permitted to choose their own password. These passwords could be long. We had guidelines as to what were good schemes, but there was no enforcement of rules.

    However, we also

    1. ran a quick check on your password against a cracker and
    2. ran a password cracker as a constant background job.

    If your password was cracked by the quick checker, it was rejected and you had to choose another.

    If the background checker cracked your password, you were locked out. When you tried to log on and couldn't, and called to find out why, you were told your password had been cracked and you needed a new one. (Actually, I think we emailed you then locked you out, so if you were on-line, you could choose a new password then and there).

    It worked.

    --
    Protoplasm. Quiet Protoplasm. I like quiet protoplasm.
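The two checks the comment above describes, as an added Python sketch that is not the poster's code: a set-time quick check that rejects anything a cracker's first dictionary pass would derive (while letting a multi-word passphrase through), and a background audit that tries the same dictionary against stored hashes and returns the accounts to lock. The wordlist, the salted PBKDF2 storage format and the mangling rules are constructed assumptions for the demo.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a cracker's dictionary (assumption: a real deployment
# feeds the quick check the same wordlist the background job uses).
WORDLIST = {"password", "letmein", "dragon", "summer", "welcome", "monkey",
            "qwerty", "correct", "horse", "battery", "staple"}

# Undo common leetspeak substitutions so "Drag0n" is compared as "dragon".
LEET = str.maketrans("@$0134!", "asoieai")

def variants(candidate: str) -> set[str]:
    """Base forms the quick check compares against the dictionary: lowercased,
    with trailing digits/punctuation stripped, and with leetspeak undone."""
    low = candidate.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)
    return {low, stripped, low.translate(LEET), stripped.translate(LEET)}

def quick_check(candidate: str, wordlist: set[str] = WORDLIST):
    """Set-time check: reject a password the cracker's first pass would find.
    Returns None when the password is accepted, else the reason for rejection.
    A multi-word passphrase passes because the whole string is not one word."""
    for form in variants(candidate):
        if form in wordlist:
            return f"derived from dictionary word {form!r}"
    return None

def mangle(word: str) -> set[str]:
    """The few cheap mangling rules the background job tries per word."""
    return {word, word.capitalize(), word + "1", word.capitalize() + "1"}

def hash_password(password: str, salt: bytes) -> bytes:
    """Constructed storage format for the demo (salted PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

def background_audit(records, wordlist: set[str] = WORDLIST) -> list[str]:
    """Background job: run the dictionary against every stored hash and return
    the users whose password it recovers, so those accounts can be locked and
    told to pick a new one. records = [(username, salt, stored_digest), ...]."""
    to_lock = []
    for user, salt, digest in records:
        guesses = {g for w in wordlist for g in mangle(w)}
        if any(hmac.compare_digest(hash_password(g, salt), digest) for g in guesses):
            to_lock.append(user)
    return to_lock
```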