Re: Creating a Password

From: The Other Guy <nospam@this.addy>
Date: Fri, 07 Feb 2003 15:45:08 GMT

On Fri, 07 Feb 2003 13:11:20 GMT, while waiting for Somebody Else to
show up and say something, The Other Guy responded to a post from "Don
Kelloway" <dkelloway@commodon.com> who wrote in alt.computer.security:

>It is my opinion that an even better reply to choosing a password less apt
>to be cracked would be to select two from each of the following four
>categories and mix them any way you want.
>
>capital letters, numbers, lowercase letters, symbols
>
>Example(s): Qi8&W3n! or Vd#9iR%n
>
>Such passwords can only be cracked by means of brute force.

Well put, Don. I'd add a couple of things.

1) Brute forcing these kinds of passwords can take eons, and thus is not
worth the effort (the cracker would just move on to other
accounts).

2) However, they can be discovered through any form of social
engineering (writing it down on a sticky note and leaving it for
anyone to see; giving it to someone you think is trusted -- the old
call from the "administrator" needing to update and test accounts,
etc.).

3) Passwords should also be a minimum of eight characters, and likely
can't exceed 15 depending on the O/S and its restrictions. Don's
example illustrated the eight-character minimum, but I just wanted to
state that clearly.

Furthermore, users tend to shy away from these types of passwords
because of the difficulty of remembering them (hence it is easier to
use your kid's name, or favourite TV character).

Finally, there should be some sort of enforcement of password change
policy, say every six months, to make it truly effective (i.e., again
using SE, I could get the first four characters at one point, and then
the other four later on).

Cheers,
TOG

-- 
./configure --prefix=~/zyterion
Not this guy or that guy, The Other Guy.
This spot may contain a satirical comment or comedic source,
and is meant to be funny. If you are easily offended, gullible
or don't have a sense of humour we suggest you read elsewhere.
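The "two from each of four categories" rule and the brute-force argument above can be checked rather than taken on faith. The following is an added example, not code from the thread or from either poster: it generates a password under that exact rule with a CSPRNG, verifies a candidate against the rule, and computes how many passwords the rule admits versus an unconstrained 8-character password, so the brute-force cost can be put in numbers. Assumptions: the symbol category is the 32 printable ASCII punctuation characters (`string.punctuation`), the unconstrained alphabet is the 95 printable ASCII characters, and the guessing rates used for the time estimate are illustrative, not measured.

```python
import math
import secrets
import string

# Character classes as the post lists them: capitals, numbers,
# lowercase letters, symbols. The symbol set is an assumption
# (string.punctuation, 32 characters, no space).
UPPER = string.ascii_uppercase
DIGITS = string.digits
LOWER = string.ascii_lowercase
SYMBOLS = string.punctuation
CLASSES = (UPPER, DIGITS, LOWER, SYMBOLS)
PER_CLASS = 2  # "select two from each" category


def generate_password(per_class=PER_CLASS, classes=CLASSES):
    """Pick per_class characters from each class using the secrets CSPRNG,
    then shuffle with a secrets-driven Fisher-Yates so the position of
    each class is not predictable (random.shuffle is not a CSPRNG)."""
    chars = [secrets.choice(c) for c in classes for _ in range(per_class)]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def class_counts(password, classes=CLASSES):
    """How many characters of the password fall into each class."""
    return tuple(sum(1 for ch in password if ch in c) for c in classes)


def meets_rule(password, per_class=PER_CLASS, classes=CLASSES):
    """True if the password is exactly per_class characters from every
    class and nothing else (the rule as stated in the thread)."""
    expected = (per_class,) * len(classes)
    return (len(password) == per_class * len(classes)
            and class_counts(password, classes) == expected)


def constrained_keyspace(per_class=PER_CLASS, classes=CLASSES):
    """Number of distinct passwords the rule admits: the multinomial count
    of ways to assign class slots to positions, times the choices within
    each slot."""
    n = per_class * len(classes)
    arrangements = math.factorial(n) // (math.factorial(per_class) ** len(classes))
    choices = 1
    for c in classes:
        choices *= len(c) ** per_class
    return arrangements * choices


def unconstrained_keyspace(length=8, alphabet_size=95):
    """Passwords of the same length drawn freely from printable ASCII
    (95 characters is an assumption about the attacker's alphabet)."""
    return alphabet_size ** length


def bits(keyspace):
    """Keyspace size expressed as bits of entropy against exhaustive search."""
    return math.log2(keyspace)


def brute_force_seconds(keyspace, guesses_per_second):
    """Worst-case time to exhaust the keyspace; the expected time is half."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    for sample in ("Qi8&W3n!", "Vd#9iR%n", generate_password()):
        print(f"{sample!r}: counts={class_counts(sample)} rule_ok={meets_rule(sample)}")
    rule_space = constrained_keyspace()
    free_space = unconstrained_keyspace()
    print(f"rule keyspace: {rule_space:,} ({bits(rule_space):.1f} bits)")
    print(f"free 8-char keyspace: {free_space:,} ({bits(free_space):.1f} bits)")
    # Illustrative rates (assumptions): a throttled online login vs. an
    # offline attack against a fast hash.
    for label, rate in (("online 1e4/s", 1e4), ("offline 1e9/s", 1e9)):
        days = brute_force_seconds(rule_space, rate) / 86400
        print(f"exhaust rule keyspace at {label}: {days:,.1f} days")
```

Running it shows two things the post does not spell out. First, the rule is stricter than it looks: with exactly two characters per class the keyspace is about 1.2e14 (roughly 46.7 bits), some 56 times smaller than the 95^8 unconstrained 8-character space (about 52.6 bits), because an attacker who knows the rule never has to try the other patterns. Second, `meets_rule` flags the second example string: `Vd#9iR%n` has three lowercase letters and one digit, so it does not actually follow the rule as stated, whereas `Qi8&W3n!` does. The time estimates also make the "eons" claim concrete: at an assumed offline rate of a billion guesses per second the whole rule keyspace is exhausted in under two days, while at a throttled online rate it is hundreds of years.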