Re: Creating a Password

From: The Other Guy (nospam@this.addy)
Date: 02/07/03

On Fri, 07 Feb 2003 13:11:20 GMT, while waiting for Somebody Else to
show up and say something, The Other Guy responded to a post from "Don
Kelloway" <dkelloway@commodon.com> who wrote in alt.computer.security:

>It is my opinion that an even better reply to choosing a password less apt
>to be cracked, would be to select two from each of the following four
>categories and mix them any way you want.
>
>capital letters, numbers, lowercase letters, symbols
>
>Example(s): Qi8&W3n! or Vd#9iR%n
>
>Such passwords can only be cracked by means of brute force.

Well put, Don. I'd add a couple of things.

1) Brute forcing these kinds of passwords can take eons, so it is not
worth the effort (the cracker would just move on to other accounts).

2) However, they can be discovered through any form of social
engineering (writing it down on a sticky note and leaving it for
anyone to see; giving it to someone who you think is trusted -- the old
call from the "administrator" needing to update and test accounts,
etc.).

3) Passwords should also be a minimum of eight characters, and likely
can't exceed 15 depending on the O/S and its restrictions. Don's
example illustrated the minimum of 8 characters, but I just wanted to
clearly state that.

Furthermore, users tend to shy away from these types of passwords
because of the difficulty of remembering them (hence it is easier to
use your kid's name, or favourite TV character).

Finally, there should be some sort of enforcement of password change
policy, say every six months, to make it truly effective (i.e., again
using SE, I could get the first four characters at one point, and then
the other four later on).

Cheers,
TOG

-- 
./configure --prefix=~/zyterion
Not this guy or that guy, The Other Guy.
This spot may contain a satirical comment or comedic source,
and is meant to be funny. If you are easily offended, gullible
or don't have a sense of humour we suggest you read elsewhere.
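The composition rule discussed in this thread (at least two characters from each of four classes, eight characters minimum) and the brute-force estimate that goes with it, as an added worked example; this is not code from the original post nor anything Don or TOG wrote. It assumes the "symbols" class is the 32 printable ASCII punctuation characters (Python's string.punctuation) and uses a placeholder guess rate that is an assumption, not a figure from the thread. It checks a password against the rule, generates one with the OS CSPRNG, and counts exactly how many candidates an attacker who knows the rule has to try, next to the count for any 8 printable ASCII characters.

```python
"""Added example: check, generate and size the keyspace of passwords built
under the rule "two from each of upper, lower, digit, symbol"."""
import math
import secrets
import string
from itertools import product

# Character classes as named in the thread. The symbol set is an assumption:
# the 32 printable ASCII punctuation characters.
CLASSES = {
    "upper": string.ascii_uppercase,   # 26
    "lower": string.ascii_lowercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
MIN_PER_CLASS = 2


def meets_rule(pw: str, min_per_class: int = MIN_PER_CLASS) -> bool:
    """True if pw draws at least min_per_class characters from every class
    and contains nothing outside those classes (spaces, non-ASCII...)."""
    counts = {name: 0 for name in CLASSES}
    for ch in pw:
        for name, alphabet in CLASSES.items():
            if ch in alphabet:
                counts[name] += 1
                break
        else:
            return False  # character belongs to none of the classes
    return all(c >= min_per_class for c in counts.values())


def generate(length: int = 8, min_per_class: int = MIN_PER_CLASS) -> str:
    """Draw min_per_class chars from each class, top up from the union, then
    shuffle with the OS CSPRNG so the class of each position is not fixed."""
    if length < min_per_class * len(CLASSES):
        raise ValueError("length too short to hold the required classes")
    rng = secrets.SystemRandom()
    chars = [secrets.choice(a) for a in CLASSES.values() for _ in range(min_per_class)]
    everything = "".join(CLASSES.values())
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def rule_keyspace(length: int = 8, min_per_class: int = MIN_PER_CLASS) -> int:
    """Exact number of strings of `length` that satisfy the rule: for every
    split of the positions among the classes (each >= min_per_class), add
    multinomial(length; c1..c4) * prod(|class_i| ** c_i)."""
    sizes = [len(a) for a in CLASSES.values()]
    total = 0
    for counts in product(range(min_per_class, length + 1), repeat=len(sizes)):
        if sum(counts) != length:
            continue
        arrangements = math.factorial(length)
        for c in counts:
            arrangements //= math.factorial(c)
        strings = 1
        for size, c in zip(sizes, counts):
            strings *= size ** c
        total += arrangements * strings
    return total


def unconstrained_keyspace(length: int = 8) -> int:
    """Any string of `length` over the union of the four classes (94 ** length)."""
    return sum(len(a) for a in CLASSES.values()) ** length


def bits(n: int) -> float:
    """Keyspace size expressed as bits of search effort."""
    return math.log2(n)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    pw = generate()
    print(pw, "meets rule:", meets_rule(pw))
    for label, n in (("rule, 8 chars, 2 per class", rule_keyspace(8)),
                     ("any 8 printable ASCII chars", unconstrained_keyspace(8))):
        print(f"{label}: {n:,} candidates = {bits(n):.1f} bits")
    ASSUMED_RATE = 1e9  # placeholder guesses/second, not a measured figure
    days = seconds_to_exhaust(rule_keyspace(8), ASSUMED_RATE) / 86400
    print(f"exhausting the rule's 8-char space at {ASSUMED_RATE:.0e}/s: {days:.1f} days")
```

Run against the two examples quoted above, meets_rule accepts Qi8&W3n! and rejects Vd#9iR%n, which has only one digit. The two counts are the point worth keeping: with eight characters, "two from each class" means exactly two from each, and an attacker who knows the rule has 2520 x 26^2 x 26^2 x 10^2 x 32^2, about 1.2e14 candidates (about 47 bits), against 94^8, about 6.1e15 (about 52 bits), for an unconstrained eight-character password; the composition rule shrinks the space the brute-forcer must cover, and the longer lengths TOG mentions (up to 15) are where the count grows.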