Re: Choosing secure passwords - Feedback solicited

From: chris@nospam.com
Date: 04/03/02


    On 3 Apr 2002 00:55:19 GMT, Bernd Eckenfels
    <ecki-news2002-03@lina.inka.de> wrote:

    >Ross Oliver <reo@roscoe.airaffair.com> wrote:
    >> easy-to-remember passwords? Yes, self-selected passwords might be
    >> slightly more memorable than machine-generated ones, but the
    >> benefit is small compared to the tremendous amount of effort
    >> wasted by this mechanical task.
    >
    >I disagree. The security of the system is greatly lowered if ppl have to
    >write down the passwords and the passwords are more often forgotten.
    >
    >Personally I think a roll-out of authentication methods to uneducated users
    >within a high risk environment is only achievable by a multi-factor
    >authentication. A small PIN and a chipcard for example.
    >
    >That way ppl have something they have to look after just like they are used
    >to, and they have a small extra secret they know, to avoid easy misuse of
    >the lost token.

    How about a smarter password change utility? Currently password
    strictness requirements seem to impede the password selection process
    rather than aid the user in picking a good password.

    For example, ask the user to enter a phrase, whereupon the system
    generates a password using the first letter of each word, checks it
    for guessability, maybe adds a couple of digits to the end and tells
    the user what their password will be.

    Basically walk the user through a smarter selection process instead of
    chiding or preventing them from picking easy-to-guess passwords.
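The phrase-to-password flow proposed above, as an added example that is not code from the thread. The weak-password list is a constructed stand-in for a real dictionary, and the 8-word minimum is an assumed threshold; everything else follows the steps in the post: take the first character of each word, reject guessable results with an explanation, otherwise append random digits.

```python
import re
import secrets
import string

# Constructed stand-in for a real "common passwords" dictionary; a deployment
# would load a far larger list (assumption, not from the thread).
WEAK_LIST = {"password", "letmein", "qwerty", "abc123", "iloveyou", "welcome"}
MIN_WORDS = 8          # assumed threshold: one character per word, so 8 minimum
DIGIT_SUFFIX_LEN = 2   # "a couple of digits" appended to the end


def acronym(phrase: str) -> str:
    """First character of each whitespace-separated word. The user's
    capitalisation, digits and punctuation carry into the password."""
    return "".join(w[0] for w in re.findall(r"\S+", phrase))


def guessability_problems(candidate: str) -> list[str]:
    """Reasons the first-letter candidate is easy to guess; empty means OK.
    These are the checks the utility would explain back to the user."""
    problems = []
    if len(candidate) < MIN_WORDS:
        problems.append(f"phrase has fewer than {MIN_WORDS} words")
    if candidate.lower() in WEAK_LIST:
        problems.append("matches a common password")
    if len(set(candidate.lower())) < max(4, len(candidate) // 2):
        problems.append("too many repeated characters")
    if candidate.isalpha() and candidate == candidate.lower():
        problems.append("only lowercase letters; capitalise or add a number in the phrase")
    return problems


def suggest_password(phrase: str, rng=secrets):
    """Walk the user through selection: build the candidate, report any
    weakness instead of silently rejecting, otherwise append random digits.
    rng needs a .choice(seq) method; the secrets module is used by default."""
    base = acronym(phrase)
    problems = guessability_problems(base)
    if problems:
        return None, problems
    suffix = "".join(rng.choice(string.digits) for _ in range(DIGIT_SUFFIX_LEN))
    return base + suffix, []


if __name__ == "__main__":
    for phrase in ["my dog ate it", "My dog Rex ate the whole birthday cake again"]:
        pw, why = suggest_password(phrase)
        print(f"{phrase!r} -> {pw or 'rejected'} {why}")
```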