Re: Strong Passwords Revisited

From: Lyal Collins (lyalc@ozemail.com.au)
Date: 02/16/03


From: "Lyal Collins" <lyalc@ozemail.com.au>
Date: Sun, 16 Feb 2003 23:56:56 +1100


If you control logical and physical access to the repository of stored
passwords (in any form), AND implement failed attempt lockout, it's not
likely that any password over 6 characters can be guessed without raising
alerts, generating audit records and prompting remedial action.

Why bother with the rest of this stuff?
Lyal

"Howie" <foxhr@excite.com> wrote in message
news:ow73a.52453$zF6.3503883@bgtnsc04-news.ops.worldnet.att.net...
> I tell my people the best passwords are acronyms of phrases that mean
> nothing to anyone else plus a number that has some personal meaning.
>
> For instance: My 4th grade teacher was memorable to me in that she destroyed
> my ability to learn for years, so it's easy for me to remember "Mrs. Garin
> Ruined My Life" which gives me 'mgrml' and I follow it with the year it took
> place, 1962, so my unforgettable, practically unbreakable password now is
> 'mgrml1962'.
>
> "Lawrence D'Oliveiro" <ldo@geek-central.gen.new_zealand> wrote in message
> news:ldo-EC0554.23533914022003@news.wave.co.nz...
> > In article <kfjX9.27575$7_.109525@news1.mts.net>, "Jeff Williams"
> > <frostback1963@yahoo.com> wrote:
> >
> > >One problem with "strong" passwords is that they're very hard to remember.
> > >"zucchini" is easy to remember. "*&cFho4#" is, for most people I know, hard
> > >to remember. What are such people likely to do with hard passwords?
> > >They're going to write them down (and often post them on a yellow sticky on
> > >their freakin' monitor). This is not very good from a security perspective.
> > >
> > >I've often wondered why passwords seem to be limited to 8 or 10 characters.
> > >Why not limit them to, say, 32 or 64 characters and let people use phrases
> > >that they can easily remember? Many people have a vast repository of
> > >remembered pop songs. Others memorize scripture or poetry. Such phrases do
> > >serious damage to the concept of dictionary attacks as well as to BFI
> > >attacks.
> >
> > Trouble is, even though there may be millions of potential lines of song
> > lyrics, poetry or whatever out there, people will tend to pick the most
> > memorable ones. That means that some lines and phrases will end up being
> > highly popular, while most of the rest are hardly used at all. What's
> > the bet that some large fraction of people will use "to be or not to
> > be", just for instance?
> >
> > I thought of a sort of compromise idea: choosing a single random word
> > from a dictionary is a bad idea, but what if you choose multiple random
> > words?
> >
> > Consider a modestly-sized dictionary of just 10,000 English words. If
> > you choose 3 words at random, you end up with 10^12 possibilities. This
> > is not far short of the possibilities with choosing 8 completely random
> > letters and digits (about 2.8 * 10^12 possibilities).
> >
> > Of course, the point is that the choices really must be random. "three
> > blind mice" would be a bad choice, while "invigorate gargantuan colour"
> > would be a much better choice--the less meaningful the phrase is, the
> > better. The question is, would it still be feasible for users to
> > remember such random phrases without writing them down, given that they
> > are just a short sequence of ordinary words?
>
>
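A small calculator, added here as an example and not part of any post in the thread, that reproduces Lawrence's search-space comparison (3 random words from a 10,000-word list versus 8 random letters and digits) and shows how the failed-attempt lockout Lyal describes bounds an online guessing rate. The lockout policy (5 failures, 30-minute lock) and the offline cracking rate are assumed figures, not from the thread.

```python
import math

# Added example, not from the thread. Lockout parameters and the offline
# guess rate below are constructed assumptions used for illustration.

def search_space(symbols: int, length: int) -> int:
    """Distinct candidates from `length` independent choices among `symbols`."""
    return symbols ** length

def entropy_bits(space: int) -> float:
    """Equivalent strength in bits: log2 of the search space."""
    return math.log2(space)

def lockout_bounded_rate(attempts_before_lockout: int, lockout_seconds: int) -> float:
    """Upper bound on online guesses per second against one account when the
    server locks the account for lockout_seconds after N consecutive failures."""
    return attempts_before_lockout / lockout_seconds

def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)

# Lawrence's figures: 3 random words from a 10,000-word dictionary, versus
# 8 random letters and digits (26 letters + 10 digits = 36 symbols).
THREE_WORDS = search_space(10_000, 3)   # 10^12
EIGHT_ALNUM = search_space(36, 8)       # about 2.8 * 10^12

# Lyal's point: with lockout, online guessing is throttled per account.
# Assumed policy: 5 failures, then a 30-minute lockout.
ONLINE_RATE = lockout_bounded_rate(5, 30 * 60)   # ~0.0028 guesses/s
# Offline cracking of a stolen password store is not throttled at all;
# 10^9 guesses/s is an assumed round figure for a fast unsalted hash.
OFFLINE_RATE = 1e9

if __name__ == "__main__":
    for name, space in (("3 random words", THREE_WORDS),
                        ("8 random alnum", EIGHT_ALNUM)):
        print(f"{name}: {space:.2e} candidates, {entropy_bits(space):.1f} bits")
        print(f"  online, lockout-bound: {years_to_exhaust(space, ONLINE_RATE):.2e} years")
        print(f"  offline, unthrottled:  {years_to_exhaust(space, OFFLINE_RATE):.2e} years")
```

The gap between the two rates is why Lyal's condition has two parts: lockout only helps while the stored passwords themselves stay out of an attacker's hands.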


