-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark Rudholm wrote:
> Benjamin Smee (strerror) wrote:
>
> I feel compelled to point out that 8-character passwords,
> no matter their composition, aren't really that strong
> anymore. Also, forcing users to use special characters
> and change passwords frequently only guarantees that they
> will write them down, often not in secure places.
>
> You might consider having users use longer passwords
> (a passphrase). They're easier for a user to remember,
> so they're less likely to write them down. They're also
> far more resistant to brute force attacks and guessing.
> Also consider that if you require two capital letters,
> 2 numbers, and 2 special characters, you've just reduced
> the number of possible 8-character passwords quite
> significantly.

In some cases yes, but you have to take into account that [a-zA-Z0-9] and
special signs give a very big volume of possible combinations. In this
case I think that it is much more secure than a 12-character [a-zA-Z]
password, which could be called a passphrase.

> It's usually very easy for a user to remember something
> like 'My child flies kites.' but if you make them use
> things like '^3!kX$1a' and force changes every couple
> of months, they *will* write it on a post-it note and
> stick it in their desk drawer or on their display.

In this case I have to say that it is 100% right, because users are very
lazy; they don't want to think. The social effect is the biggest hole in
every security system.
So what do you propose, Mark? Setting only a minimum length of 12-15 signs
and leaving users to choose which signs they want to use to make their
passphrase?

> -Mark

- --
Paweł Madej aka Nysander
Member of QuanTeam | RLU #357047
http://wiki.quanteam.info | Gentoo Linux User
http://forum-farmaceutyczne.org | GPG key: 5861680B
| keyserver: http://pgp.mit.edu
Kielce, Poland | UTF-8 Email Preferred

Looking to buy: 6x 73 GB UW3/Ultra160 SCSI 80 pin (SCA)
..::||::.. pair of PentiumIII Slot1 1GHz/ FSB 100 processors
..::||::.. 2x 256 MB SDRAM ECC Registered
Got any of this? Mail me, with price and shipping costs.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDzUYngvSMglhhaAsRAnyPAKCEXQnSKxXmJ8yEYUeRakL96YbgjQCgkXkT
9G/LmnG19hEiCyEsep6HzIw=
=nLDz
-----END PGP SIGNATURE-----
--
gentoo-server@g.o mailing list
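The keyspace argument in this exchange (Mark's point that composition rules shrink the 8-character space, and Paweł's comparison with a 12-letter passphrase) can be settled by counting. This is an added example, not code from the thread; it assumes the 95 printable ASCII characters split into 26 lower, 26 upper, 10 digits and 33 specials, and encodes Mark's rule as "at least 2 upper, 2 digits, 2 specials".

```python
from math import comb, log2

# Constructed assumption: the 95 printable ASCII characters split into four
# classes; only the class sizes matter for counting.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

def compositions(n, k):
    """Yield every k-tuple of non-negative integers summing to n."""
    if k == 1:
        yield (n,)
        return
    for first in range(n + 1):
        for rest in compositions(n - first, k - 1):
            yield (first,) + rest

def multinomial(n, counts):
    """Ways to assign n positions to groups of the given sizes."""
    ways, remaining = 1, n
    for c in counts:
        ways *= comb(remaining, c)
        remaining -= c
    return ways

def count_passwords(length, minimums):
    """Strings of `length` chars over CLASSES with at least minimums[c] chars
    of class c (unlisted classes: no minimum). No minimums gives 95**length."""
    names = list(CLASSES)
    total = 0
    for counts in compositions(length, len(names)):
        if any(counts[i] < minimums.get(name, 0) for i, name in enumerate(names)):
            continue  # this class mix violates the policy
        ways = multinomial(length, counts)
        for i, name in enumerate(names):
            ways *= CLASSES[name] ** counts[i]
        total += ways
    return total

def compare_policies():
    """Keyspace and bits of entropy for the policies discussed in the thread."""
    policies = {
        "any8": count_passwords(8, {}),
        "constrained8": count_passwords(8, {"upper": 2, "digit": 2, "special": 2}),
        "alpha12": 52 ** 12,  # 12 characters, letters only
        "any15": 95 ** 15,    # 15 characters, any printable character
    }
    return {name: (n, round(log2(n), 1)) for name, n in policies.items()}

if __name__ == "__main__":
    for name, (n, bits) in compare_policies().items():
        print(f"{name:>12}: {n:.3e} possibilities, {bits} bits")
```

The constrained 8-character count is strictly smaller than the unconstrained one, and the 12-letter passphrase beats both by orders of magnitude; the difference an attacker cares about is the bits column.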