[TriLUG] Securely and Accurately transmit passwords
Steve Kuekes
steve at kuekes.homeip.net
Tue Oct 2 09:45:06 EDT 2007
I've been using apg which is a package that has a command to generate
random passwords that are gibberish, but pronounceable. The man page
documents how to make it use different algorithms to generate passwords.
I just run it a few times to find a password that I like.
jonc at nc.rr.com wrote:
> I agree 100% with Chris. Having a password no one can guess *but* no one can remember is useless.
> Rule #1 when I generate a secure password is that it has to be simple to memorize.
> Rule #2 is that it has to be hard to guess.
>
> We generally use simple phrases with numbers or symbols mixed in for spaces and other characters. This has worked for over a decade. The only problem being, that I still remember most of the passwords generated over that decade!
>
> Jon (elephant head) Carnes
>
> BTW: given the choice of sending the PW in email or having the PW displayed on a card taped to the laptop, I would choose email :-)
>
>
> ---- Chris Knowles <chrisk at trilug.org> wrote:
>
>>This is a very good point.
>>
>>I *almost* wouldn't blame them if the passwords were of the form
>>"s2Adf3#5^@"
>>
>>However, as directed by on high, I'm not allowed to set the passwords
>>that evilly.
>>
>>Instead I use a diceware (http://www.diceware.com/) type scheme to
>>generate the passwords.
>>
>>Two words, with a symbol or space between them.
>>
>>Thus, a typical password is "solemn+stony" (Just rolled that one up)
>>
>>While a little longer than the 6 char we require, it's much easier to
>>remember than a completely random password, and has a good level of
>>entropy.
>>
>>Well, much better than the name of their dog with a single digit after
>>it.
>>
>>As an aside, diceware is a really nice way to generate longer
>>passphrases that you can actually remember.
>>
>>CJK
>>
>>On Tue, 2007-10-02 at 15:02 +1000, Jeremy Portzer wrote:
>>
>>>Chris Knowles wrote:
>>>
>>>
>>>>Recently we've started seeing that they've taken these cards, taped them
>>>>into their laptops in plain sight. (And occasionally annotated them
>>>>with much too much information as to what that password would buy you.)
>>>>
>>>>Since the passwords are complex, phone conversations tend to lead to a
>>>>lot of phonetic spelling and shouting.
>>>
>>>Maybe the problem is the passwords are TOO complex requiring all but the
>>>most anal sysadmin to refer to a written reference? Maybe you could
>>>consider simplifying them a bit so people can more easily remember them?
>>> E.g. something like "2 of the 3: digit, capital letter, or symbol."
>>>Something like "Must contain at least 2 of each: digit, capital
>>>letters, and symbols" is much harder to deal with.
>>>
>>>Also, do users pick their passwords or do you pick them arbitrarily?
>>>
>>>There are a lot of 'social' aspects to password complexity schemes that
>>>are interesting to study. I don't know the state-of-the-art here.
>>>
>>>--Jeremy
>
>
--
Steve Kuekes
Insight Racing - Urban Grand Challenge('07) - http://www.insightracing.org
Private Pilot: N9259R '95 Saratoga based at Sanford-Lee County Regional
(TTA)
email: skuekes at nc.rr.com
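The two-word diceware-style scheme Chris describes above, and the entropy comparison he and Jeremy gesture at, as an added worked example in Python. This is not code from the thread or from the Diceware project. It assumes a short constructed word list standing in for the real 7776-word list, assumes the separator set for "a symbol or space between them" is the 13 characters in SEPARATORS, and assumes a crude attacker model (1000 common pet names times 10 digits) for the "dog's name with a digit after it" case.

```python
import math
import secrets

# Constructed stand-in for the real Diceware list, which has 6**5 == 7776
# entries indexed by five dice rolls. The two words from the thread are first.
SAMPLE_WORDS = [
    "solemn", "stony", "abbey", "bacon", "cabin", "dairy", "eager", "fable",
    "gable", "habit", "icing", "jelly", "kayak", "ladle", "mango", "noble",
    "olive", "paddle", "quilt", "raven", "saddle", "tango", "ultra", "vivid",
    "wagon", "xenon", "yacht", "zebra", "amber", "basil", "cider", "dune",
]
DICEWARE_LIST_SIZE = 6 ** 5          # 7776 words in the real list
# Assumed separator set for "a symbol or space between them" (13 choices).
SEPARATORS = " +-_.!@#$%^&*"
PRINTABLE_ASCII = 94                 # alphabet of a fully random password


def diceware_index(roll: str) -> int:
    """Map a five-dice roll '11111'..'66666' to a 0-based index into the list.

    Each die is one base-6 digit, most significant first, so every index
    0..7775 is reachable and equally likely for fair dice.
    """
    if len(roll) != 5 or any(ch not in "123456" for ch in roll):
        raise ValueError("roll must be five characters from '1'..'6'")
    idx = 0
    for ch in roll:
        idx = idx * 6 + (int(ch) - 1)
    return idx


def roll_dice(n: int = 5) -> str:
    """Simulate n fair dice with the OS CSPRNG (secrets), not random.random()."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def generate_passphrase(n_words: int = 2, wordlist=SAMPLE_WORDS,
                        separators: str = SEPARATORS,
                        randbelow=secrets.randbelow) -> str:
    """Chris's scheme: n words with one uniformly chosen separator between each.

    randbelow is injectable only so a test can make the output deterministic;
    real callers keep the secrets default.
    """
    words = [wordlist[randbelow(len(wordlist))] for _ in range(n_words)]
    seps = [separators[randbelow(len(separators))] for _ in range(n_words - 1)]
    out = words[0]
    for sep, word in zip(seps, words[1:]):
        out += sep + word
    return out


def diceware_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE,
                  n_separators: int = len(SEPARATORS)) -> float:
    """Entropy of n_words uniform word picks plus n_words-1 uniform separators."""
    return n_words * math.log2(list_size) + (n_words - 1) * math.log2(n_separators)


def random_password_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def dog_plus_digit_bits(n_names: int = 1000, n_digits: int = 10) -> float:
    """Assumed attacker model for 'dog's name plus a digit': n_names common
    pet names times n_digits trailing digits, tried exhaustively."""
    return math.log2(n_names * n_digits)


if __name__ == "__main__":
    roll = roll_dice()
    print(f"dice {roll} -> index {diceware_index(roll)} of {DICEWARE_LIST_SIZE}")
    print("passphrase from the sample list :", generate_passphrase())
    print(f"two words + separator, full list  : {diceware_bits(2):5.1f} bits")
    print(f"two words + separator, sample list: "
          f"{diceware_bits(2, len(SAMPLE_WORDS)):5.1f} bits")
    print(f"6 random printable chars          : {random_password_bits(6):5.1f} bits")
    print(f"10 random printable chars         : {random_password_bits(10):5.1f} bits")
    print(f"dog name + digit (assumed model)  : {dog_plus_digit_bits():5.1f} bits")
```

The numbers make the trade-off in the thread concrete: two full-list words plus a separator is about 29.6 bits, which is well above the assumed 13.3 bits for a pet name plus digit, but below the 39.3 bits of six uniformly random printable characters and far below the 65.5 bits of a ten-character string like the one Chris was told not to use. The 32-word sample list only reaches about 13.7 bits, which is why the word list size matters as much as the word count.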