[TriLUG] Securely and Accurately transmit passwords

Jim Ray jim at neuse.net
Tue Oct 2 10:32:28 EDT 2007


A pass phrase, as opposed to a password, may be easier to remember and satisfy the need for length and complexity.

For example, MyDogsIsRover would give you a mix of upper and lower case letters plus length. It would be a better password than simply rover.
 
Regards,
 
Jim
 
Jim Ray, President
Neuse River Networks
tel: 919-838-1672 cell: 919-606-1772
http://www.NeuseRiverNetworks.com
 
Connecting You to the World since 1997
 
Specializing in the design, sales, installation, and support of today's technology for small to mid-sized markets, we also focus on both commercial and industrial networks for PCs and phones. Now in our tenth year, the company began with deploying video, voice and data communications systems in the Triangle region, which we continue to do today. 

________________________________

From: trilug-bounces at trilug.org on behalf of jonc at nc.rr.com
Sent: Tue 10/2/2007 8:42 AM
To: Triangle Linux Users Group General Discussion
Cc: Chris Knowles
Subject: Re: [TriLUG] Securely and Accurately transmit passwords



I agree 100% with Chris. Having a password no one can guess *but* no one can remember is useless.
Rule #1 when I generate a secure password is that it has to be simple to memorize.
Rule #2 is that it has to be hard to guess.

We generally use simple phrases with numbers or symbols mixed in for spaces and other characters. This has worked for over a decade. The only problem being that I still remember most of the passwords generated over that decade!

Jon (elephant head) Carnes

BTW: given the choice of sending the PW in email or having the PW displayed on a card taped to the laptop, I would choose email :-)


---- Chris Knowles <chrisk at trilug.org> wrote:
> This is a very good point.
>
> I *almost* wouldn't blame them if the passwords were of the form
> "s2Adf3#5^@"
>
> However, as directed by on high, I'm not allowed to set the passwords
> that evilly.
>
> Instead I use a diceware (http://www.diceware.com/) type scheme to
> generate the passwords.
>
> Two words, with a symbol or space between them.
>
> Thus, a typical password is "solemn+stony" (Just rolled that one up)
>
> While a little longer than the 6 char we require, it's much easier to
> remember than a completely random password, and has a good level of
> entropy.
>
> Well, much better than the name of their dog with a single digit after
> it.
>
> As an aside, diceware is a really nice way to generate longer
> passphrases that you can actually remember.
>
> CJK
>
> On Tue, 2007-10-02 at 15:02 +1000, Jeremy Portzer wrote:
> > Chris Knowles wrote:
> >
> > > Recently we've started seeing that they've taken these cards, taped them
> > > into their laptops in plain sight.  (And occasionally annotated them
> > > with much too much information as to what that password would buy you.)
> > >
> > > Since the passwords are complex, phone conversations tend to lead to a
> > > lot of phonetic spelling and shouting. 
> >
> > Maybe the problem is the passwords are TOO complex requiring all but the
> > most anal sysadmin to refer to a written reference?  Maybe you could
> > consider simplifying them a bit so people can more easily remember them?
> >   E.g. something like "2 of the 3:  digit, capital letter, or symbol."
> > Something like "Must contain at least 2 of each:  digit, capital
> > letters, and symbols" is much harder to deal with.
> >
> > Also, do users pick their passwords or do you pick them arbitrarily?
> >
> > There are a lot of 'social' aspects to password complexity schemes that
> > are interesting to study.  I don't know the state-of-the-art here.
> >
> > --Jeremy

--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
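
A sketch of the diceware-type scheme described in the thread (two words with a symbol or space between them), with the entropy arithmetic worked out. This is an added example, not code from anyone in the thread; the 36-word list, the separator set and the function names are constructed for illustration, and the printed figures assume the 7776-word Diceware list with every word and separator chosen uniformly at random.

```python
import math
import secrets

# Constructed 36-word sample list (6**2 entries, two dice per word) so the block
# runs offline. The real Diceware list has 6**5 = 7776 words (five dice per word).
SAMPLE_WORDS = (
    "solemn stony amber brisk cedar delta ember fjord gavel hazel ivory jolly "
    "kiosk lemon maple noble ocean pearl quilt raven sable tulip umber vivid "
    "walnut xenon yacht zesty acorn birch coral dusk elm flint grove heron"
).split()
SEPARATORS = "+-=!#$%&*@ "  # assumed separator set: ten symbols plus space


def roll_word(words):
    """Pick one word by simulated dice rolls, as a Diceware lookup would."""
    dice = round(math.log(len(words), 6))
    if 6 ** dice != len(words):
        raise ValueError("word list length must be a power of 6")
    index = 0
    for _ in range(dice):
        index = index * 6 + secrets.randbelow(6)  # one fair die, 0..5
    return words[index]


def generate(words=SAMPLE_WORDS, n_words=2, separators=SEPARATORS):
    """Words joined by a random symbol or space, e.g. 'solemn+stony'."""
    out = roll_word(words)
    for _ in range(n_words - 1):
        out += secrets.choice(separators) + roll_word(words)
    return out


def entropy_bits(list_size, n_words=2, n_separators=len(SEPARATORS)):
    """Entropy in bits when words and separators are chosen uniformly."""
    return n_words * math.log2(list_size) + (n_words - 1) * math.log2(n_separators)


def random_string_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random string such as 's2Adf3#5^@'."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate())
    print(f"2 words from 7776 + separator:  {entropy_bits(7776):.1f} bits")
    print(f"4 words from 7776 + separators: {entropy_bits(7776, 4):.1f} bits")
    print(f"10 random printable chars (94): {random_string_bits(94, 10):.1f} bits")
```

The entropy figures hold only when the dice (or a CSPRNG such as `secrets`) make the choice; a phrase a person picks from memory does not get the same count.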



