John Andersen wrote:
On Monday 31 July 2006 16:42, suse@rio.vg wrote:
forcing people to keep changing passwords has one single effect: People will write them down.
I was hoping someone would point that out.
One longer (unchanging) password (more than ten characters) is harder to guess than a monthly changing short one, which EVERY user changes via an easily discernible pattern.
Even one step better is the idea of "passphrases" rather than passwords. It's much easier for someone to remember a simple phrase than "k4M3.HhZ". If you have, for instance, someone enamored of a certain Chicago sports team, their passphrase could be "Da'Bears are Da'Bestest!" If someone has a poor memory for things, have them pick something that rhymes or a mnemonic. To be honest, though, I haven't seen a real dictionary attack in many years. Mostly, it's people knocking on port 22 looking for a passwordless account. (Or ones with the password "password" or "guest".)