suse@rio.vg wrote:
> Geoffrey wrote:
>> I take this one step further: take a longer phrase and use the first character of each word. Throw in some type of punctuation. Do the typical substitutions and you can generate a relatively obscure password:
>> There are 11 players on a football team and 9 on a baseball team.
>> Ta11poafta9oabt.
> It's clever and nifty, but users hate it. You see, it means that every time they type in their password, they have to think about it, and will frequently make typing errors, increasing frustration as they run through it constantly wondering if they maybe missed a letter or mistyped, since they can't see what they're typing. For a tech, it's a good system; for the average user, they hate it.
Then they should get over it. Come on, it's not all that difficult. If you're going to have a long password, it's best to have a way to remember it. My 15-year-old daughter uses this approach, and if she can do it, I'd suggest any adult should. Let's face it, there's not an easy way of forcing good passwords. Create a policy that works, even if it's a bit painful. That's certainly better than the sticky-note approach, or the "password is their dog's name" solution.
> This comes back to the initial problem: security is a human issue. The more difficult/time-consuming/annoying it is for the user, the better the chance that it will simply be circumvented.
Agreed, but I don't see the above solution as nearly as difficult as forced password changes or the other solutions proposed. This one I see as at least workable. That is, they'll complain, but they'll get used to it.
> To be honest, though, I haven't seen a real dictionary attack in many years. Mostly, it's people knocking on port 22 looking for a passwordless account (or ones with the password "password" or "guest"). I'd say that's just a very small dictionary they're working from. :)
Vocabulary isn't their strong point. :)
--
Until later, Geoffrey

Any society that would give up a little liberty to gain a little security will deserve neither and lose both. - Benjamin Franklin
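The construction Geoffrey describes (first character of each word, numbers kept whole, sentence punctuation kept), together with the "very small dictionary" the reply says port-22 scanners actually work from, is small enough to put in a policy check. The following is an added example written for this page, not code posted by either participant. The minimum length of 12 and the three-character-class rule are assumptions for the check; the thread gives no numbers, and the word list is constructed from the reply's own text (empty password, "password", "guest").

```python
"""Mnemonic password construction as described in the thread, plus a
defender-side check against the tiny dictionary the reply mentions.
Added example for this page; not code from the thread."""
import string
from typing import Optional

# The words the reply says scanners on port 22 try: no password,
# "password", "guest". Constructed from the thread's text.
TINY_DICTIONARY = {"", "password", "guest"}

# Assumed policy values; the thread does not state any.
MIN_LENGTH = 12
MIN_CLASSES = 3


def mnemonic_password(phrase: str) -> str:
    """Build a password the way the thread describes: first character of
    each word, numeric words kept whole, sentence punctuation kept where
    it falls. Reproduces the thread's own example exactly."""
    parts = []
    for token in phrase.split():
        core = token.rstrip(string.punctuation)   # "team." -> "team"
        trailing = token[len(core):]              # the "." just stripped
        if core.isdigit():
            parts.append(core)                    # "11" stays "11"
        elif core:
            parts.append(core[0])                 # "players" -> "p"
        parts.append(trailing)                    # re-attach punctuation
    return "".join(parts)


def weakness(candidate: str) -> Optional[str]:
    """Return why the candidate would fall to the small-dictionary scan
    the reply describes, or None if it passes this minimal check.
    The dictionary match is case-insensitive, as scanners' lists are."""
    if candidate.lower() in TINY_DICTIONARY:
        return "in the small dictionary scanners use"
    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < MIN_CLASSES:
        return f"fewer than {MIN_CLASSES} character classes"
    return None


if __name__ == "__main__":
    phrase = "There are 11 players on a football team and 9 on a baseball team."
    pw = mnemonic_password(phrase)
    print(pw, "->", weakness(pw) or "passes")
    # "Rover1" stands in for the "dog's name" password Geoffrey mentions.
    for weak in ("", "password", "guest", "Rover1"):
        print(repr(weak), "->", weakness(weak))
```

The point of `weakness` is that the thread's own example clears every hurdle the reply describes, while the dog's-name style password fails on length alone before any dictionary is consulted; the check is deliberately minimal and says nothing about how hard the phrase itself is to guess.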