suse@rio.vg wrote:
John Andersen wrote:
On Monday 31 July 2006 16:42, suse@rio.vg wrote:
Forcing people to keep changing passwords has one single effect: people will write them down. I was hoping someone would point that out.
One longer (unchanging) password (more than ten characters) is harder to guess than a monthly changing short one, which EVERY user changes via an easily discernable pattern.
Even one step better is the idea of "passphrases" rather than passwords. It's much easier for someone to remember a simple phrase than "k4M3.HhZ". If you have, for instance, someone enamored of a certain Chicago sports team, their passphrase could be "Da'Bears are Da'Bestest!" If someone has a poor memory for things, have them pick something that rhymes or a mnemonic.
I take this one step further: take a longer phrase and use the first character of each word. Throw in some type of punctuation. Do the typical substitutions and you can generate a relatively obscure password. "There are 11 players on a football team and 9 on a baseball team." gives Ta11poafta9oabt.
To be honest, though, I haven't seen a real dictionary attack in many years. Mostly, it's people knocking on port 22 looking for a passwordless account. (Or ones with the password "password" or "guest")
I'd say that's just a very small dictionary they're working from. :)
--
Until later, Geoffrey

Any society that would give up a little liberty to gain a little security will deserve neither and lose both. - Benjamin Franklin
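The first-letter-of-each-word derivation described in the thread, as an added example that is not part of any message above. It reproduces the "11 players / 9 on a baseball team" case (numbers kept whole, trailing punctuation carried over) and adds an optional substitution table; the particular table used here is my assumption, since the thread only says "the typical substitutions". The bit-count helper is also my own, a plain brute-force keyspace estimate (length times log2 of the character classes present), which is what the "longer beats shorter" argument in the thread is about; it says nothing about how guessable a password is when an attacker knows the phrase.

```python
import math
import re
import string

# Assumed "typical substitutions"; the thread does not specify a table.
DEFAULT_SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def phrase_to_password(phrase, substitutions=None):
    """Collapse a memorable phrase into a password the way the post describes:
    first character of each word, whole numbers kept as-is, punctuation kept
    verbatim, then an optional per-character substitution pass."""
    # Tokens: runs of digits, words (apostrophes allowed, e.g. Da'Bears),
    # or a single punctuation character.
    tokens = re.findall(r"\d+|[A-Za-z']+|[^\w\s]", phrase)
    parts = []
    for tok in tokens:
        if tok.isdigit():
            parts.append(tok)        # keep "11" and "9" whole
        elif tok[0].isalpha():
            parts.append(tok[0])     # first letter of the word
        else:
            parts.append(tok)        # punctuation carried over
    password = "".join(parts)
    if substitutions:
        password = "".join(substitutions.get(c, c) for c in password)
    return password


def brute_force_bits(password):
    """Naive keyspace estimate: length * log2(size of the character classes
    actually present). Measures resistance to blind brute force only, not to
    an attacker who knows the phrase or the derivation rule."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    phrase = "There are 11 players on a football team and 9 on a baseball team."
    plain = phrase_to_password(phrase)
    subbed = phrase_to_password(phrase, DEFAULT_SUBSTITUTIONS)
    print(plain, round(brute_force_bits(plain), 1))
    print(subbed, round(brute_force_bits(subbed), 1))
    # Compare with the short random-looking example from the thread.
    print("k4M3.HhZ", round(brute_force_bits("k4M3.HhZ"), 1))
```

The substitution pass is applied to the derived string, not the phrase, so only letters that survive the first-character step are changed; run with `substitutions=None` to get exactly the form shown in the thread.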