[clue] My password rant

chris fedde chris at fedde.us
Thu Aug 11 14:41:07 MDT 2011


We Linux enthusiasts are a minority when it comes to password
selection.  We often take care about the password we pick.  Most
people don't.  The main problem with the current username/password use
case is social, not technical.  Most people are not Linux enthusiasts.
Most people don't care about their passwords.  They share them, they
pick bad ones, they reuse them, and they forget them.  And it is
impossible to train the average person to use a reasonable password, or
to come up with a way of using a different password on each platform.

The social problems with passwords are not going away.  A different
authentication scheme needs to be adopted.  SecureID, thumb print
scanners and other dongles are one approach that has not proven
effective yet.  Others involve sms confirmation loops or other back
channel verification schemes.

I'm convinced of one thing though.  Good universal password management
is a pipe dream.

chris



On Thu, Aug 11, 2011 at 1:26 PM, Dan Kulinski <daniel at kulinski.net> wrote:
> Alright, let's go down the rabbit hole a little deeper and hopefully give
> you things to think about.
>
> The word chosen as the basis for the complex password was something
> uncommon.  This is to deter easy brute force attempts and may have had some
> meaning to the user.  After that has been established a common letter-number
> substitution is used.  Finally at the end of the password is a common set of
> punctuation and a number.  There is a formulated pattern to this password.
> Now cracking it becomes that much easier.  We look for uncommon words in the
> speaker's native language with at least 6 characters.  We run it through a
> simple substitution algorithm and append a set of punctuation and numerals
> to the end.
>
> Entropy in cryptography is the amount of information that is unknown and
> must be guessed.  Most corporate password standards are the following:
>
> At least 8 characters with at least one selection from each of the following
> categories:
> -Capital letter
> -Numeral
> -Special character
>
> It can't contain the following:
> -Username
> -company name
> -Can't use a dictionary word
>
> Generally what you find are things like Psswrd123 or Asdf1234, simple things
> to get through the filter.  So, are we really increasing security?  The
> tighter the rules the more formulaic things tend to become.  When a password
> expiration is done you will see the first example move to something like
> Psswd124 and that last number incrementing until they can reuse old
> passwords.
>
> The comic is very interesting and thought provoking.  Hopefully it does make
> you think about your passwords and how you use them.  Not every system I use
> allows spaces so I stick to a few patterns based off of books I have read.
> Usually a memorable quote and never the book title.  And of course, this
> doesn't even start to talk about password reuse on multiple sites.
>
> Thanks for the discussion and dissecting this comic so thoroughly.
>
> Dan
>
> _______________________________________________
> clue mailing list: clue at cluedenver.org
> For information, account preferences, or to unsubscribe see:
> http://cluedenver.org/mailman/listinfo/clue
>
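The rule-based attack Dan describes above (uncommon word, letter-for-symbol substitution, then a punctuation mark and a digit appended) is easy to turn into a candidate generator, and doing so makes the entropy point concrete. The following is an added example written for this archive page; it is not code from either poster. The word list, the substitution table, the punctuation set, the username/company values and the target password are all constructed for the demonstration, and the policy check implements the corporate rules exactly as Dan lists them.

```python
import hashlib
import itertools
import math
import string

# Constructed stand-in for "uncommon words with at least 6 characters"
# in the target's language.  A real run would load a large dictionary.
WORDLIST = ["hypnotic", "quixotic", "zephyr", "ramble", "lantern",
            "obelisk", "truffle", "saffron", "verdant", "cobalt"]

# Common letter-to-symbol substitutions (assumed table, applied to every
# occurrence, which is what a formulaic password does).
SUBST = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})

PUNCT = "!@#$%^&*"      # assumed set of trailing punctuation marks
DIGITS = string.digits  # trailing single digit


def mangle(word):
    """Capitalise the word and apply the substitution table."""
    return word.capitalize().translate(SUBST)


def candidates(words=WORDLIST, punct=PUNCT, digits=DIGITS):
    """Yield every password the pattern can produce: word + punct + digit."""
    for word in words:
        if len(word) < 6:
            continue
        base = mangle(word)
        for p, d in itertools.product(punct, digits):
            yield f"{base}{p}{d}"


def keyspace_bits(n_words, n_punct=len(PUNCT), n_digits=len(DIGITS)):
    """Entropy of the pattern: log2 of the number of candidates it can make."""
    return math.log2(n_words * n_punct * n_digits)


def random_bits(length, alphabet=95):
    """Entropy of a uniformly random password over `alphabet` symbols."""
    return length * math.log2(alphabet)


def passes_policy(pw, username="dan", company="acme", dictionary=WORDLIST):
    """The corporate policy from the thread: 8+ chars, a capital, a numeral,
    a special character, and no username, company name or dictionary word."""
    lowered = pw.lower()
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw)
            and username.lower() not in lowered
            and company.lower() not in lowered
            and not any(w in lowered for w in dictionary))


def crack(target_sha256, words=WORDLIST):
    """Walk the pattern's keyspace until a candidate hashes to the target.
    Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for attempts, cand in enumerate(candidates(words), 1):
        if hashlib.sha256(cand.encode()).hexdigest() == target_sha256:
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed target: a password built exactly by the pattern.
    target = hashlib.sha256(b"Hypn0t1c!7").hexdigest()
    found, n = crack(target)
    print(f"recovered {found!r} after {n} guesses")
    print(f"all candidates pass policy: {all(map(passes_policy, candidates()))}")
    print(f"pattern keyspace, 10 words:      {keyspace_bits(10):.1f} bits")
    print(f"pattern keyspace, 100000 words:  {keyspace_bits(100_000):.1f} bits")
    print(f"random 10-char printable:        {random_bits(10):.1f} bits")
```

Every candidate the generator emits satisfies the listed policy, yet with a ten-word list the whole space is under ten bits, and even a hundred-thousand-word dictionary only brings the pattern to about 23 bits, against roughly 66 bits for ten truly random printable characters. The policy filters the form of the password, not the process that produced it, which is the point of the thread.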

