Geeks With Blogs


Andy Johns' Blog Andy's twisted brain....

My virtual co-worker Jason Bock pointed me to this Robert Hensing blog post about pass-phrases.....

I first learned of the pass-phrase concept a year or two ago, and all I can say is YES! Network admins, change your security requirements: dump those "max" values from your passwords (some networks I've been on limit you to only 8 or 10 characters.... what's the point?), and I'd dump those obscure caps, numeric, and punctuation requirements too once the password is longer than 20 or 25 characters. A maximum length is the one rule that actively weakens a password, since every extra character multiplies the space an attacker has to search, while the character-class rules only nudge the size of the alphabet.

As I've often mentioned, I'm a consultant and I see a lot of crap out in the wild. By far the most annoying crap I see is around passwords. The more paranoid the network admins (or security council, or board, or whoever sets the rules), the more obscure the passwords must be, and the more often they need to be changed. What these people fail to realize is that the average worker just wants to do their job, and can't remember Syz8#K3! as a password. So what do they do? Out comes the post-it note on the desk, or in the drawer, or under the keyboard, or the file on the desktop called "passwords.txt". Some workers try to be smart by leaving out a letter or writing it backwards.... but still, if your password is so hard to remember that you have to write it down, then you have no security at all, and a significant portion of your support staff and costs must be spent resetting passwords.

A pass-phrase of "this is my password and it's for my eyes only" is far easier to remember than Syz8#K3!, is also far more secure, and takes nearly the same amount of time to type. If you need more security, throw in a few caps or numbers: "My address is 1234 Main street" or "Jenny's number is 867-5309". Yes, I'm breaking rules about not including personal information in a password, but remember: 1) these are examples, and 2) a pass-phrase is different. A password of "Chris" because your son's name is Chris is a bad password, but a password of "My oldest son's name is Chris and he is 10 years old" is a good password, because the name is only one of twelve words and the sentence as a whole is something an attacker has no list of.....
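Here is an added example (mine, not code from the original post or from Robert Hensing) that turns the two points above into something you can run: a policy check with no maximum length that waives the caps/numeric/punctuation rules once the password is long enough to count as a pass-phrase, plus two rough strength estimates comparing Syz8#K3! with the sample pass-phrase. The 8-character minimum, the 20-character pass-phrase threshold, and the 10,000-word vocabulary in the guessing model are assumptions of the example, not numbers from the post.

```python
import math

# Added example, not from the original post. Policy thresholds are assumed:
# the post suggests 20 or 25 characters as the point where complexity rules
# can be dropped; the minimum length is my choice.
MIN_LENGTH = 8
PASSPHRASE_LENGTH = 20

# Alphabet sizes per character class for the brute-force estimate
# (printable ASCII: 26 + 26 + 10 + 33 = 95).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 33}


def char_classes(pw: str) -> set:
    """Return the set of character classes that appear in pw."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("other")  # punctuation, space, anything else
    return classes


def check_policy(pw: str) -> tuple:
    """Accept or reject pw under a length-first policy: no maximum length,
    and complexity rules apply only below the pass-phrase threshold.
    Returns (ok, reason)."""
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(pw) >= PASSPHRASE_LENGTH:
        # Long enough to be a pass-phrase: length alone carries the strength.
        return True, "pass-phrase accepted on length alone"
    if len(char_classes(pw)) < 3:
        return False, "short password needs 3 of: lower, upper, digit, punctuation"
    return True, "short password meets complexity rules"


def brute_force_bits(pw: str) -> float:
    """Size in bits of the space an attacker must search if they try every
    string of pw's length over the classes pw uses. An upper bound."""
    if not pw:
        return 0.0
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet)


def word_guessing_bits(pw: str, vocabulary: int = 10000) -> float:
    """Pessimistic estimate for a phrase: the attacker knows it is built from
    common words and tries every combination of `vocabulary` words.
    10,000 is an assumed vocabulary size, not a measured one."""
    words = pw.split()
    if not words:
        return 0.0
    return len(words) * math.log2(vocabulary)


if __name__ == "__main__":
    # Sample candidates, including the two from the post.
    for candidate in ["Syz8#K3!",
                      "this is my password and it's for my eyes only",
                      "Chris",
                      "chrisjohns"]:
        ok, reason = check_policy(candidate)
        print("%-48r ok=%-5s %s" % (candidate, ok, reason))
        print("    brute force: %6.1f bits   word guessing: %6.1f bits"
              % (brute_force_bits(candidate), word_guessing_bits(candidate)))
```

Even under the pessimistic model, where the attacker knows the phrase is nothing but common words, the ten-word phrase comes out at roughly 133 bits against about 53 bits for the eight-character "complex" password, which is why trading complexity rules for length holds up. Both numbers are upper bounds on attacker effort: a phrase lifted from a song lyric, a famous quote or a public profile is in attacker wordlists and is worth far less than either calculation suggests, so the sentence has to be your own.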

Pass-phrases, it's a good thing....

-Andy

Posted on Wednesday, July 28, 2004 11:29 AM


Comments on this post: Pass phrases

# Passwords vs. Pass Phrases
Microsoft security guru Robert Hensing hit a home run his first time at bat with his very first blog post. In it, he advocates that passwords, as we traditionally think of them, should not be used: So here's the...
Left by Coding Horror on Jul 18, 2005 1:35 AM



Copyright © Andy Johns | Powered by: GeeksWithBlogs.net