Andy Johns' Blog: Andy's twisted brain....

My virtual co-worker Jason Bock pointed me to this Robert Hensing blog about pass-phrases.....

I first learned of the pass-phrase concept a year or two ago, and all I can say is YES! Network admins, change your security requirements, dump those "max" values from your passwords (some networks I've been on limit you to only 8 or 10 characters.... what's the point!), and I'd dump those obscure caps, numeric, and punctuation requirements too if the password is longer than 20 or 25 characters.....

As I've often mentioned, I'm a consultant and I see a lot of crap out in the wild. By far the most annoying crap I see is around passwords. The more paranoid the network admins (or security council, or board, or whoever sets the rules), the more obscure the passwords must be, and the more often they need to be changed. What these people fail to realize is that the average human worker just wants to do their job, and can't remember Syz8#K3! as a password. So what do they do.... Out comes the post-it note on the desk, or in the drawer, or under the keyboard, or the file on the desktop called "passwords.txt". Some workers try to be smart by leaving out a letter, or writing it backwards.... but still, if your password is so hard to remember that you have to write it down, then you have no security at all, and a significant portion of your support staff/costs must be spent dealing with resetting passwords.

A pass-phrase of "this is my password and it's for my eyes only" is far easier to remember than Syz8#K3!, is also far more secure, and takes nearly the same amount of time to type. Need more security? Throw in a few caps or numbers: "My address is 1234 Main street" or "Jenny's number is 867-5309". Yes, I'm breaking rules about not including personal information in a password, but remember, 1) these are examples, and 2) a pass-phrase is different. A password of "Chris" because your son's name is Chris is a bad password, but a password of "My oldest son's name is Chris and he is 10 years old" is a good password.....
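As an added illustration (not code from this post), here is a Python sketch of the policy argued for above: no maximum length, complexity required only below a pass-phrase length, a check against the kind of small wordlist the comments say worms ship with, and a rough search-space comparison of Syz8#K3! against the long phrase. The wordlist, the 8 and 20 character thresholds and the 20,000-word vocabulary are assumptions.

```python
import math
import string

# Constructed stand-in for the small wordlists the post's comments say worms
# ship with; a real deployment would load a far larger list (assumption).
COMMON_PASSWORDS = {"password", "123456", "letmein", "qwerty", "admin", "chris"}
MIN_LENGTH = 8      # shortest accepted secret (assumed value)
PHRASE_LENGTH = 20  # at or above this length the post drops complexity rules
# Deliberately no maximum length: the post argues "max" values serve no purpose.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "space": 1,
               "punct": len(string.punctuation)}

def char_classes(pw):
    """Return the set of character classes (keys of CLASS_SIZES) present in pw."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c == " ":
            classes.add("space")
        elif c in string.punctuation:
            classes.add("punct")
    return classes

def check_policy(pw):
    """Return (accepted, reason) for a candidate password or pass-phrase."""
    if pw.strip().lower() in COMMON_PASSWORDS:
        return False, "in common wordlist"   # trivially guessed by worm dictionaries
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) >= PHRASE_LENGTH:
        return True, "pass-phrase"           # length stands in for complexity
    if len(char_classes(pw) - {"space"}) < 3:
        return False, "short password needs 3 of: lower, upper, digit, punctuation"
    return True, "complex password"

def character_bits(pw):
    """Upper-bound search-space estimate: each position drawn uniformly from the
    union of the classes pw uses. It overstates phrases built from common words."""
    return len(pw) * math.log2(sum(CLASS_SIZES[k] for k in char_classes(pw)))

def word_bits(pw, vocabulary=20_000):
    """Estimate for a phrase of everyday words: one choice among `vocabulary`
    words per word (the vocabulary size is an assumption)."""
    return len(pw.split()) * math.log2(vocabulary)
```

Even the conservative per-word figure for the ten-word phrase comes out well above the per-character figure for the eight-character password, which is the comparison the post is making.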

Pass-phrases, it's a good thing....

-Andy

Posted on Wednesday, July 28, 2004 11:29 AM


Comments on this post: Pass phrases

# Passwords vs. Pass Phrases
Microsoft security guru Robert Hensing hit a home run his first time at bat with his very first blog post. In it, he advocates that passwords, as we traditionally think of them, should not be used: So here's the...
Left by Coding Horror on Jul 18, 2005 1:35 AM

# re: Pass phrases
Interesting. I have thought about this as well. Glad to know that there are others who think like me when it comes to their online security.
- Johnny at Limos On The Strip
Left by Johnny on Mar 13, 2017 3:02 PM

# re: Pass phrases
So this is my first ever blog entry and seeing as how I'm a senior member of the PSS Security Incident Response team, you may think I've stopped taking my medication by opening with a title like the one above! Medication issues notwithstanding, it's true - you should NOT be using passwords of any kind. Why? For starters, passwords are ridiculously easy to guess or crack. Worms like Agobot / Phatbot / Polybot / SDBot / RBot (no I didn't write this one) all ship with dictionaries of passwords numbering in the hundreds and they can easily replicate to a system that has a password in this word list, and the miscreants are really good at keeping these wordlists up to date with passwords that they've cracked from other systems.
As an example of what I'm talking about check out Symantec's write-up of this little nasty that we encounter on my team just about every day:

- David at Abogados de accidentes (https://www.abogadosdeaccidentesflorida.com)
Left by David Shanks on Nov 18, 2017 12:49 AM



Copyright © Andy Johns | Powered by: GeeksWithBlogs.net