Agreed. Just pointing out that in an office with doors and walls and other various physical security measures, sticky note passwords aren't *necessarily* as horrible an idea as we like to joke about.
Sent from my Windows Phone ________________________________ From: Andrew S. Baker Sent: 3/15/2012 5:26 PM To: NT System Admin Issues Subject: Re: Worth some consideration... I'd rather not accept a false dilemma. There is no reason to have either of the options presented, as both are bad. ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market… On Thu, Mar 15, 2012 at 2:49 PM, Crawford, Scott <crawfo...@evangel.edu<mailto:crawfo...@evangel.edu>> wrote: I'd rather have "good" passwords written down on a sticky note accessible only to a limited number of coworkers than "bad" passwords that can be exploited by any black-hat on the internet. Sent from my Windows Phone ________________________________ From: Heaton, Joseph@DFG Sent: 3/15/2012 11:07 AM To: NT System Admin Issues Subject: RE: Worth some consideration... Wait… I’m NOT supposed to write my password on a sticky note? How am I supposed to let my coworker use my login, then? Joe Heaton ITB – Windows Server Support From: Andrew S. Baker [mailto:asbz...@gmail.com<mailto:asbz...@gmail.com>] Sent: Thursday, March 15, 2012 7:49 AM To: Heaton, Joseph@DFG; NT System Admin Issues Subject: Re: Worth some consideration... That's an implementation problem. If I choose a passphrase of "Mary had a little lamb" then of course that will be relatively weak as passphrases go. That that is not an inherent weakness of passphrases, but of people. Lots of things are undermined by poor choices. Completely random 20 character passwords with a unicode character set are undermined by having them posted on sticky notes. We didn't need a whole article to point that out. ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of Technology for the SMB market… On Thu, Mar 15, 2012 at 10:12 AM, Kurt Buff <kurt.b...@gmail.com<mailto:kurt.b...@gmail.com>> wrote: http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars By Dan Goodin Ars Technica March 14, 2012 Passwords that contain multiple words aren't as resistant as some researchers expected to certain types of cracking attacks, mainly because users frequently pick phrases that occur regularly in everyday speech, a recently published paper concludes. Security managers have long regarded passphrases as an easy-to-remember way to pack dozens of characters into the string that must be entered to access online accounts or to unlock private encryption keys. The more characters, the thinking goes, the harder it is for attackers to guess or otherwise crack the code, since there are orders of magnitude more possible combinations. But a pair of computer scientists from Cambridge University has found that a significant percentage of passphrases used in a real-world scenario were easy to guess. Using a dictionary containing 20,656 phrases of movie titles, sports team names, and other proper nouns, they were able to find about 8,000 passphrases chosen by users of Amazon's now-defunct PayPhrase system. That's an estimated 1.13 percent of the available accounts. The promise of passphrases' increased entropy, it seems, was undone by many users' tendency to pick phrases that are staples of the everyday lexicon. "Our results suggest that users aren't able to choose phrases made of completely random words, but are influenced by the probability of a phrase occurring in natural language," researchers Joseph Bonneau and Ekaterina Shutova wrote in the paper (PDF), which is titled "Linguistic properties of multi-word passphrases." "Examining the surprisingly weak distribution of phrases in natural language, we can conclude that even 4-word phrases probably provide less than 30 bits of security which is insufficient against offline attack," the paper says. [...] ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
