On 04/16/2011 04:31 PM, Shane Hathaway wrote:
> On 04/16/2011 03:49 PM, Andy Bradford wrote:
>> Thus said Shane Hathaway on Sat, 16 Apr 2011 12:41:31 MDT:
>>
>>> I want to include this idea in the password meters I create for web
>>> applications. I need a better password scoring algorithm. I don't want
>>> to *require* any minimum password complexity (other than a minimum
>>> password length), but I do want to help the user choose a good
>>> password.
>>
>> Inform them of the risks of using a bad password and what kinds of
>> information will be compromised due to a bad password, let them make
>> their own risk assessment. Offer a button that says ``Generate a secure
>> password for me,'' and then call apg -a 1 -M SLNC (or whatever options
>> you think are good for your applications), serve it up to them over SSL,
>> and see if they take it. If this isn't enough to convince them to use a
>> stronger password, then they have been warned.
>
> Hmm, "apg -a 1 -M SLNC" produces:
>
> K`4i-&]r
> <*Xe>o]4
> ,ru7V;RO}x
> CFp<7xY[?
> K,$q42lC<Y
> C3@-*TD\k
>
> These are all insecure passwords because nearly everyone will write them
> down. Maybe you're saying we should scare people into using better
> passwords, but I suggest people don't react well to being frightened.
>
> I want to achieve better security by leveraging more human strengths.
> In particular, I think we humans are very good at handling words, while
> we are not as good at handling individual characters. We can't easily
> treat our linguistic memory as digital.
>
> Shane
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */

We had a big discussion on password security and SSO back when I was in
college. We came to the same conclusion that the best passwords were also
the riskiest to use for the greater risk of physically compromising the
password.
One of my classmates favored an easy-to-remember keyboard combination like
5tgbBGT%. Not the best as far as randomness or patterns, but easy to
remember. I came up with using the make or model of a familiar device, car,
plane, chainsaw, whatever, and substituting a couple of the letters for
symbols to increase the strength.

20GBIntelSSD -> 20GB!nt3l$$D

Still fairly easy to remember and quite secure.

--Henry
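One way to build the word-aware meter Shane asks for, as an added example that is not from the thread: a toy scorer that charges a dictionary hit (after undoing case and the kind of symbol substitution Henry uses) far less than the same characters would cost if they were random, and reports the split so a user can see why. The word list, the substitution table and the one-bit-per-disguised-character rule are illustrative assumptions, not a published algorithm.

```python
import math
import string

# Constructed sample word list (assumption: a real meter would load a large
# dictionary; these entries exist only so the example runs offline).
WORDS = {"intel", "ssd", "gb", "password", "chainsaw", "penguin"}

# Substitutions that cracking rule sets undo for free, so each one is
# charged about one bit rather than a full symbol's worth (assumption).
LEET = str.maketrans({"!": "i", "1": "i", "3": "e", "4": "a", "@": "a",
                      "$": "s", "5": "s", "0": "o", "7": "t"})


def charset_bits(pw):
    """Naive meter: every character drawn uniformly from the classes present."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    size = sum(n for test, n in classes if any(test(c) for c in pw))
    return len(pw) * math.log2(size) if size else 0.0


def normalize(s):
    """Undo case and leet substitutions so a disguised word matches the list."""
    return s.lower().translate(LEET)


def word_aware_bits(pw, words=WORDS):
    """Word-aware meter: a dictionary hit costs log2(len(words)) plus one bit
    per disguised character; whatever is left over is scored by charset_bits.
    Returns (bits, tokens) so the caller can show the user what was found."""
    bits, tokens, leftover, i = 0.0, [], "", 0
    while i < len(pw):
        hit = ""
        for j in range(len(pw), i, -1):          # longest match first
            if normalize(pw[i:j]) in words:
                hit = pw[i:j]
                break
        if hit:
            disguise = sum(a != b for a, b in zip(hit, normalize(hit)))
            bits += math.log2(len(words)) + disguise
            tokens.append(hit)
            i += len(hit)
        else:
            leftover += pw[i]                      # scored as random below
            i += 1
    bits += charset_bits(leftover)
    return bits, tokens
```

On Henry's "20GB!nt3l$$D" the naive meter reports roughly 79 bits while the word-aware one finds three disguised words and reports about 21; the apg output "K`4i-&]r" matches nothing and scores the same under both.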