On 25 Jul 2012, at 08:20, Ansgar Wiechers wrote:

> On 2012-07-25 mouss wrote:
>> On 24/07/2012 08:37, Stan Hoeppner wrote:
>>> You'd think human beings would be smart enough to follow directions
>>> and use strong passwords, AV software, etc, and not fall for phishing
>>> scams. Your adversary in this war isn't the spammers, it's not the
>>> technology, but your users.
>>
>> oh come on! the "users" excuse is way too old. if your software accepts
>> weak passwords, then the problem is with the software, not the user.
>
> I'd have to disagree on this one. How do you measure strength or
> weakness of a password?
>
> Length? Is "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" strong?
>
> Complexity? Is "Passw0rd" strong?
>
> A combination of the above? Is "JosephAverage4/1/1999" strong?
>
> Frequent password changes? Is "simplepassword##" strong? (## being a
> sequential number)
>
> How do you effectively protect your infrastructure against users or
> (worse) customers writing their passwords on PostIts and leaving them
> around? How do you effectively protect your infrastructure against
> customers getting their own systems compromised?
>
> If you happen to have a solution for this problem, I'm honestly
> interested in learning about it, because I don't see any.
Isn't the conventional wisdom that a long password consisting of 3 or 4 common but longer words is sufficient and memorable, along the lines of the famous XKCD panel? Obviously there's more to it than that, but I didn't think there was much disagreement about the ideal form of a memorable and strong password. It's a given that your attacker will have an idea what form of password to test for, if not the actual password.

Mark
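The point both posters circle around, that strength depends on what the attacker knows about the password's form, can be made concrete with a guess-space calculation. The following is an added example and not code or data from the thread; it scores each of Ansgar's candidate passwords twice, once with the naive "every character is a random printable" model and once against an attacker who already knows the form. The list sizes (a 7776-word passphrase list, a 10,000-entry common-password list, name and date lists, 64 leet/case variants) are assumptions chosen to be in a plausible range, not measurements.

```python
import math

# Added example for the password-strength discussion; all constants are assumptions.
PRINTABLE = 95              # printable ASCII, the naive charset model
WORDLIST = 7776             # assumption: attacker holds the same 7776-word passphrase list
COMMON_LIST = 10_000        # assumption: attacker's list of common/breached passwords
LEET_VARIANTS = 2 ** 6      # assumption: ~6 case/substitution toggles per word (a->@, o->0, ...)
FIRST_NAMES = 1_000         # assumption: attacker's first-name list
LAST_NAMES = 10_000         # assumption: attacker's surname list
DATES = 365 * 100           # any day in a 100-year window


def naive_bits(password: str) -> float:
    """Charset model: every character uniformly drawn from 95 printables."""
    return len(password) * math.log2(PRINTABLE)


def informed_bits(form: str, **kw) -> float:
    """Bits of work for an attacker who already knows the password's form."""
    if form == "repeated-char":
        # "aaaa...": pick one character and one length up to max_len
        return math.log2(PRINTABLE * kw["max_len"])
    if form == "leet-common":
        # "Passw0rd": a common word plus a few substitutions/case changes
        return math.log2(COMMON_LIST * LEET_VARIANTS)
    if form == "name-date":
        # "JosephAverage4/1/1999": first name, last name, a date
        return math.log2(FIRST_NAMES * LAST_NAMES * DATES)
    if form == "rotated-suffix":
        # "simplepassword##": a common base plus a small counter
        return math.log2(COMMON_LIST * kw["counter_max"])
    if form == "passphrase":
        # n words chosen uniformly at random from the wordlist
        return kw["n_words"] * math.log2(WORDLIST)
    raise ValueError(f"unknown form: {form}")


# Constructed sample set: the thread's candidates plus a 4-word passphrase.
SAMPLES = [
    ("a" * 34,                  "repeated-char",  {"max_len": 40}),
    ("Passw0rd",                "leet-common",    {}),
    ("JosephAverage4/1/1999",   "name-date",      {}),
    ("simplepassword42",        "rotated-suffix", {"counter_max": 100}),
    ("correct horse battery staple", "passphrase", {"n_words": 4}),
]


def score_all() -> dict:
    """Return {password: (naive_bits, informed_bits)} for the sample set."""
    return {pw: (naive_bits(pw), informed_bits(form, **kw)) for pw, form, kw in SAMPLES}


def strongest() -> str:
    """The sample that survives best against the form-aware attacker."""
    return max(score_all().items(), key=lambda item: item[1][1])[0]


if __name__ == "__main__":
    print(f"{'password':32} {'naive bits':>10} {'informed bits':>14}")
    for pw, (naive, informed) in score_all().items():
        print(f"{pw:32} {naive:10.1f} {informed:14.1f}")
    print("strongest against an informed attacker:", strongest())
```

The naive column rewards the 34 a's and the name/date string handsomely; the informed column collapses them to roughly 12 and 38 bits, while four random words from a known list keep about 52 bits because the randomness is in the choice, not in the secrecy of the form.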