On 2012-07-25 Mark Blackman wrote:
> On 25 Jul 2012, at 10:09, Ansgar Wiechers wrote:
>> Please re-read what I wrote, particularly the second half of it. Is
>> "Joseph Zebediah Average 4/1/1999" really a strong password?
> 
> It is a strong password, unless you believe attackers would regard
> that format as a promising format to exploit. I think that's unlikely
> to be a promising format to exploit at the moment.

I would regard any combination of personal name and birth date as a
pretty darn promising format to exploit at any time.

>> If not: how do you prevent users/customers from using a password like
>> that?
> 
> Well, if you really believe that format is likely, you test for it.

How would you test for likely combinations of users' (or customers')
personal information? And how do you account for the reduction in key
space these checks would introduce?

>> And how do you prevent a customer's system from being compromised
>> with, say, a keylogger?
> 
> Keyloggers are a completely separate question from passwords and
> operate on a different level.

I beg to differ. Keyloggers are a rather prominent means for obtaining
passwords.

>>> Obviously there's more to it than that, but I didn't think there was
>>> much disagreement about the ideal form of a memorable and strong
>>> password. It's a given that your attacker will have an idea what
>>> form of password to test for, if not the actual password.
>> 
>> Indeed there isn't much disagreement on what forms a strong password
>> (in principle). I do fail to see how this could be enforced on a
>> technical level, though.
> 
> You can readily enforce minimum length of say 12-16 characters which
> is a great place to start and of course that says nothing about
> keyloggers or other infiltrations.

Length is just that: a good start. It's nothing more. Particularly it's
not a silver bullet. I can easily name you passwords or phrases of 20
characters in length which would require very, VERY little effort to
break. "aaaaaaaaaaaaaaaaaaaa" being the simplest of examples.

> If you're assuming that keyloggers are omnipresent, then you've
> already given up on security.

No. That doesn't change anything about keyloggers being an apparent
threat, though. Omnipresence is not required.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
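As an added example that is not part of the thread, a hypothetical policy check in Python showing what "testing for it" can look like beyond a minimum length: it rejects long but repetitive strings such as the 20 a's above, and checks the candidate against the user's own name parts and common spellings of their birth date. The name tokenisation and the set of date formats are assumptions, not anything the thread specifies.

```python
import re
from datetime import date

MIN_LENGTH = 12  # assumed policy minimum; the thread suggests 12-16


def date_forms(d):
    """Common textual forms of a birth date (assumed list of the formats a
    dictionary attack would try first; extend as needed)."""
    forms = {
        f"{d.month}/{d.day}/{d.year}", f"{d.day}/{d.month}/{d.year}",
        f"{d.month}/{d.day}/{d.year % 100}", f"{d.day}/{d.month}/{d.year % 100}",
        f"{d.year}{d.month:02d}{d.day:02d}", f"{d.day:02d}{d.month:02d}{d.year}",
        f"{d.month:02d}{d.day:02d}{d.year}", str(d.year),
    }
    return sorted(forms)  # sorted so the order of rejection reasons is stable


def check_password(password, full_name, birth_date):
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    # Length alone is not enough: "aaaaaaaaaaaaaaaaaaaa" is 20 chars but trivial.
    if len(set(password.lower())) < 4:
        reasons.append("too few distinct characters")
    # A run of four or more identical characters, or a whole string that is
    # one short unit repeated (e.g. "abcabcabcabc").
    if re.search(r"(.)\1{3,}", password) or re.fullmatch(r"(.{1,3})\1+", password):
        reasons.append("repeated pattern")
    # Personal information: compare case-insensitively with whitespace removed,
    # so "Joseph Zebediah Average 4/1/1999" is caught in either spacing.
    folded = re.sub(r"\s+", "", password.lower())
    for token in full_name.lower().split():
        if len(token) >= 3 and token in folded:
            reasons.append(f"contains name part '{token}'")
    for form in date_forms(birth_date):
        if form in folded:
            reasons.append(f"contains birth date as '{form}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample user from the thread's example.
    name, born = "Joseph Zebediah Average", date(1999, 4, 1)
    for candidate in ("Joseph Zebediah Average 4/1/1999", "a" * 20, "correct-horse-battery-staple-42"):
        print(repr(candidate), "->", check_password(candidate, name, born) or "accepted")
```

Note that rejecting known-weak patterns removes only a vanishing fraction of the key space; the real cost is the usability of telling a user their own name is off limits.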
