On Mon, Mar 3, 2014 at 3:38 PM, Steven D'Aprano <st...@pearwood.info> wrote:
> Oh really? Chances are your wallet is *full* of pieces of paper that
> people would steal, given half the chance.

Alas no... around here, wallets get filled with pieces of plastic [1],
of which my wallet is sadly devoid. And I can't imagine anyone putting
effort into stealing my Gilbert & Sullivan Society membership card, nor
my coupon card for a half-price watch battery replacement on condition
that I take it back to some place that I don't go anywhere near any
more... But don't let that detract from your point :D

>> and b) if it does go missing, the IT guy is just one phone call
>> away,
>
> Last time I had to call my bank to unlock my account, it took two phone
> calls and nearly three hours of elapsed time. And I was lucky I didn't
> have to physically go in to a branch and show photo ID.

That's about par for the course. Worst part of it is when you lose your
connection and have to (a) go right back to the end of the caller queue,
(b) get through to a different agent, and therefore (c) have to start
over with the whole identifying-yourself thing. I wish I could invoke
tmux or GNU Screen on arrival, and then just reconnect.

This is, perhaps, the best argument in favour of password security. The
thought that someone might steal your identity is so vague and hard to
comprehend that it won't scare people; the possibility of someone
stealing money is "Oh but my bank will keep me safe" (whether or not
that's true is quite tangential); but explain that forgetting your
password (or having someone else figure out your password) means having
to call support? *That* is an incentive.

> Having learned that, they're screwed: even in the (uncommon) case that
> their account will support a cryptographically strong passphrase, most
> people need a dozen or more different passwords and/or passphrases. (I
> have about 50, only a dozen of which I keep in my head.) Who is going to
> remember a 12 character high-entropy string for an account they only use
> once a year? Most people have trouble remembering four-digit PINs if they
> don't use them regularly.

What if you create XKCD 936 passwords, and then have one "master
password file" in which you store, for each password, four words that
are synonyms for the originals, plus the first letters of them?
(Obviously your master password file (a) never leaves your own computer,
and (b) should itself be encrypted with some secure password, and
treated with extreme sensitivity. But that gets around the "once a year"
problem, as you'll refer to this one file any time you need to check any
of your rare passwords.) As a second line of defense before contacting
support, it feels plausible, but I've never actually had an opportunity
to try it.

Of course, the whole concept depends on being able to use long memorable
passwords. Any system that sets a maximum password length of anything
less than about 30-40 characters is causing its users problems. There's
almost never any reason to set a maximum at all.

ChrisA

[1] http://en.wikipedia.org/wiki/Polymer_banknote
-- 
https://mail.python.org/mailman/listinfo/python-list
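An added illustration of the two points in ChrisA's message (XKCD 936 style passphrases, and why a maximum password length below 30-40 characters hurts users); this is example code written for this page, not code from the thread or from any of the participants. The tiny `WORDLIST` is constructed here as a stand-in for a real diceware-style list, and the 7-character average word length used by `words_allowed` is an assumption.

```python
import math
import secrets

# Constructed stand-in for a real passphrase wordlist (assumption: a real
# list would have about 2048 or 7776 entries, giving 11 or ~12.9 bits/word).
WORDLIST = [
    "correct", "horse", "battery", "staple", "orbit", "velvet", "anchor",
    "pillow", "tundra", "marble", "falcon", "lantern", "copper", "meadow",
    "saddle", "quartz",
]


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy (bits) of num_words drawn uniformly and independently
    from a list of wordlist_size entries: num_words * log2(wordlist_size).
    Four words from a 2048-word list is the XKCD 936 figure of 44 bits."""
    if num_words < 1 or wordlist_size < 2:
        raise ValueError("need >= 1 word from a list of >= 2 entries")
    return num_words * math.log2(wordlist_size)


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy (bits) of a uniformly random character password, for
    comparison with a word-based passphrase."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need >= 1 character from an alphabet of >= 2")
    return length * math.log2(alphabet_size)


def generate_passphrase(num_words: int = 4, wordlist=WORDLIST, sep: str = " ") -> str:
    """Draw words with the CSPRNG-backed secrets module, never random.choice,
    since the entropy figure above assumes uniform, unpredictable draws."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def fits_policy(passphrase: str, max_length) -> bool:
    """True if the passphrase is accepted under a length cap.
    max_length=None models the recommended policy of having no cap."""
    return max_length is None or len(passphrase) <= max_length


def words_allowed(max_length, avg_word_len: int = 7, sep_len: int = 1):
    """How many words of an assumed average length fit under a cap:
    n*avg + (n-1)*sep <= max_length  =>  n <= (max_length + sep) // (avg + sep).
    Returns None when there is no cap."""
    if max_length is None:
        return None
    return (max_length + sep_len) // (avg_word_len + sep_len)


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print("example passphrase:", phrase)
    print("4 words x 2048-word list:", passphrase_entropy_bits(4, 2048), "bits")
    print("8 printable ASCII chars:", round(charset_entropy_bits(8, 94), 1), "bits")
    for cap in (16, 20, 40, None):
        print(f"cap={cap}: accepts 4-word phrase? {fits_policy(phrase, cap)}, "
              f"words that fit: {words_allowed(cap)}")
```

The `words_allowed` figure is the practical reading of the message's threshold: a 16-character cap leaves room for only two average-length words, which is far below the four-word scheme the message assumes, while a cap of 40 or none at all accommodates it comfortably.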