On Saturday, April 16, 2011 8:40:27 AM AJ ONeal wrote:

> This is near and dear to my heart so I had to evangelize:
> http://www.baekdal.com/tips/password-security-usability
>
> I disagree only slightly in that
>
> * lookup tables for any password less than 12 characters are readily available
> * devices can be tried several hundred times a second
>
> The counter argument:
>
> * If the attacker has physical access to the device or database in the first place, all bets are off
>
> And, of course, the best password is the one that you can stick on the sticky note and no one will be any the wiser:
>
> "Call John at 6:30"
> "Meeting on Tuesday"
> "mail dropoff before 5"
This approach has problems too. First, many systems don't like spaces or other special characters in their passwords. Websites are notorious for this. Also, some systems have limits on how long a password can be.

Another problem is being able to type your password correctly every time. The longer the password, the more likely you are to make a mistake. If you make a mistake, you have to retype the password, which, if set to a long phrase, will take a long time. If you still can't get it right, you may lock yourself out.

The article also doesn't mention how long it would take to do a dictionary lookup on a password that uses dictionary words. So even though it may take a long time with a brute force attack, it may not take very long with a dictionary attack with word combinations. This sounds like a good research opportunity. :-D

--
Alberto Treviño
BYU Testing Center
Brigham Young University
[email protected]

--------------------
BYU Unix Users Group
http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
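The comparison Alberto raises, brute force over characters versus a dictionary attack over word combinations, can be made concrete with a small keyspace estimate. The following is an added example and is not code from either poster or from the linked article. It models a passphrase two ways: as an arbitrary string over a 95-character printable alphabet (what a brute-force estimate assumes) and as a sequence of whitespace-separated tokens each drawn from a vocabulary of a constructed size (what a word-combination attack assumes). The vocabulary size of 20,000, the offline rate of 10^9 guesses per second, and the treatment of every token as a dictionary word are assumptions for illustration; the online rate of a few hundred guesses per second is the figure from AJ's message.

```python
import math

# Guess rates used for the time estimates.
ONLINE_RATE = 300.0        # "several hundred times a second" from the thread
OFFLINE_RATE = 1e9         # assumption: attacker holds the hash database

# Assumption: size of the word list an attacker would combine.
DEFAULT_VOCABULARY = 20_000
PRINTABLE_ASCII = 95       # assumption: character alphabet for brute force


def brute_force_space(length, alphabet_size=PRINTABLE_ASCII):
    """Candidates needed to exhaust all strings of exactly `length`
    characters over an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def word_combo_space(num_words, vocabulary=DEFAULT_VOCABULARY):
    """Candidates when the attacker guesses phrases as a sequence of
    `num_words` tokens, each drawn independently from `vocabulary` words."""
    return vocabulary ** num_words


def bits(space):
    """Entropy-equivalent size of a keyspace, in bits."""
    return math.log2(space)


def expected_seconds(space, rate):
    """Expected time to find the password: on average half the space is searched."""
    return space / 2 / rate


def compare_phrase(phrase, vocabulary=DEFAULT_VOCABULARY, alphabet_size=PRINTABLE_ASCII):
    """Estimate the same passphrase under both attacker models.

    Every whitespace-separated token is treated as one vocabulary word.
    That is a simplification: tokens such as "6:30" are not dictionary
    words, so the dictionary figure is a lower bound on what a real
    word-combination attack would need, not an exact count."""
    tokens = phrase.split()
    bf = brute_force_space(len(phrase), alphabet_size)
    dc = word_combo_space(len(tokens), vocabulary)
    return {
        "chars": len(phrase),
        "words": len(tokens),
        "bruteforce_bits": bits(bf),
        "dictionary_bits": bits(dc),
        "bruteforce_offline_years": expected_seconds(bf, OFFLINE_RATE) / (365.25 * 86400),
        "dictionary_offline_years": expected_seconds(dc, OFFLINE_RATE) / (365.25 * 86400),
        "dictionary_online_years": expected_seconds(dc, ONLINE_RATE) / (365.25 * 86400),
    }


def weakest_model_bits(phrase, **kwargs):
    """The figure a defender should plan around: the smaller of the two keyspaces."""
    r = compare_phrase(phrase, **kwargs)
    return min(r["bruteforce_bits"], r["dictionary_bits"])


if __name__ == "__main__":
    # Sample phrases taken from AJ's message.
    for p in ("Call John at 6:30", "Meeting on Tuesday", "mail dropoff before 5"):
        r = compare_phrase(p)
        print(f"{p!r}: {r['chars']} chars -> {r['bruteforce_bits']:.1f} bits brute force, "
              f"{r['words']} words -> {r['dictionary_bits']:.1f} bits as word combination; "
              f"offline dictionary ~{r['dictionary_offline_years']:.2f} years")
```

The gap between the two columns is the point of Alberto's last paragraph: a 17-character phrase looks like well over a hundred bits to a character-level brute force, but as four draws from a 20,000-word vocabulary it is closer to 57 bits, which an offline attacker at 10^9 guesses per second covers in a few years and a larger word list or grammar-aware guesser cuts further. The online rate from the thread keeps even the dictionary model out of reach, which is why lockout and rate limiting on the login path matter as much as the password itself.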
