On Sun, Apr 17, 2011 at 7:47 PM, Robert LeBlanc <[email protected]> wrote:
> I hate passwords/passphrases. Actually, I hate programmers who are idiots
> that program password/phrase requirements. I really hate when I can't use my
> strong password on a banking website (where you should have a strong password)
> because they don't like punctuation marks.

I can't agree more.

> Until then I still use random passwords with a mix of everything
> (some punctuation characters make cracking much more difficult and usually
> can only be cracked with expensive rainbow tables).

Yep. And even then, a password of reasonable length (> 10) with many different character classes makes even rainbow tables almost useless. At some point you hit a solution space that's just too big. Throw in less common symbols like < and ~ and it's even better. Symbols not usually found on a keyboard, say §, make it effectively impossible.

> The longer the password, the better (except for Windows LANMAN, where
> anything more than 7 characters is useless).

If you're still running a Windows NT 3.5 domain, an insecure hash is probably the least of your security concerns :)

> I really wish more web developers would take advantage of something like
> OpenID (although the username is a pain).

My biggest beef with SSO systems like OpenID is that it becomes a pain to create "throwaway" accounts. Many websites require some form of account, but I don't necessarily want to use my full real name or even my normal email address. I just don't trust them enough (of course, look at the Epsilon fiasco and decide how much trust you should give *anyone* -- including your bank).

I saw an interesting project in the CS hallway on the 3rd floor. They're suggesting an authentication mechanism which uses email to authenticate you. Basically, you tell a website what your email address is and they send you an authentication token email. When you click the link it authenticates your session. The premise is that you make use of your email account access as your credentials. Going to your inbox to click a link every time you want to log in is obviously a pain, and this group has been working on making browser extensions which will automate that process (watch for auth emails and auto-visit the links).

Some info: https://cs.byu.edu/internet_security_research and http://isrl.cs.byu.edu/pubs/pp1001.pdf

It's a pretty neat idea.

Nick

--------------------
BYU Unix Users Group
http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
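The email-link login Nick describes above, written out as a minimal server side: the site issues a random single-use token tied to the address, mails a link carrying it, and turns a click on that link into a session. This is an added example, not code from the BYU ISRL project or from anyone on the list; the 15-minute validity window, the example.invalid hostname, the sample addresses and the in-memory store are all assumptions made for the illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Assumptions for this illustration (not taken from the BYU project):
# a 15-minute validity window and a placeholder login URL.
TOKEN_TTL_SECONDS = 15 * 60
LOGIN_URL = "https://example.invalid/login"


@dataclass
class PendingLogin:
    email: str
    expires_at: float


@dataclass
class MagicLinkAuth:
    """Server side of an email-link login, kept in memory for the example."""
    pending: Dict[str, PendingLogin] = field(default_factory=dict)  # sha256(token) -> PendingLogin
    sessions: Dict[str, str] = field(default_factory=dict)          # session id -> email

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a single-use token for `email` and return the link to mail out."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not guessable
        # Store only a hash of the token: a leaked table of pending logins then
        # contains nothing an attacker can paste into a browser.
        digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.pending[digest] = PendingLogin(email, now + TOKEN_TTL_SECONDS)
        return f"{LOGIN_URL}?token={token}"

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Exchange a clicked token for a session id; None if unknown, used or expired."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
        # pop() makes every token single-use and also discards expired entries
        # on contact. Looking up the hash instead of comparing raw tokens means
        # any timing difference in the lookup says nothing about the token.
        entry = self.pending.pop(digest, None)
        if entry is None or now > entry.expires_at:
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = entry.email
        return session_id


def token_from_link(link: str) -> str:
    """What a mailbox-watching browser extension would do: pull the token out of the emailed URL."""
    query = parse_qs(urlparse(link).query)
    return query.get("token", [""])[0]


if __name__ == "__main__":
    auth = MagicLinkAuth()
    link = auth.issue("alice@example.com")  # constructed sample address
    print("mailed link:", link)
    session = auth.redeem(token_from_link(link))
    print("session belongs to:", auth.sessions[session])
    print("second click on the same link:", auth.redeem(token_from_link(link)))
```

Two practical caveats that the sketch makes visible: the account is exactly as strong as the mailbox it is tied to, which is the premise of the scheme, and because corporate mail filters and link previewers fetch URLs on the user's behalf, a deployment that consumes the token on a plain GET can have the login burned (or, worse, completed) by a scanner, so real implementations usually have the clicked page confirm with a POST before calling `redeem`.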
