[thelist] changing password design
Simon Willison
cs1spw at bath.ac.uk
Fri Sep 12 05:25:41 CDT 2003
Tony Crockford wrote:
> What is secure?
>
> The harder you make it for me to remember my login the more likely I am
> to write it down.
I agree. I frequently curse systems that require me to think up a
password that is "at least 7 characters long, including at least one
upper case character, one lower case character and one digit" because
they prevent me from using one of my standard 4 or 5 passwords that I
have already committed to memory. I end up forced to write the password
down because I haven't a chance of remembering it otherwise.
Bruce Schneier's advice on this page makes a lot of sense:
http://www.cskk.ezoshosting.com/cs/goodstuff/bs-spc.html
"You can't memorize good enough passwords any more, so don't bother.
Create long random passwords, and write them down. Store them in your
wallet, or in a program like Password Safe. Guard them as you would your
cash. Don't let Web browsers store passwords for you. Don't transmit
passwords (or PINs) in unencrypted e-mail and Web forms. Assume that all
PINs can be easily broken, and plan accordingly."
I've heard that he himself stores his passwords in his wallet. I would
suggest backing this up with the very rudimentary security-by-obscurity
technique of writing them down with a simple mnemonic for what account
they work with (such as "ba: w34kasdjfa" for your bank account
password). That should provide protection against a pick-pocket who
grabs your wallet from using your passwords (if they even realise that
the random strings on the back of a business card are passwords).
Cheers,
Simon
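As an added illustration (not part of the thread, and not code from any of the participants), here is the complexity rule quoted above written as a check, beside a generator for the long random passwords Schneier recommends, with the entropy of each so the trade-off is visible in numbers. Function names and the 62-character alphabet are my own choices.

```python
import math
import secrets
import string

# The policy quoted in the thread: at least 7 characters, with at least one
# upper-case letter, one lower-case letter and one digit.
def meets_policy(pw: str, min_len: int = 7) -> bool:
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))

# Alphabet used for generated passwords (assumption: letters and digits only,
# so the result is easy to copy onto a card without ambiguous symbols).
ALPHABET = string.ascii_letters + string.digits

def random_password(length: int) -> str:
    """Uniformly random password from the OS CSPRNG (the 'write it down' approach)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def policy_password(length: int = 7) -> str:
    """Random password that also satisfies the quoted policy, by rejection sampling."""
    while True:
        pw = random_password(length)
        if meets_policy(pw):
            return pw

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length over this alphabet.
    The policy's 'must contain' rules only remove strings, so this is an upper bound
    for a policy-compliant password of the same length."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker to try every password of this length.
    guesses_per_second is a constructed assumption, not a measurement."""
    return 2 ** entropy_bits(length) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # A 7-character policy password versus a 20-character random one.
    for n in (7, 20):
        print(f"{n} chars: {entropy_bits(n):.1f} bits, "
              f"{years_to_exhaust(n, 1e10):.2e} years at 1e10 guesses/s")
    print("policy-compliant sample:", policy_password())
    print("long random sample:    ", random_password(20))
```

The comparison makes the point of the thread concrete: the policy forces a shape, not strength, while twenty random characters that you keep on a card in your wallet carry nearly three times the entropy.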