The 20 most popular passwords

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Mon Jan 25 23:28:55 UTC 2010


On Mon, Jan 25, 2010 at 3:53 PM, D. Hugh Redelmeier <hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org> wrote:
> Most humans cannot remember a large collection of distinct strong
> passwords.  Expecting them to do so is just stupid.  Mocking them for
> failing is rude: the fault is in the system designers.

Indeed.

On the one hand, I'd commend the idea of using a password manager like
PasswordSafe, KeePass, or such, to generate and manage the hordes of
dumb little web application passwords that you get.

If you're just copying-and-drooling the password into place, it really
isn't important for it to be memorable.  And it's notably Good
Practice to use a different password for each distinct eCommerce site
- that way if someone steals their plaintext database of usernames and
passwords, the Evil Hackers won't be able to use your Buy.com password
to set up purchases elsewhere, or to get into your bank account.

But, on the other hand, you do need to have a reasonably secure
password on your "Password Safe," and it's not an improvement to
security if you force people to remember a password that, if it
is required to be so long/weirdly-policied that it challenges their
cognitive abilities (and this IS NOT a statement that they're dumb!),
they can't remember.  And therefore they write it on the infamous
PostIt! note :-(.

There are entertaining answers out there, here and there; I have heard
tell of "seriously secure" military sites where they have entertaining
physical tokens:

A reasonably tamper-resistant token, way too large to fit into a
pocket, generally chained to the desk, having a Very Long Password
written on it.

- Intentionally, the password's too long for anyone that they hire to
remember (e.g. - 256 chars long, or such).
- They can't carry it out - armed guards prevent that, and the large
size of the token makes it impractical to hide.
- No pencils or pens allowed, so they can't write it down.

This sort of approach would quite likely be useful for a Certificate
Authority wanting to claim "Serious Security."  But it is, of course,
useless to the usual home user.

I'm not sure what to systematically recommend, aside from some bits of
wisdom that don't necessarily scale :-(.
-- 
http://linuxfinances.info/info/linuxdistributions.html
Jonathan Swift  - "May you live every day of your life." -
http://www.brainyquote.com/quotes/authors/j/jonathan_swift.html
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists