The 20 most popular passwords
Duncan MacGregor
dbmacg-HLeSyJ3qPdM at public.gmane.org
Tue Jan 26 03:39:00 UTC 2010
While we are all dumping on our end-users, it is worth remembering that this whole thing came about because
some IT bozos were keeping user passwords in PLAIN TEXT.
How stupid is that?
Duncan
On January 25, 2010 06:28:55 pm you wrote:
> On Mon, Jan 25, 2010 at 3:53 PM, D. Hugh Redelmeier <hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org> wrote:
> > Most humans cannot remember a large collection of distinct strong
> > passwords. Expecting them to do so is just stupid. Mocking them for
> > failing is rude: the fault is in the system designers.
>
> Indeed.
>
> On the one hand, I'd commend the idea of using a password manager like
> PasswordSafe, KeePass, or such, to generate and manage the hordes of
> dumb little web application passwords that you get.
>
> If you're just copying-and-drooling the password into place, it really
> isn't important for it to be memorable. And it's notably Good
> Practice to use a different password for each distinct eCommerce site
> - that way if someone steals their plaintext database of usernames and
> passwords, the Evil Hackers won't be able to use your Buy.com password
> to set up purchases elsewhere, or to get into your bank account.
>
> But, on the other hand, you do need to have a reasonably secure
> password on your "Password Safe," and it's not an improvement to
> security if you force people to remember a password that, if it
> is required to be so long/weirdly-policied that challenges their
> cognitive abilities (and this IS NOT a statement that they're dumb!),
> and they can't remember it. And therefore write it on the infamous
> PostIt! note :-(.
>
> There are entertaining answers out there, here and there; I have heard
> tell of "seriously secure" military sites where they have entertaining
> physical tokens:
>
> A reasonably tamper-resistant token, way too large to fit into a
> pocket, generally chained to the desk, having a Very Long Password
> written on it.
>
> - Intentionally, the password's too long for anyone that they hire to
> remember (e.g. - 256 chars long, or such).
> - They can't carry it out - armed guards prevent that, and the large
> size of the token makes it impractical to hide.
> - No pencils or pens allowed, so they can't write it down.
>
> This sort of approach would quite likely be useful for a Certificate
> Authority wanting to claim "Serious Security." But it is, of course,
> useless to the usual home user.
>
> I'm not sure what to systematically recommend, aside from some bits of
> wisdom that don't necessarily scale :-(.
>
--
Duncan MacGregor -- Toronto --
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists