The 20 most popular passwords

Duncan MacGregor dbmacg-HLeSyJ3qPdM at public.gmane.org
Tue Jan 26 03:39:00 UTC 2010


While we are all dumping on our end-users, it is worth remembering that this whole thing came about because
some IT bozos were keeping user passwords in PLAIN TEXT. 

How stupid is that?

Duncan


On January 25, 2010 06:28:55 pm you wrote:
> On Mon, Jan 25, 2010 at 3:53 PM, D. Hugh Redelmeier <hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org> wrote:
> > Most humans cannot remember a large collection of distinct strong
> > passwords.  Expecting them to do so is just stupid.  Mocking them for
> > failing is rude: the fault is in the system designers.
> 
> Indeed.
> 
> On the one hand, I'd commend the idea of using a password manager like
> PasswordSafe, KeePass, or such, to generate and manage the hordes of
> dumb little web application passwords that you get.
> 
> If you're just copying-and-drooling the password into place, it really
> isn't important for it to be memorable.  And it's notably Good
> Practice to use a different password for each distinct eCommerce site
> - that way if someone steals their plaintext database of usernames and
> passwords, the Evil Hackers won't be able to use your Buy.com password
> to set up purchases elsewhere, or to get into your bank account.
> 
> But, on the other hand, you do need to have a reasonably secure
> password on your "Password Safe," and it's not an improvement to
> security if you force people to remember a password that, if it
> is required to be so long/weirdly-policied that challenges their
> cognitive abilities (and this IS NOT a statement that they're dumb!),
> and they can't remember it.  And therefore write it on the infamous
> PostIt! note :-(.
> 
> There are entertaining answers out there, here and there; I have heard
> tell of "seriously secure" military sites where they have entertaining
> physical tokens:
> 
> A reasonably tamper-resistant token, way too large to fit into a
> pocket, generally chained to the desk, having a Very Long Password
> written on it.
> 
> - Intentionally, the password's too long for anyone that they hire to
> remember (e.g. - 256 chars long, or such).
> - They can't carry it out - armed guards prevent that, and the large
> size of the token makes it impractical to hide.
> - No pencils or pens allowed, so they can't write it down.
> 
> This sort of approach would quite likely be useful for a Certificate
> Authority wanting to claim "Serious Security."  But it is, of course,
> useless to the usual home user.
> 
> I'm not sure what to systematically recommend, aside from some bits of
> wisdom that don't necessarily scale :-(.
> 

-- 
Duncan MacGregor  -- Toronto --
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
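The plain-text storage Duncan objects to has a standard remedy: keep only a salted, slow hash of each password and compare against that at login. The example below is added here and is not code from this thread or from any list member; the record format, the iteration count and the sample users are constructed for illustration.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor. Constructed for this example; raise it for
# the hardware that actually performs logins.
ITERATIONS = 200_000


def store_password(password: str) -> str:
    """Return the record to keep in the database instead of the plain text.

    Record format (constructed): pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>.
    A fresh 16-byte salt per user means two users with the same password get
    different records, so a stolen table cannot be matched against a
    precomputed list of common passwords.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against the stored record; the plain text is never kept."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:  # malformed record: treat as a failed login, never crash
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample accounts: two users who chose the same weak password.
    users = {"alice": store_password("123456"), "bob": store_password("123456")}
    print("records differ despite same password:", users["alice"] != users["bob"])
    print("plain text absent from table:", "123456" not in users["alice"])
    print("alice login ok:", verify_password("123456", users["alice"]))
    print("wrong password rejected:", not verify_password("password", users["alice"]))
```

If the database is stolen, the attacker holds only salts and hashes, so the per-site reuse problem the quoted reply describes is reduced to guessing each password separately at the cost of the work factor.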