Re: E-mail passwords

From: Aron Roberts <aron_at_socrates.berkeley.edu>
Date: Wed, 15 Nov 2006 19:46:04 -0800 (PST)

On Wed, November 15, 2006 17:29, David Radwin wrote:
> At 4:43 PM -0800 11/15/06, Aron Roberts wrote:
>> "How do I set strong passwords for all of the accounts on my
>> computer?"
>> https://kb.berkeley.edu/kb905
>> ... these password tips - or a variant of them -
>> should likely also be helpful as a way to come up with memorable and
>> rules-compliant CalMail passwords, CalNet passphrases, and the like.
>
> I don't think this is what you're suggesting, but just in case it is,
> I would point out one generic problem: having a single
> person give out passwords (or maybe even hints) to multiple users
> inevitably leads to some consistent formula that ultimately
> compromises security.

  Thanks, David, for sharing these interesting experiences and concerns.
Consistent formulas are definitely a no-no. However, I'd assert that
heuristic tips to help users think up stronger passwords - those that
use at least three character classes and don't consist solely of
personally identifiable words or dictionary words, or close variants of
those - are probably better than the alternative, even if the use of
those tips may somewhat artificially constrain the universe of passwords
generated.

  The (unfortunate) alternative to providing users with tips and tools
they can use to create strong passwords on their own is something like
this:

  http://news.com.com/2009-1001-916719.html
  Security company identifies that 30 percent of the passwords
  in 10,000 accounts on a regional health care company's servers
  could be identified by a cracking program in just one hour.

  Or this:

  http://www.csulb.edu/misc/inside/archives/v58n5/2.htm
  CSU-Long Beach researcher says her research shows that
  60 percent of passwords can be identified by cracking
  programs within several hours.

Aron Roberts
Information Services and Technology
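
Added example, not part of the original message or of any Berkeley tool: a minimal Python check for the heuristic described above (at least three character classes, and not a dictionary or personal word or a close variant of one). The word list, the substitution table and the definition of "close variant" (edge digits and punctuation stripped, common look-alike characters undone) are assumptions made for illustration.

```python
import re

# Constructed sample word list; a real check would load a full dictionary
# plus the user's own name, login and similar personal terms.
SAMPLE_WORDS = {"password", "berkeley", "calmail", "welcome", "dragon"}

# Assumed look-alike substitutions, undone before the dictionary comparison.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def character_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def word_variant(pw, words):
    """Return the word pw is a close variant of, or None."""
    # Drop leading/trailing digits and punctuation: "Dragon2006!" -> "Dragon"
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw).lower()
    for candidate in (core, core.translate(LEET)):
        if candidate in words:
            return candidate
    return None


def check_password(pw, words=SAMPLE_WORDS, personal=()):
    """Return a list of rule violations; an empty list means pw passes."""
    problems = []
    if len(character_classes(pw)) < 3:
        problems.append("fewer than three character classes")
    hit = word_variant(pw, set(words) | {p.lower() for p in personal})
    if hit:
        problems.append("close variant of '%s'" % hit)
    return problems
```

A password such as "Dragon2006!" satisfies the character-class rule yet is still flagged, which is why both halves of the heuristic are checked.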

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Wed Nov 15 2006 - 20:06:30 PST
