One idea in order to avoid post-it-passwords could come from something
like the password generator Nic Wolff developed.
It works for generating and quickly accessing passwords for various
Internet sites/domains.
In order to use it you need to remember one main password with which the
algorithm produces a different password for every single domain.
To achieve this, it concatenates the main password with the site name
and it produces the MD5 hash of the resulting string. Simple, efficient
and safe.
Disadvantages of this method is that someone who knows your main
password knows all your different passwords. On the other side users
tend to use the same password anyway, so this kind of exposure is
present with the standard approach as well. Also, in order to regenerate
passwords at log-in, you will have to retype your master password and
that could be annoying.
The advantage is a different and virtually impossible to guess password
for every different site. This concept can easily be adapted to other
situations and provides strong cryptographic passwords.
My opinion is that remembering and keeping to yourself a good main
password, even a passphrase like for example "I will not read /.
everyday", is not such a difficult task. Also, retyping this master
passwords becomes less annoying after 10 or so times.
Nic's page (http://angel.net/~nic/passwd.html) provides a nice
javascript for this and there are also bookmarklets available
(http://chris.zarate.org/passwd.txt) in order to facilitate the process.
Mihai Amarandei-Stavila - Xmco Partners
Consultant Sécurité / Test d'intrusion
tel : 33 1 47 34 68 61
web : http://www.xmcopartners.com
Villa Gabrielle 75015 PARIS
Personal Blog http://secinternship.blogspot.com
Stian Øvrevåge wrote:
God morning list!
I continually read papers which advertise increased password lenghts (
and outrageous complexity requirements ) as The Solution(TM). I work
in a fairly large organization and I can safely acknowledge that even
8 character passwords with moderate complexity requirements are VERY
prone to beeing written un-encrypted and un-hashed on Post-Its, and
then safely contained, under the keyboard, or on the monitor. Which in
my humble oppinion is bordering to "stupid security".
I'm certain that there is a link between required password lenght and
complexity and the probability of users taking the huge leap backwards
and writing passwords down.
I've been doing a little Googling, but I can't seem to find any
scientific analytical/statistical research done on this particular
subject. Is anyone out there aware of any works done in this field? If
not, is there anyone intrested in conducting such a survey on the
behalf of the community?
Regards, Stian
