Security Basics mailing list archives
Re: proper password handling
From: Zapotek <zapotekzsp () gmail com>
Date: Wed, 4 Oct 2006 11:43:56 +0300
To be honest I do that too and it seems to be working fine... Although I have more than one special string, depending on the account. ;)

<arrogance>Great minds think alike.</arrogance>

On 10/3/06, Robert.Graham () bt infonet com <Robert.Graham () bt infonet com> wrote:

The best solution I ever heard of was from the Security Guru himself, Bruce Schneier: Create passwords with a secret string that you commit to memory, in the middle. Write down the password with everything but this special string. Then, from the user side, it simulates two-factor authentication (something you have [the paper] and something you know [your secret string]). Even if the paper is lost or compromised, the damage is minimal. Ideally, once the paper is compromised, the password is changed, but the secret string may be re-used. Best would be to lock up a safe copy so that should the carry copy be lost, that password can be reset easily and quickly.

Today, with so many passwords, it's not possible to create strong ones that can be remembered.

Robert J Graham | Security Engineer | Global Security Group | BT Infonet | Tel: +1 310 335 4454 | E: robert.graham () bt infonet com | http://www.bt.infonet.com

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
--
__________________________________________________________
http://www.segfault.gr