nanog mailing list archives
Re: Dear Linkedin,
From: Joel jaeggli <joelja () bogus com>
Date: Sun, 10 Jun 2012 00:03:43 -0700
On 6/8/12 16:05 , Alec Muffett wrote:
>> Does anybody have a good URL explaining that idea? It's been kicking
>> around for many years. I've never seen a convincing writeup.
>
> I've tried to do that in another mail - it's in the realms of philosophy
> more than strategy; like if you're a really security-aware person and
> take great care you can probably stretch the useful life of a password
> out to _years_ - but how typical are *you* in that instance?

I have a slide in a presentation I give about once a year that goes
something like:

How good does a password/phrase have to be in order to protect against
brute-force or dictionary attacks against the password itself?

● Entropy in language.
  – A typical english sentence has 1.2 bits of entropy per character, you
    need 107 characters to get a statistically random md5 hash.
  – Using totally random english characters you need 28 characters.
  – Using a random distribution of all 95 printable ascii characters you
    need 20 characters.
● Observation, good passwords are hard to come by.

>> Does your bank request/require that you change the PIN on your ATM card
>> every few months?
>
> ATM cards are not passwords, they are a coarse form of two-factor
> authentication - You have the card, you have the PIN. You have to
> possess both in order to transact - at least in theory.
>
> Compare that with the secrecy surrounding the CVV - the "last three
> digits on the number on the back of the card" which you are "not meant
> to tell anyone" and which _will_ be different if your card is
> lost/stolen and reissued. Now _that_ is a password.
>
>> Security is a tradeoff. I think there are two cases for passwords.
>> I'll call them important and junk. I'm willing to store the junk ones
>> in a file or piece of paper that I'm careful with. I have to memorize
>> the important ones.
>
> You know, that's not bad. I am pro-paper for long passwords. I am
> even-more pro "password safes".
>
>> I'm only smart enough to memorize a few good passwords. If I change
>> them every few months, they will be less good, or fewer of them.
>
> It's harder as we get old. Use technology to aid with the heavy
> lifting. :-)
>
> -a
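The arithmetic behind the slide above (characters needed before guessing the password is no easier than brute-forcing the hash), carried through in code as an added example that is not part of Joel's slide or of this thread. The 1.2 bits/char figure for English is taken from the slide as stated; the other two rates follow from the alphabet sizes. The generator uses the `secrets` module so that the entropy credited to a generated string actually holds; the digest table and the extension to SHA-1/SHA-256 are my assumptions, not something the thread discusses.

```python
import math
import secrets

# Digest sizes in bits. Once a password carries at least this much entropy,
# guessing it is no easier than finding a preimage of the hash, which is the
# threshold the slide uses for MD5 ("statistically random md5 hash").
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha256": 256}

# The 95 printable ASCII characters: space (0x20) through '~' (0x7E).
# (string.printable is NOT this set; it also contains tab/newline/etc.)
PRINTABLE_95 = "".join(chr(c) for c in range(0x20, 0x7F))
LOWERCASE_26 = "abcdefghijklmnopqrstuvwxyz"

# Bits of entropy per character for the three sources in the slide.
# 1.2 bits/char for English prose is the slide's figure (Shannon's estimate
# of the entropy of English); it is far below the ~4.7 bits/char you would
# get by counting letters, because natural text is highly predictable.
ENTROPY_PER_CHAR = {
    "english_sentence": 1.2,
    "random_lowercase": math.log2(len(LOWERCASE_26)),   # about 4.70
    "random_printable": math.log2(len(PRINTABLE_95)),   # about 6.57
}


def required_length(target_bits, bits_per_char):
    """Smallest character count whose total entropy reaches target_bits."""
    if bits_per_char <= 0:
        raise ValueError("entropy per character must be positive")
    return math.ceil(target_bits / bits_per_char)


def length_table(digest="md5"):
    """Characters needed from each source to match the given digest size.

    For "md5" this reproduces the slide: 107 / 28 / 20.
    """
    bits = DIGEST_BITS[digest]
    return {src: required_length(bits, rate) for src, rate in ENTROPY_PER_CHAR.items()}


def entropy_bits(password, alphabet):
    """Entropy credited to a password drawn UNIFORMLY from alphabet.

    This is only valid for machine-generated strings. Applying it to a
    human-chosen password overstates its strength, which is the slide's
    point about English text.
    """
    if any(ch not in alphabet for ch in password):
        raise ValueError("password contains characters outside the alphabet")
    return len(password) * math.log2(len(alphabet))


def generate_password(target_bits, alphabet=PRINTABLE_95):
    """Generate a password with at least target_bits of entropy.

    secrets.choice draws from the OS CSPRNG; the random module would make
    the entropy figure meaningless. Output is meant for a password safe,
    not for memorising.
    """
    n = required_length(target_bits, math.log2(len(alphabet)))
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    for digest in DIGEST_BITS:
        print(digest, length_table(digest))
    pw = generate_password(DIGEST_BITS["md5"])
    print(f"{pw!r}: {len(pw)} chars, {entropy_bits(pw, PRINTABLE_95):.1f} bits")
```

Running it prints the slide's 107/28/20 row for MD5 and the corresponding counts for larger digests; a generated 20-character printable-ASCII password carries about 131 bits, which is why the "technology to aid with the heavy lifting" advice above is the only realistic way to reach these lengths for anything you are not willing to memorise.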
Current thread:
- Re: Dear Linkedin,, (continued)
- Re: Dear Linkedin, joseph . snyder (Jun 09)
- Re: Dear Linkedin, Scott Howard (Jun 09)
- Re: Dear Linkedin, Jimmy Hess (Jun 09)
- Re: Dear Linkedin, Derrick H. (Jun 08)
- EBAY and AMAZON Brandt, Ralph (Jun 11)
- Re: EBAY and AMAZON Henry Yen (Jun 11)
- Re: EBAY and AMAZON Jo Rhett (Jun 11)
- Re: Dear Linkedin, Alec Muffett (Jun 08)
- Re: Dear Linkedin, Joel jaeggli (Jun 10)
- RE: Dear Linkedin, John Souvestre (Jun 10)
- Re: Dear Linkedin, Joel jaeggli (Jun 10)
- Re: Dear Linkedin, valdis . kletnieks (Jun 10)
- Re: Dear Linkedin, Mike Hale (Jun 08)
- Re: Dear Linkedin, Barry Shein (Jun 09)
- Re: Dear Linkedin, Jay Ashworth (Jun 09)
- Re: Dear Linkedin, Lyle Giese (Jun 09)