On passwords, security and real -sweat, blood and tears- life

A.J. Bonnema abonnema at xs4all.nl
Sun Apr 30 06:01:28 UTC 2006


Kwan Lowe wrote:
>> A common problem with passwords are their guessability (yes, as a
>> non-native English speaker, I too make up words.....). For instance,
>> even though I have taught my daughter to not use dictionary words, names
>> etc, her password for one of the online accounts got hijacked. What
>> happened was, she used: _____ (five underscores) as a password: arghghgh.
> 
> I'm not convinced that it's the guessability of passwords that's their downfall.
> From what I've seen, the biggest problem is clear-text passwords moving naked across
> the Internet. For example, many of us are subscribed to various lists. Many of them
> send a password reminder once a month in plaintext. Many people use the same
> passwords across multiple sites. This means that anyone who has access to the mail
> (the ISP, an administrator, etc.) has access to possible multiple passwords. Then
> there are un-encrypted web logins. 

Hi Kwan,

I agree. The downfall of the pass should be near, given these factors. 
Probably something with certificates or PKI would be better. Still, 
passwords are being used extensively, especially on the net. And the 
point is, that not all net-ids-password combinations are innocent, if 
they get cracked. Take PayPal, banking userids, etc.

(I am glad that my bank (a Dutch corporation) has userid, password plus 
a number per transaction: the number varies for each transaction. It is 
not sent in cleartext but in snailmail or sms.)

<big snip> I think I also agree to the rest of your story (although I am 
not technical enough to get all of it). The bottom line AFAICS is:

* the tougher the password, the better the protection
* don't use the same password for different sites.
* change your passwords regularly

Obviously there still is the problem of phishing: no matter how strong 
your password is, if you succumb to phishing, they're useless. So this 
is mainly a point of educating.

And, as one security expert said: it is better to write down your strong 
passwords than to have weak passwords. So one solution (excluding 
phishing) is:

* have an application or a file containing all passwords plus the site 
they are used for
* have all passwords be strong
* only remember the password to read the file (or write it down in your 
secret diary...)
* be able to read the passwords online and offline

So next, I will start looking for an application to have my passwords in 
online.

One other point you made was about the graphics file.


Guus.
-- 
A.J. Bonnema, Leiden The Netherlands,
user #328198 (Linux Counter http://counter.li.org)