[1091] in WWW Security List Archive
Unix links subverting Web security
daemon@ATHENA.MIT.EDU (David M. Chess)
Fri Oct 27 13:03:56 1995
Date: Fri, 27 Oct 95 09:20:02 EDT
From: "David M. Chess" <chess@watson.ibm.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
> only one type of password that is acceptable today: random gibberish (mean
> gibberish - nothing phonetic even) created by a RNG seeded by a non
> deterministic source (some good ones available). a really random 8 char
> passwd will make brute force attack not much fun. now do this with 12 char
Unfortunately, a completely random password will make the "walk
casually around in the office memorizing all the passwords written
on post-it notes on the walls" attack work even better than it
normally does. You win some, you lose some. Allowing long
passphrases (PGP model, for instance) seems a better solution;
a somewhat higher plane in the tradeoff-space.
DC (hoping he hasn't accidentally started the Password Thread)
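The tradeoff in the message above (an 8- or 12-character random password versus a long passphrase) can be made concrete by comparing the size of the search space each policy gives a brute-force attacker. The following is an added example, not code from the poster or the list; it draws its randomness from the operating system's CSPRNG via Python's `secrets` module (standing in for the "RNG seeded by a non-deterministic source" mentioned in the quote), and the passphrase word list it embeds is a constructed stand-in for a real list such as the Diceware list (7776 words). The `compare_policies` function and its `word_count` parameter are assumptions of this example.

```python
import math
import secrets
import string

# 94 printable ASCII symbols (letters, digits, punctuation), the usual
# alphabet for "random gibberish" passwords.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed illustrative word list. A real passphrase list is far
# larger (Diceware: 7776 words); the entropy math below uses that size.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "eagle", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "marble", "nickel",
    "orange", "pepper",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for `length` independent uniform choices
    from an alphabet of `alphabet_size` symbols (or words)."""
    return length * math.log2(alphabet_size)


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Random gibberish drawn from the OS CSPRNG (secrets), never from a
    seeded deterministic generator such as random.seed()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int, words=SAMPLE_WORDS) -> str:
    """Passphrase of n_words words chosen uniformly from the list."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate a 2**bits search space at the
    given offline guessing rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def compare_policies(word_count: int = 7776) -> dict:
    """Entropy (bits) of the three policies discussed in the thread:
    8-char random, 12-char random, and a 6-word passphrase drawn from a
    word list of `word_count` words."""
    return {
        "random_8": entropy_bits(len(PRINTABLE), 8),
        "random_12": entropy_bits(len(PRINTABLE), 12),
        "passphrase_6_words": entropy_bits(word_count, 6),
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        # Illustrative offline rate of 1e9 guesses/s (an assumption).
        print(f"{name:20s} {bits:5.1f} bits  "
              f"~{years_to_exhaust(bits, 1e9):.2e} years at 1e9 guesses/s")
    print("password   :", random_password(12))
    print("passphrase :", random_passphrase(6))
```

Run stand-alone it prints the bit counts and worst-case exhaustion times: a 6-word passphrase from a 7776-word list (about 77.5 bits) sits in the same range as a 12-character random string (about 78.7 bits) while being far easier to memorise, which is the point of preferring passphrases over gibberish that ends up on a post-it note.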