[153617] in North American Network Operators' Group


Re: Dear Linkedin,

daemon@ATHENA.MIT.EDU (Alec Muffett)
Fri Jun 8 19:06:04 2012

From: Alec Muffett <alec.muffett@gmail.com>
In-Reply-To: <20120608223329.4683E80003B@ip-64-139-1-69.sjc.megapath.net>
Date: Sat, 9 Jun 2012 00:05:09 +0100
To: Hal Murray <hmurray@megapathdsl.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> Does anybody have a good URL explaining that idea?  It's been kicking around
> for many years.  I've never seen a convincing writeup.

I've tried to do that in another mail - it's in the realms of philosophy more than strategy; like if you're a really security-aware person and take great care you can probably stretch the useful life of a password out to _years_ - but how typical are *you* in that instance?

> Does your bank request/require that you change the PIN on your ATM card every
> few months?

ATM cards are not passwords, they are a coarse form of two-factor authentication - You have the card, you have the PIN.

You have to possess both in order to transact - at least in theory.

Compare that with the secrecy surrounding the CVV - the "last three digits on the number on the back of the card" which you are "not meant to tell anyone" and which _will_ be different if your card is lost/stolen and reissued.

Now _that_ is a password.

> Security is a tradeoff.  I think there are two cases for passwords.  I'll
> call them important and junk.  I'm willing to store the junk ones in a file
> or piece of paper that I'm careful with.  I have to memorize the important
> ones.

You know, that's not bad.  I am pro-paper for long passwords.  I am even-more pro "password safes".

> I'm only smart enough to memorize a few good passwords.  If I change them
> every few months, they will be less good, or fewer of them.

It's harder as we get old.  Use technology to aid with the heavy lifting.  :-)

	-a



