Tack onto the end of that the audible acronym of the website in question: “” becomes “adc”. Full password for your amazon sign in: “DaJltgtLMadm”.

Notes: I wouldn’t necessarily consider Amazon a lower security needs site, as they can store your CC information for 1-click purchasing. Also, this is not the actual sentence and web-site specifying protocol that I use. It’s just an example here.

Advantages: fairly long passwords that incorporate both upper and lower case, and can also include digits. You only need to remember a single passphrase, and whatever algorithm you come up with to make the password different for each website. Once you have the pass phrase in your memory, you will not lose it, short of brain damage.

Disadvantages: An unscrupulous moderator with access to your clear text password at one website (some public bulletin board engines save passwords in the clear) could realize what you’re doing, figure out your specificity algorithm and apply it to other sites you are known to frequent. So your password is only as safe from this sort of prying eye as your algorithm for specificity. For that reason, you should use a better system than the one shown above (say, pulling the first four letters of the domain name, keyboard shifting it one row up, then populating every other letter of your passphrase with the result, giving you “DqajJqlatgtLM” – a good password, reconstructed in ten seconds from the passphrase and “”).

The article reminds me of the futile arguments I had as a system administrator with academically trained auditors who insisted I had to enforce password aging – make people change their passwords every month. It reduced security because it forced people to remember even more passwords, and increased the probability that they would write passwords down on Post-it notes. This cut no ice with the auditors, who dictated as their textbooks had told them to. Since the conventional wisdom was also that writing down passwords was insecure and so strictly forbidden, it left users with nowhere to turn. On the other hand it kept the helpdesk in secure employment on the constant flow of password reset requests. A side effect was the obvious potential for social engineering attacks by impersonating another user on the phone and getting the help desk to reset their password. The help desk was so inured to the requests they did it by rote. I told the users to use password safe and not tell anyone. If discovered one could always argue the semantics of “to write down”.

I was thinking about differing password policies and came up with this (which I tell my users to do). Most of my users seem to use obvious passwords, like their firstname or their child’s name – they are simple and easy to remember, e.g. I could enforce password complexity on a domain, but how many of my users will remember something more cryptic, e.g.