Mark,

On 2012-07-25 Mark Blackman wrote:
> On 25 Jul 2012, at 08:20, Ansgar Wiechers wrote:
>> On 2012-07-25 mouss wrote:
>>> oh come on! the "users" excuse is way too old. if your software accepts
>>> weak passwords, then the problem is with the software, not the user.
>>
>> I'd have to disagree on this one. How do you measure strength or
>> weakness of a password?
>>
>> Length? Is "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" strong?
>>
>> Complexity? Is "Passw0rd" strong?
>>
>> A combination of the above? Is "JosephAverage4/1/1999" strong?
>>
>> Frequent password changes? Is "simplepassword##" strong? (## being a
>> sequential number)
>>
>> How do you effectively protect your infrastructure against users or
>> (worse) customers writing their passwords on PostIts and leaving them
>> around? How do you effectively protect your infrastructure against
>> customers getting their own systems compromised?
>>
>> If you happen to have a solution for this problem, I'm honestly
>> interested in learning about it, because I don't see any.
>
> Isn't the conventional wisdom that a long password consisting of 3 or 4
> common but longer words is sufficient and memorable, along the lines
> of the famous XKCD panel?
Please re-read what I wrote, particularly the second half of it. Is
"Joseph Zebediah Average 4/1/1999" really a strong password? If not: how
do you prevent users/customers from using a password like that? And how
do you prevent a customer's system from being compromised with, say, a
keylogger?

> Obviously there's more to it than that, but I didn't think there was
> much disagreement about the ideal form of a memorable and strong
> password. It's a given that your attacker will have an idea what form
> of password to test for, if not the actual password.

Indeed there isn't much disagreement on what forms a strong password (in
principle). I do fail to see how this could be enforced on a technical
level, though.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
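The example passwords quoted in this thread lend themselves to a demonstration of what a server-side check can and cannot see. The Python below is an editor's added example, not code from the thread or from any of its participants. It runs each password through a typical mechanical policy (minimum length plus character classes), computes the naive per-character entropy such a policy implies, and then applies a few pattern heuristics for the structures the quoted examples share: a single repeated character, leet-decoded dictionary words, date fragments, and a word followed by a short numeric or symbol suffix. The word list, the leet table, the 50% coverage threshold and the 40-bit cutoff are constructed for the demo and are assumptions, not a recommended policy.

```python
import re
from math import log2

# Constructed stand-in for a real dictionary. A deployed check would load a
# large cracking wordlist; the contents here are an assumption for the demo.
COMMON_WORDS = {
    "password", "simple", "average", "joseph", "zebediah",
    "correct", "horse", "battery", "staple", "welcome", "letmein",
}

# Common leet substitutions, undone before the dictionary lookup (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})

# Character classes with the alphabet size each one contributes.
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))


def naive_policy_ok(pw, min_len=8, min_classes=3):
    """The rule a system can enforce mechanically: length plus character classes."""
    present = sum(1 for pat, _ in CLASSES if re.search(pat, pw))
    return len(pw) >= min_len and present >= min_classes


def naive_entropy_bits(pw):
    """Bits if every character were an independent draw from the classes present."""
    space = sum(size for pat, size in CLASSES if re.search(pat, pw))
    return len(pw) * log2(space) if space else 0.0


def dictionary_coverage(pw):
    """Fraction of characters covered by dictionary words after undoing leet."""
    decoded = pw.lower().translate(LEET)
    covered = [False] * len(decoded)
    for word in COMMON_WORDS:
        start = decoded.find(word)
        while start != -1:
            for i in range(start, start + len(word)):
                covered[i] = True
            start = decoded.find(word, start + 1)
    return sum(covered) / len(decoded) if decoded else 0.0


def pattern_flags(pw):
    """Heuristics for the structures the thread's example passwords share."""
    flags = []
    if len(pw) >= 8 and len(set(pw)) <= 2:
        flags.append("repeated_chars")          # aaaaaaaaaaaaaaaa
    if re.search(r"\d{1,2}/\d{1,2}/\d{2,4}|(?<!\d)(19|20)\d{2}(?!\d)", pw):
        flags.append("date")                    # 4/1/1999
    if dictionary_coverage(pw) >= 0.5:          # threshold is an assumption
        flags.append("dictionary_words")        # Passw0rd, JosephAverage
    if re.search(r"[A-Za-z]{6,}[#\d]{1,4}$", pw):
        flags.append("word_plus_short_suffix")  # simplepassword##, simplepassword01
    return flags


def assess(pw, min_len=8, min_classes=3):
    """Policy verdict, naive entropy and pattern flags side by side."""
    flags = pattern_flags(pw)
    bits = naive_entropy_bits(pw)
    return {
        "policy_ok": naive_policy_ok(pw, min_len, min_classes),
        "naive_bits": round(bits, 1),
        "flags": flags,
        "weak": bool(flags) or bits < 40,   # 40-bit cutoff is an assumption
    }


if __name__ == "__main__":
    # Constructed inputs modelled on the passwords quoted in the thread.
    for pw in ("a" * 34, "Passw0rd", "JosephAverage4/1/1999",
               "simplepassword01", "correcthorsebatterystaple",
               "x9#Qv!7Lp2mZ&r"):
        print(f"{pw!r:32} {assess(pw)}")
```

Running it shows the gap the thread is about: a run of one letter passes a length-only policy with a naive estimate near 160 bits, "Passw0rd" satisfies a three-class rule, and "JosephAverage4/1/1999" satisfies all four classes, yet each is flagged by a cheap heuristic. The same dictionary-coverage heuristic also flags "correcthorsebatterystaple", so it cannot simply be turned into a reject rule without also rejecting the memorable passphrases Mark refers to; it is useful as an input to a blocklist or a rate-limited check, not as a definition of strength.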