On 25 Jul 2012, at 10:09, Ansgar Wiechers wrote:
> Mark,
>
> Please re-read what I wrote, particularly the second half of it. Is
> "Joseph Zebediah Average 4/1/1999" really a strong password?

It is a strong password, unless you believe attackers would regard that format as a promising format to exploit. I think that's unlikely to be a promising format to exploit at the moment.

> If not: how do you prevent users/customers from using a password like that?

Well, if you really believe that format is likely, you test for it.

> And how do you prevent a customer's system from being compromised with, say, a
> keylogger?

Keyloggers are a completely separate question from passwords and operate on a different level.

>> Obviously there's more to it than that, but I didn't think there was
>> much disagreement about the ideal form of a memorable and strong
>> password. It's a given that your attacker will have an idea what form
>> of password to test for, if not the actual password.
>
> Indeed there isn't much disagreement on what forms a strong password (in
> principle). I do fail to see how this could be enforced on a technical
> level, though.

You can readily enforce a minimum length of, say, 12-16 characters, which is a great place to start, and of course that says nothing about keyloggers or other infiltrations. If you're assuming that keyloggers are omnipresent, then you've already given up on security.

Mark
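The two technical controls Mark describes, a minimum-length floor and an explicit test for a password shape you believe attackers will try, written out as an added example (not code from the thread or from either participant). The 12-character floor, the regular expression approximating the "Firstname Middlename Lastname d/m/yyyy" shape, and the function name `check_password` are all assumptions made for illustration; a real policy would add further checks (breach-list lookups, for instance) that the thread does not discuss.

```python
import re

# Assumed floor, taken from the 12-16 character range mentioned in the thread.
MIN_LENGTH = 12

# Hypothetical test for the "Joseph Zebediah Average 4/1/1999" shape:
# two or more capitalised words, each followed by whitespace, then a
# d/m/yyyy (or m/d/yyyy) date. Only this exact shape is matched; it is
# an illustration of "testing for a format", not a general name detector.
NAME_DATE_PATTERN = re.compile(
    r"^(?:[A-Z][a-z]+\s+){2,}\d{1,2}/\d{1,2}/\d{2,4}$"
)


def check_password(password: str) -> list[str]:
    """Return the list of policy violations for `password`.

    An empty list means the password passes both checks. Each check is
    reported independently so a user sees every reason at once.
    """
    problems = []

    # Check 1: enforce the minimum length.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Check 2: reject the specific "names followed by a date" format.
    if NAME_DATE_PATTERN.match(password):
        problems.append("matches the 'Firstname Middlename Lastname d/m/yyyy' format")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the first is the thread's own example.
    for candidate in (
        "Joseph Zebediah Average 4/1/1999",
        "short",
        "correct horse battery staple",
    ):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that the thread's example password passes the length check comfortably; it is only the format test, which you add because you have decided that shape is likely to be tried, that rejects it. Any list of suspected formats has to be maintained by hand, which is the enforcement difficulty the thread is circling.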