[unisog] Password policies

jmlistacct at gmail.com
Thu Apr 20 14:25:18 GMT 2006

I am a big fan of the passphrase approach.  If you ask users to create
a phrase that is 4-5 words long, with one misspelled, you end up with
a password that is very hard to compromise and without a ton of
special characters to remember.

For example "My dog gets fleas in the Summr" is long enough that brute
force isn't practical, and the misspelling makes a dictionary attack
impractical.  And it's very easy to remember, so users are less likely
to write them down.

The only weakness is if they exclude a misspelling (or a randomly
placed character of some kind).  If one is not included, my 31
character password essentially becomes a 7 character password.
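
One way to check the policy described in the post above when a passphrase is set, as an added example that is not part of the original message. The sample word list, the function names, and the 95-character and dictionary-size figures are assumptions chosen for illustration.

```python
import math

# Constructed stand-in for a real dictionary (assumption: lower-case entries).
# A deployment would load a full word list instead.
SAMPLE_WORDS = {"my", "dog", "gets", "fleas", "in", "the", "summer",
                "cat", "has", "a", "big", "house"}


def check_passphrase(phrase, wordlist=SAMPLE_WORDS, min_words=4):
    """Apply the post's rule: several words, at least one not in the dictionary.

    Returns (ok, reasons, off_dictionary_tokens). A token with a stray
    character attached ("Summer!") counts as off-dictionary, like a misspelling.
    """
    tokens = phrase.split()
    off_dict = [t for t in tokens if t.lower() not in wordlist]
    reasons = []
    if len(tokens) < min_words:
        reasons.append(f"needs at least {min_words} words, got {len(tokens)}")
    if not off_dict:
        reasons.append("every word is in the dictionary; "
                       "add a misspelling or a stray character")
    return (not reasons, reasons, off_dict)


def search_space(phrase, dictionary_size, charset_size=95):
    """Compare guessing character by character with guessing word by word.

    The word-level figure only applies when every token is a dictionary word;
    then each word acts as one symbol from a dictionary-sized alphabet.
    """
    chars, words = len(phrase), len(phrase.split())
    return {
        "chars": chars,
        "words": words,
        "char_bits": chars * math.log2(charset_size),
        "word_bits": words * math.log2(dictionary_size),
    }


if __name__ == "__main__":
    for p in ("My dog gets fleas in the Summr", "My dog gets fleas in the Summer"):
        print(p, check_passphrase(p), search_space(p, dictionary_size=100_000))
```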


