[unisog] Password policies
jmlistacct at gmail.com
Thu Apr 20 14:25:18 GMT 2006

I am a big fan of the passphrase approach. If you ask users to create
a phrase that is 4-5 words long, with one misspelled, you end up with
a password that is very hard to compromise and without a ton of
special characters to remember.

For example "My dog gets fleas in the Summr" is long enough that brute
force isn't practical, and the misspelling makes a dictionary attack
impractical. And it's very easy to remember, so users are less likely
to write them down.

The only weakness is if they exclude a misspelling (or a randomly
placed character of some kind). If one is not included, my 31
character password essentially becomes a 7 character password.
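
The comparison in the message above (31 characters versus 7 words, with and without a one-letter misspelling or a randomly placed character), worked through as an added example that is not part of the original post. The 20,000-word dictionary, the 95-character printable set and the assumption that words are picked independently and uniformly are constructed for illustration; a grammatical sentence would score lower than the word-level figures shown.

```python
import math

# Assumptions for this sketch (constructed, not from the post):
WORDLIST_SIZE = 20_000   # words in the guesser's dictionary
CHARSET_SIZE = 95        # printable ASCII characters

PHRASE = "My dog gets fleas in the Summer"   # the post's phrase, spelled correctly

def char_bits(phrase):
    """Guessing cost in bits if every character is treated as random."""
    return len(phrase) * math.log2(CHARSET_SIZE)

def word_bits(phrase):
    """Guessing cost in bits if each dictionary word counts as one symbol."""
    return len(phrase.split()) * math.log2(WORDLIST_SIZE)

def deletion_variants(phrase):
    """Every distinct phrase made by dropping one letter from one word."""
    words = phrase.split()
    variants = set()
    for i, word in enumerate(words):
        for j in range(len(word)):
            changed = word[:j] + word[j + 1:]
            variants.add(" ".join(words[:i] + [changed] + words[i + 1:]))
    return variants

def dropped_letter_bits(phrase):
    """Word-level cost plus the choice of which letter was dropped."""
    return word_bits(phrase) + math.log2(len(deletion_variants(phrase)))

def inserted_char_bits(phrase):
    """Word-level cost plus one printable character at any position
    (upper bound: some insertions produce the same string)."""
    return word_bits(phrase) + math.log2((len(phrase) + 1) * CHARSET_SIZE)

if __name__ == "__main__":
    print(f"{len(PHRASE)} chars, {len(PHRASE.split())} words")
    print(f"character-level guessing:     {char_bits(PHRASE):6.1f} bits")
    print(f"word-level, no misspelling:   {word_bits(PHRASE):6.1f} bits")
    print(f"word-level + dropped letter:  {dropped_letter_bits(PHRASE):6.1f} bits")
    print(f"word-level + inserted char:   {inserted_char_bits(PHRASE):6.1f} bits")
```
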