[unisog] Password policies

Eric Rostetter rostetter at mail.utexas.edu
Thu Apr 20 18:58:47 GMT 2006


Quoting Sheila Hollenbaugh <sheila.hollenbaugh at wright.edu>:

> We have machines which only recognize the first 8 characters of the
> password.  You can have longer passwords, but only the first eight
> characters are significant.  So character substitution is not viable if
> the first eight letters are a dictionary word.  And requiring 20
> characters is not useful.

You simply change the rules slightly.  The example phrase

"I think frequent password changes are useless!"

could become "Itfpcau!" or "Itfpcru!" or "Itfqpwcaul!" and so on.
I'm simply taking the first letter of each word, or first letter of
each syllable, or substituting easy characters like "r" for "are"
or "2" for "to" and so on.

For the sample phrase, I might use "4Itfpwdcru!" for example, or
some shorter version of that (using "p" instead of "pwd") if needed
for length restrictions...

One of the easiest ways to remember a password is to make a phrase
you can't forget, and then use that phrase in some way (combining things
like first/last letter of each word, simple character substitutions,
capitalization changes, doing it backwards, etc).  Note I said "combining"
methods, as one method alone may not be secure enough.

I actually generate random passwords which have some meaning to me.
By which I mean, I have a function that creates strings from data
obtained from /dev/random and prints out about 100 such strings. Of
those 100, I can usually find 1 or 2 which seem to me to be a pronounceable
word, represent some strange phrase, etc.  So I pick one of those and
use it.  I rarely forget a password I've generated this way...  And they
do make really secure passwords...

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!
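As an added example (not part of Eric's post or any unisog code), here is a Python version of the "generate about 100 random candidates and pick one" approach that also respects Sheila's 8-significant-character systems: `secrets` stands in for /dev/random, the word list is a small constructed stand-in for a real dictionary, and the pronounceability score is an assumed heuristic for the by-eye selection the post describes.

```python
import math
import secrets
import string

# Alphabet the candidates are drawn from (letters, digits, a few symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%&*"
VOWELS = set("aeiouAEIOU")
SIGNIFICANT = 8  # the systems in the thread ignore everything past character 8

# Small constructed word list standing in for a real dictionary (assumption).
DICTIONARY = {"password", "longhorn", "physics", "frequent", "useless1"}


def random_candidate(length: int = 10) -> str:
    """Draw a candidate from a CSPRNG (the stdlib analogue of reading /dev/random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def significant_part(pw: str) -> str:
    """The part of the password a truncating system actually stores and compares."""
    return pw[:SIGNIFICANT]


def prefix_entropy_bits(pw: str) -> float:
    """Entropy of the significant prefix only, not of the full string the user typed."""
    return len(significant_part(pw)) * math.log2(len(ALPHABET))


def prefix_is_dictionary_word(pw: str) -> bool:
    """True when the significant prefix, ignoring case, is a dictionary word.
    Substitutions made after position 8 do not help on such a system."""
    return significant_part(pw).lower() in DICTIONARY


def pronounceability(pw: str) -> int:
    """Heuristic: count vowel/consonant alternations among letters in the prefix.
    Higher scores tend to read like a word, which is what the post picks by eye."""
    letters = [c for c in significant_part(pw) if c.isalpha()]
    return sum((a in VOWELS) != (b in VOWELS) for a, b in zip(letters, letters[1:]))


def rank_candidates(n: int = 100, length: int = 10) -> list:
    """Generate n candidates, drop those whose significant prefix is a dictionary
    word, and return the rest most-pronounceable first for a human to choose from."""
    pool = [random_candidate(length) for _ in range(n)]
    pool = [p for p in pool if not prefix_is_dictionary_word(p)]
    return sorted(pool, key=pronounceability, reverse=True)


if __name__ == "__main__":
    for cand in rank_candidates()[:10]:
        print(cand, significant_part(cand), round(prefix_entropy_bits(cand), 1))
```

The entropy figure is deliberately computed on the 8-character prefix, since on these machines that is all an attacker has to guess regardless of how long the typed password is.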
