<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Is the password dead?</title><link>http://blogs.technet.com/brucecowper/archive/2004/12/30/344272.aspx</link><description>In a previous blog post I talked about account lockout tools... and quite rightly it was pointed out by Drew that one potential drawback is that people can use the lockout feature as a denial of service (DoS) attack. When you decide on your password policies,</description><dc:language>en-CA</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: Is the password dead?</title><link>http://blogs.technet.com/brucecowper/archive/2004/12/30/344272.aspx#344292</link><pubDate>Thu, 30 Dec 2004 18:23:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:344292</guid><dc:creator>Steve Lamb</dc:creator><description>Good article - it's amazing how few people use or have even heard of PASSPHRASES!</description></item><item><title>RE: Is the password dead?</title><link>http://blogs.technet.com/brucecowper/archive/2004/12/30/344272.aspx#344310</link><pubDate>Thu, 30 Dec 2004 18:55:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:344310</guid><dc:creator>exyll@hotmail.com (Ramon 'Exyll' Smits)</dc:creator><description>Smartcards are indeed the future! I already had customers where you can only login with smartcards. Problem with smartcards is that they can become faulty. So this is not really an option for home use.&lt;br&gt;&lt;br&gt;Smart cards are very useful.. and having your private key with you in your wallet is also very handy at times.&lt;br&gt;&lt;br&gt;I have one super duper secret password.
Nobody knows it and I only use this password for certain data and where I know that the environment is secure. Then I have a regular password and regular password with extension for password cycles. At home I use Passwordsafe for webpassword.&lt;br&gt;I think I even am one of the few home users that has a lot of data stored encrypted. My regular password is stored at home on paper. If I die.. then people can still access my files except for my super duper safe password.. I will definitely take this with me into my grave. I sure hope so that I won't suffer from dementia when I get older :-)</description></item><item><title>re: Is the password dead?</title><link>http://blogs.technet.com/brucecowper/archive/2004/12/30/344272.aspx#344320</link><pubDate>Thu, 30 Dec 2004 19:23:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:344320</guid><dc:creator>Brant Gurganus</dc:creator><description>A flaw with smart cards (at least my understanding of them) is that they can be stolen.  A password (phrase) that is not written down cannot be stolen without something extreme like torture.</description></item><item><title>re: Is the password dead?</title><link>http://blogs.technet.com/brucecowper/archive/2004/12/30/344272.aspx#344355</link><pubDate>Thu, 30 Dec 2004 20:14:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:344355</guid><dc:creator>Kent Chen</dc:creator><description>Well, there is no perfect solution at all in this world on anything even though someone is always looking for it.  It is just like another &amp;quot;You can't have fish and bear palm at one time&amp;quot; (Chinese slang).&lt;br&gt;&lt;br&gt;Everything you need to balance.  For most cases, password lock out is still working to those organizations that don't have that much chance to get this DoS attack, but for others, not using it may be better.  
If that happens the only way to still make sure you are secure seems to be giving a more complex password or pass phrase.&lt;br&gt;&lt;br&gt;By the way, a pass phrase is really a good idea to enhance the power of a password.  However, you need to balance it as well.  Not everyone can type such long characters into the password fields.</description></item><item><title>re: Is the password dead?</title><link>http://blogs.technet.com/brucecowper/archive/2004/12/30/344272.aspx#344357</link><pubDate>Thu, 30 Dec 2004 20:19:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:344357</guid><dc:creator>Bruce</dc:creator><description>Kent,&lt;br&gt;&lt;br&gt;Another big point to your comment about the use of pass phrases is that some (mainly legacy) systems are very limited in the number of characters you can use: Windows 95 is limited to 14 chars for example.&lt;br&gt;&lt;br&gt;Keep it coming.&lt;br&gt;&lt;br&gt;Bruce</description></item><item><title>Steve Lamb</title><link>http://blogs.technet.com/brucecowper/archive/2004/12/30/344272.aspx#344397</link><pubDate>Thu, 30 Dec 2004 21:11:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:344397</guid><dc:creator>TrackBack</dc:creator><description>Steve Lamb</description></item><item><title>re: Is the password dead?</title><link>http://blogs.technet.com/brucecowper/archive/2004/12/30/344272.aspx#344487</link><pubDate>Fri, 31 Dec 2004 00:03:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:344487</guid><dc:creator>Drew</dc:creator><description>Right on!&lt;br&gt;&lt;br&gt;Robert Hensing had a couple of blog posts about passphrases, too.  Hope it's ok to post links to those in my comment.
&lt;br&gt;&lt;a target="_new" href="http://blogs.msdn.com/robert_hensing/archive/2004/08/23/218903.aspx"&gt;http://blogs.msdn.com/robert_hensing/archive/2004/08/23/218903.aspx&lt;/a&gt;&lt;br&gt;&lt;a target="_new" href="http://blogs.msdn.com/robert_hensing/archive/2004/10/22/246364.aspx"&gt;http://blogs.msdn.com/robert_hensing/archive/2004/10/22/246364.aspx&lt;/a&gt;&lt;br&gt;&lt;br&gt;Brant: One of the beauties of smartcards is that they can offer 2 factor auth.  They rely on something you have (the physical card) and often also on something you know (your PIN).  If someone steals my smartcard for work it means they also stole the cardkey that gets me into the buildings on campus and my bus pass which would upset me a little, but the card alone won't get anyone into my account so I don't have to worry about the thief leaking Windows source code or internal email to the world.  The thief would have to steal my smartcard and then still need to torture me to whatever extreme necessary.  That would upset me even more than losing my bus pass.</description></item></channel></rss>