Security - Secure Passphrases
Many times I have visited a business where passwords were stuck to the rack cabinet, the desk, and the monitor. Generally a secure password must be more than 8 characters long, use letters (Aa), numbers (123), and symbols (!#@), and, most importantly, must not be stuck to the side of a cabinet. The passwords handed out to users are usually produced by a random password generator, and most users look at you and say "huh! you want me to remember this?" So how do we overcome end users' tendency to write down our "secure" passwords? Simple: make an easy-to-remember passphrase with a twist.
Scenario
Susan, the front desk office worker, likes to paste on her monitor the passwords given to her by the IT department. I asked her a few simple questions:
Me: "Susan, I noticed that you have a book on knitting. Do you knit?"
Susan: "Why, yes, I love to knit!"
Me: "What is your favorite knitting style?"
Susan: "I love knitting long tail cast on."
Me: "Susan, here is your new passphrase: longtailcaston"
From two perspectives the above passphrase is both ultra-secure and ultra-insecure: from a brute-force point of view it would take years to crack, but from a cryptanalysis point of view it could take only a few seconds (ref. RainbowCrack).
Let's look at the alphabet and draw on numbers and symbols to re-secure the passphrase.
Original: longtailcaston
Simple: l0ngtailcast0n (the letter o has been replaced by the number 0)
Good: l0ngt@ilc@$t0n (now the letters a and s are also replaced by @ and $)
So the user only has to remember longtailcaston and which characters to replace. Easy and personal to the user, and secure enough to protect against writing it down (hopefully), brute force, and cryptanalysis. I have included a quick Perl primer here
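As an added illustration (not part of the original post), the following Python script applies the page's o, a and s substitutions to the phrase above and compares the search space a pure brute-force attacker faces with the small number of extra spellings an attacker who already knows the base phrase and the substitution set has to try. The character-class sizes and the 2**k variant count are my assumptions, not figures from the post.

```python
# Added example (not from the original post): apply the post's
# substitution rule to a passphrase and compare how large the search
# space looks to a pure brute-force attacker versus one who already
# knows the phrase and the substitution set.
import math
from typing import Optional

# The substitutions described on the page: o -> 0, a -> @, s -> $
SUBS = {"o": "0", "a": "@", "s": "$"}


def harden(phrase: str, subs: Optional[dict] = None) -> str:
    """Return the phrase with every substitutable letter replaced."""
    return phrase.translate(str.maketrans(subs or SUBS))


def charset_size(pw: str) -> int:
    """Size of the smallest set of standard character classes covering pw
    (assumed sizes: 26 lower, 26 upper, 10 digits, 33 ASCII symbols)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the keyspace an attacker with no hints must search."""
    return len(pw) * math.log2(charset_size(pw))


def substitution_variants(phrase: str, subs: Optional[dict] = None) -> int:
    """Number of spellings if each substitutable letter may or may not be
    replaced: 2**k for k substitutable positions. This is the extra work
    for an attacker who already guessed the base phrase from a wordlist."""
    subs = subs or SUBS
    return 2 ** sum(1 for c in phrase if c in subs)


if __name__ == "__main__":
    base = "longtailcaston"
    for label, pw in [("Original", base), ("Simple", harden(base, {"o": "0"})),
                      ("Good", harden(base))]:
        print(f"{label:8} {pw:16} brute-force ~{brute_force_bits(pw):.1f} bits")
    print("spellings for a rule-aware attacker:", substitution_variants(base))
```

The brute-force estimate grows from roughly 66 to 86 bits, while a cracker that already has the base phrase only needs 32 extra guesses; the substitution mainly helps against the plain dictionary lookup the post warns about.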
Creating IT Harmony