Monday, June 26, 2006

Passwords for You

The Spark

http://www.hashapass.com/
featured on Digg
http://www.digg.com/security/Too_many_passwords__2

http://angel.net/~nic/passwd.html
is the original as far as I am concerned

and it inspired
http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/

and perhaps
http://crypto.stanford.edu/PwdHash/
http://passwordmaker.org

though clearly this idea for password generation is not new
http://www.toolsforselling.com/v1/1/password.htm

Password Management

When we talk about passwords, we usually choose one of two perspectives: the safest and most secure, or the easiest to use. You can get a lot of security by using longer, less predictable, less accessible passwords. Something like a set of 10,000 randomly generated characters that are stored in your memory would be very secure, but it would take more than 30 minutes to type it. Or, you can get something very easy to remember, like the name of your dog, and you will never have trouble getting into your bank account (and neither will anyone else).

What we really want is a balance of the two so we are secure from the casual, economically-minded thief, and so we can recall the password when we need it. We can be inspired by a couple of real-world examples to understand how we balance these values every day. Consider your front door. It has a lock or two and a key. Generally you remember to take the key with you, but occasionally it could get forgotten, lost, or stolen. The locks will keep most people out of your house, but the door can be knocked down by the police or a determined burglar. Consider your credit card. It fits easily in your pocket or wallet, and requires only a signature or PIN to use. It can be stolen, but you treat it with care at home and at the mall.

See, balance is part of your life. It isn't hard to take it with you online either. You don't have to use randomly generated data for all 200 of your accounts, and you don't have to settle for pets' names.

Your Own Password Policy

Good balance in your password policy means:
  1. Never sharing a password with more than one organization.
  2. Never forgetting a password.
  3. Your password is with you wherever you go.
  4. Cannot be easily coerced from you, and only with your knowledge of that fact.
  5. Provides no incentive for bodily harm.
  6. Does not require a degree in Computer Science to use.
  7. Can be used for any or most organizations. (Included in the Password Space)

Password Spaces

When choosing our own policy we need to consider the limits that applications put on our passwords. Today, that usually means a password at least 6-8 characters long, containing at least one character from each of the following: lower-case, upper-case, and numbers. Sometimes symbols are required; sometimes they are completely excluded.
  • The Hash Space contains all combinations for a given set of characters.
  • The Attack Space contains all words and combinations of words from the dictionary.
  • The Policy Exclusion Space contains all combinations in the Hash Space that are not part of the Policy Space: passwords without at least one character from each of lower-case, upper-case, and numbers, etc.
  • The Policy Space includes all combinations in the set given by the Hash Space minus the Policy Exclusion Space.
A problem arises because the spatial needs of the user and organization are different.

The organization desires:
  • Evenly distributed passwords to reduce the likelihood of a brute-force attack succeeding.
  • No passwords in the typical Attack Space.
  • No passwords that will break internal password code that may not handle characters beyond alphanumerics.
The user desires:
  • Randomly distributed passwords to reduce the likelihood of their choice being predictable.
  • No passwords in the typical Attack Space.
Ideally, the Policy Exclusion Space (PES) and the Attack Space (AS) would match. Because the algorithms for the policy are much simpler than those for the attack, there is usually a gap between these two spaces. Whereas the user should choose a different password if their initial choice falls in the Attack Space, there is little benefit to the user in choosing a different password if their choice falls in PES-AS (the difference of PES and AS). For example, the password "teslbfZIuMWQopoh" is long, random, and unlikely to be the victim of a brute-force attack. Yet, many Policy Spaces forbid it as a shortcut for eliminating dictionary words. Most users will simply add a "1" to the end, defeating the value of the policy, as the password becomes no more secure than it was a moment before. In fact, the policy may weaken the quality of passwords by forcing users to find a simple, memorable solution.
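To make the spaces concrete, here is an added example (my own code, not from any of the tools linked above) that classifies candidate passwords against a toy policy and a constructed mini-dictionary, and shows why appending a "1" satisfies the policy without adding real work for an attacker who already tries digit suffixes. The 8-character minimum, the dictionary entries and the leet-substitution rule are assumptions chosen for illustration.

```python
import math
import string

# Constructed mini-dictionary standing in for the Attack Space; a real
# cracking wordlist has millions of entries.
ATTACK_DICT = {"password", "welcome", "monkey", "dragon", "letmein"}

# Character classes the (assumed) policy requires one of each.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
}

def in_policy_exclusion_space(pw, min_len=8):
    """True if the policy (length + one char from each class) rejects pw."""
    if len(pw) < min_len:
        return True
    return any(not (CLASSES[c] & set(pw)) for c in CLASSES)

def in_attack_space(pw):
    """Crude dictionary-attack model: a dictionary word, case-insensitive,
    with common leet substitutions undone and any trailing digits dropped."""
    core = pw.rstrip(string.digits).lower()
    deleet = core.translate(str.maketrans("013@$", "oieas"))
    return core in ATTACK_DICT or deleet in ATTACK_DICT

def effective_bits(pw):
    """Brute-force work (bits) over the classes present in the password,
    assuming the attacker tries appended digit suffixes as a free rule,
    so a trailing '1' contributes nothing."""
    stem = pw.rstrip(string.digits) or pw
    alphabet = sum(len(s) for s in CLASSES.values() if s & set(stem))
    return len(stem) * math.log2(alphabet)

def classify(pw):
    """Place pw in the Attack Space, the PES-AS gap, or the accepted set."""
    pes, att = in_policy_exclusion_space(pw), in_attack_space(pw)
    if att:
        return "attack space (policy " + ("rejects" if pes else "accepts") + ")"
    if pes:
        return "PES-AS gap: strong but rejected by policy"
    return "accepted, not in attack space"

if __name__ == "__main__":
    for pw in ["teslbfZIuMWQopoh", "teslbfZIuMWQopoh1", "Password1", "P@ssw0rd1", "dragon"]:
        print(f"{pw:20} {classify(pw):45} {effective_bits(pw):6.1f} bits")
```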
