Your passwords don’t suck, it’s your policies

  1. #1
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391

    Interesting take.
    http://www.zdnet.com/blog/identity/y...selector-blogs

  2. #2
    Join Date
    Feb 2000
    Location
    Idaho Falls, Idaho, USA
    Posts
    18,428
    Excellent article. Password policies often DO cause problems.

    Some policies are so strict that only completely random character sequences will be allowed. The trouble with those is that no one can remember them, so they end up being written down and/or stored in insecure locations.

    While a minimum length is needed to prevent brute force cracking from being successful in a reasonable amount of time, longer passwords are not necessarily more secure if other methods can be used to guess them.

  3. #3
    HAN
    Join Date
    Feb 2002
    Location
    USA
    Posts
    4,319
    Interesting read.

    The question I have is that they claim to be able to recognize patterns. And thus, passwords with patterns are weaker.

    I have read claims (on Steve Gibson's grc.com site) that the length of a password, with or without a pattern, is what matters most (note I didn't say all, but most). This is due to the assertion that the password is not discovered by one or a few characters at a time (like on TV or in the movies) but must be discovered in its entirety.

    I am no cryptologist but I don't see how Passfault sees any patterns in lengthy passwords. Certainly the "test" on their webpage is no proof. They are seeing the phrase you type (they are NOT cracking the password in that amount of time!)

    I would like to see discussion between some experts on these differing points of view!
    Last edited by HAN; May 16th, 2012 at 07:22 PM.
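
The two views raised in posts #2 and #3 (length-only brute force versus pattern-aware guessing) can be put side by side. The sketch below is an added example, not part of any post and not Passfault's or GRC's algorithm; the toy wordlist, the assumed dictionary size of 100,000 and the pattern costs are all illustrative assumptions.

```python
from functools import lru_cache

# Constructed toy wordlist used only for matching; WORD_COST is the assumed
# size of a real guessing dictionary, times 2 for "word" vs "Word".
WORDLIST = {"password", "monkey", "dragon", "summer",
            "correct", "horse", "battery", "staple"}
WORD_COST = 100_000 * 2
CLASSES = (("abcdefghijklmnopqrstuvwxyz", 26), ("ABCDEFGHIJKLMNOPQRSTUVWXYZ", 26),
           ("0123456789", 10))
SYMBOLS = 33  # printable ASCII punctuation plus space

def alphabet_size(pw):
    """Size of the character set an exhaustive search would have to cover."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in pw))
    known = "".join(chars for chars, _ in CLASSES)
    return size + (SYMBOLS if any(c not in known for c in pw) else 0)

def brute_force_guesses(pw):
    """Length-only view: every position is an independent draw from the alphabet."""
    return alphabet_size(pw) ** len(pw)

def pattern_guesses(pw):
    """Pattern-aware view: cheapest way to assemble pw from words, digit runs,
    repeated-character runs and single arbitrary characters."""
    alpha = alphabet_size(pw)

    @lru_cache(maxsize=None)
    def best(i):
        if i == len(pw):
            return 1
        costs = [alpha * best(i + 1)]                      # one arbitrary character
        for j in range(i + 2, len(pw) + 1):
            chunk = pw[i:j]
            if chunk.lower() in WORDLIST and chunk[1:].islower():
                costs.append(WORD_COST * best(j))          # dictionary word
            if chunk.isdigit():
                costs.append(10 ** len(chunk) * best(j))   # e.g. a year or PIN
            if len(set(chunk)) == 1:
                costs.append(alpha * len(pw) * best(j))    # "aaaa", "!!!!"
        return min(costs)

    return best(0)

if __name__ == "__main__":
    for pw in ("Summer2012!", "qZ7#vT2pLx", "correcthorsebatterystaple"):
        print(f"{pw:26} brute={brute_force_guesses(pw):.2e} pattern={pattern_guesses(pw):.2e}")
```

Under these assumptions a policy-compliant "Summer2012!" drops far below its brute-force figure, a random string does not drop at all, and a long four-word passphrase stays well above the short patterned password even after the pattern discount.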

  4. #4
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    Like I stated, interesting take!

  5. #5
    Join Date
    May 2012
    Location
    London
    Posts
    10
    Really interesting article, will make me think about how secure my passwords really are.

  6. #6
    HAN
    Join Date
    Feb 2002
    Location
    USA
    Posts
    4,319
    Well, there has been more discussion of this around the web. As I suspected, the PassFault "method" has some serious issues. I place no confidence at all in their theories OR their tool.

    This link sums it up very well... http://itknowledgeexchange.techtarge...-length-redux/

  7. #7
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    Nice, glad to see someone did that.
