> > And extra points if it prevents use of passwords too close to the
> > previous password(s),
>
> Doesn't that require keeping a copy of the password in a form
> that can be decrypted? Or, at least, compared against with some sort
> of "nearness" comparison, which is really hard to do with one-way
> encryption.

Excellent point!

> That seems much more dangerous than
> the chance of the next one being somewhat similar.

Yes, storing passwords on a computer is dangerous. Of course, not storing
them on any computer makes it very hard to use them.

> > Why does the concept bug me? Why do I think that if it's machine
> > generated and easy to memorize it's going to be easy to brute force?
>
> If computers can't do things better than you would yourself, why
> are we bothering to use them?

Excellent point!!!

(Sorry, I got carried away there.)

> > Anyway, helping the user at least set a password other than the typical
> > "password" sort of password will be sort of an improvement, at least for
> > a little while.
>
> It's hard to reconcile this comment with the previous one that
> implied that the user would do a better job than pwgen...

I agree.

Self-spreading and social-engineering malware reveals the evil in the 666
permissions Microsoft has about the internet, but it's really hard to argue
that securing things is anything but a temporary fix.

Almost a year ago, I wrote a little half-baked rant on my personal site
about how the manufacturers of personal computer OSses should help the
user set up his or her password. But it's just a band-aid. Unfortunately,
computers being what they are, and people being what they are, I don't
see anything else to do, other than change the bandaids.

Anyway, for now, helping the user set better passwords seems like a good
idea. Pretty soon the black hats are going to analyse the algorithms used
by those user-helper mini-apps and be able to guess about half of the
passwords generated.

Physical tokens can be broken the way locks can, so the people who
advocate those (and keychains!) are not really advocating anything with
any permanent security.

Security is an illusion. But failing to be secure is not an answer.

I guess I need to add a little bit to my pages, for the next level.

--
Joel Rees <rees@xxxxxxxxxxx>
digitcom, inc.  株式会社デジコム
Kobe, Japan  +81-78-672-8800
** <http://www.ddcom.co.jp> **
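The two checks the thread contrasts, as an added example that is not code from the list or any of its participants: a "nearness" comparison, which is only possible on the two plaintexts the user types at change time, beside an exact-match check against stored one-way hashes of older passwords, where nothing but equality can be decided. The distance threshold, hash parameters and sample passwords are assumptions.

```python
import hashlib
import hmac
import os

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def too_similar(old: str, new: str, min_distance: int = 5) -> bool:
    """Nearness check on plaintexts, possible only because the user supplies
    both the old and the new password during a change. Also rejects a
    case-flipped or reversed copy of the old password."""
    if new.lower() == old.lower() or new == old[::-1]:
        return True
    return edit_distance(old, new) < min_distance

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow one-way hash; only salt and digest are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def in_history(new: str, history) -> bool:
    """Exact-match check against stored (salt, digest) pairs. The digests
    reveal nothing to measure nearness against, so only equality is decidable."""
    return any(hmac.compare_digest(hash_password(new, salt), digest)
               for salt, digest in history)

def check_change(old: str, new: str, history) -> str:
    """Combined policy applied at password-change time."""
    if too_similar(old, new):
        return "too similar to current password"
    if in_history(new, history):
        return "matches a previous password"
    return "ok"

if __name__ == "__main__":
    # Constructed sample history of one older password (assumed value).
    salt = os.urandom(16)
    history = [(salt, hash_password("Tr0ub4dor&3", salt))]
    print(check_change("Summer2020!", "Summer2021!", history))
    print(check_change("Summer2020!", "Tr0ub4dor&3", history))
    print(check_change("Summer2020!", "correct horse battery", history))
```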