Tim wrote:
On Tue, 2006-04-04 at 00:46 -0500, Mike McCarty wrote:
Should include at least one "special" character.
When telling someone that, you really need to define what you mean by
"special". I know the next bit goes somewhat towards that, but it's
still a bit too vague. You can also get people trying to use characters
that can't be used with some password systems. It would really help if
password systems would accept any character that you can type on the
keyboard.
IMO, these rules need to be enforced by the password system itself.
So, exactly what constitutes a "special" character should be built
into it, and if an invalid character is detected, then a useful
error message should be generated.
Anyway, I wasn't trying to write out a fully comprehensive set of rules.
I was simply stating what I consider to be the minimum security.
Guidelines, not rules.
Another good guide is:
Enforce changing of passwords on at least a monthly basis.
Do not permit re-use of old passwords.
Should not include non-graphic characters (like CR, LF, CTRL-A).
Should be at least 6 and preferably over 8 characters long.
Should be "rememberable".
Should *not* be written down anywhere.
The last two being a key problem. By now, I've amassed about a dozen
passwords that I just cannot remember. Even if I wanted to make
memorable passwords, too many systems are so limited that you can't
easily do it (e.g. passwords are too short, etc.). Then there's the
problem of remembering which password belongs to what account. Writing
them down, or writing down the reminder trick, becomes the only way to
do so.
See my other message about writing down.
Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
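
One way to have the password system itself enforce the guidelines discussed in this message and report a useful error, as an added example that is not part of the original e-mail. The function name `check_password`, the choice of ASCII punctuation as the "special" set, and the sample passwords are assumptions.

```python
import string

# Assumption: "special" means ASCII punctuation; the system states the set
# explicitly so the user never has to guess what is accepted.
SPECIAL = set(string.punctuation)
MIN_LENGTH = 6         # "at least 6" in the guidelines
PREFERRED_LENGTH = 9   # "preferably over 8"


def check_password(candidate):
    """Return (errors, warnings); an empty errors list means accepted."""
    errors, warnings = [], []

    # Non-graphic characters (CR, LF, CTRL-A, ...) are rejected, and the
    # message names each offending code point instead of a bare "invalid".
    bad = sorted({c for c in candidate if not c.isprintable()})
    if bad:
        names = ", ".join(f"U+{ord(c):04X}" for c in bad)
        errors.append(f"contains non-graphic character(s): {names}")

    if len(candidate) < MIN_LENGTH:
        errors.append(
            f"too short: {len(candidate)} characters, minimum is {MIN_LENGTH}")
    elif len(candidate) < PREFERRED_LENGTH:
        warnings.append(
            f"accepted length, but {PREFERRED_LENGTH} or more is preferred")

    if not any(c in SPECIAL for c in candidate):
        errors.append(
            "needs at least one special character from: " + string.punctuation)

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for sample in ["abcdef", "abc\x01de!", "correct-horse"]:
        errs, warns = check_password(sample)
        print(repr(sample), "REJECTED" if errs else "ok", errs, warns)
```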