Feb. 4th, 2012 06:44 am (UTC)
This is very interesting. I'll remember it now that I have to set a new password at the uni. I've been racking my brain to use something I'll actually remember in two months, after not having used it for all that time...
Feb. 4th, 2012 01:01 pm (UTC)
I'm not convinced that XKCD is completely right though. (And here I need to stress that although I do have some training in information risk management, I'm certainly no mathematician...)

Surely if you give the computer in the second example a dictionary, it would be able to search for a [random number of random common words of random length in random order] and this would be quicker than searching for [random number of random characters]? Or is that in fact what is going on? Some mathematician needs to comment on this. My A-level statistics is a long, long time ago...
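A worked check of the point raised in the comment above, added here as an example rather than text from the commenter or from the comic: the comic's 44-bit figure for four common words already assumes the attacker has the dictionary and knows the scheme, because an attacker who knows "four words from a 2048-word list" has exactly 2048^4 = 2^44 ordered guesses to try. The Python below reproduces the comic's two published times from its published parameters (a 2048-word list and 1000 guesses per second), shows that not knowing the word count adds almost nothing, compares against random characters of the same length, and adds the caveat a practitioner would raise: against an offline cracker the same 44 bits fall in under an hour. The 1e10 guesses/second offline rate and the per-component breakdown of "Tr0ub4dor&3" are my assumptions, marked as such in the code.

```python
import math

# Constructed assumptions for this worked example (not figures from the
# thread): the comic's 2048-word list (11 bits per word) and its attacker
# rate of 1000 guesses per second against a remote, rate-limited service.
WORDLIST_SIZE = 2048
ONLINE_GUESSES_PER_SECOND = 1_000
# Assumed offline rate for the caveat at the end: a GPU cracker working on
# an unsalted fast hash (MD5, NTLM) manages on the order of 1e10 guesses/s.
OFFLINE_GUESSES_PER_SECOND = 10_000_000_000

# My reading of the comic's entropy budget for "Tr0ub4dor&3": a 16-bit
# uncommon base word, 1 bit for capitalisation, 3 bits for common
# substitutions, 4 bits for punctuation, 3 bits for a numeral, 1 bit for
# which of the two comes last.  It totals the comic's 28 bits.
TROUBADOR_BITS = 16 + 1 + 3 + 4 + 3 + 1


def passphrase_bits(words, wordlist_size=WORDLIST_SIZE):
    """Entropy of `words` words chosen uniformly at random, with replacement,
    from a list of `wordlist_size` words.  The attacker is assumed to know
    the scheme AND the word list, so the search space is every ordered
    k-tuple: wordlist_size ** words, i.e. words * log2(wordlist_size) bits."""
    return words * math.log2(wordlist_size)


def variable_count_bits(min_words, max_words, wordlist_size=WORDLIST_SIZE):
    """Search space when the attacker also does not know how many words were
    used: the sum of N**k over every possible count.  Word order is already
    counted inside N**k (ordered tuples), so 'random order' adds nothing."""
    total = sum(wordlist_size ** k for k in range(min_words, max_words + 1))
    return math.log2(total)


def random_chars_bits(length, alphabet_size):
    """Entropy of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def full_search_seconds(bits, guesses_per_second):
    """Time to exhaust the whole keyspace at a given rate.  The comic quotes
    the full search, not the expected half, so the same is done here."""
    return 2.0 ** bits / guesses_per_second


def full_search_days(bits, guesses_per_second):
    return full_search_seconds(bits, guesses_per_second) / 86_400


def full_search_years(bits, guesses_per_second):
    return full_search_seconds(bits, guesses_per_second) / (365.25 * 86_400)


if __name__ == "__main__":
    four = passphrase_bits(4)
    print(f"4 words, attacker holds the dictionary: {four:.0f} bits")
    print(f"  full search at 1000/s: "
          f"{full_search_years(four, ONLINE_GUESSES_PER_SECOND):.0f} years")
    print(f"Tr0ub4dor&3 pattern: {TROUBADOR_BITS} bits")
    print(f"  full search at 1000/s: "
          f"{full_search_days(TROUBADOR_BITS, ONLINE_GUESSES_PER_SECOND):.1f} days")
    print(f"Unknown count of 3..5 words: {variable_count_bits(3, 5):.3f} bits "
          f"(barely above 5 words alone)")
    print(f"25 random lowercase letters (same length as 4 words): "
          f"{random_chars_bits(25, 26):.0f} bits")
    offline = full_search_seconds(four, OFFLINE_GUESSES_PER_SECOND) / 60
    print(f"Caveat: the same 4 words offline at 1e10/s: {offline:.0f} minutes")
```

The two recovered figures (about 550 years versus about 3 days at 1000 guesses per second) are the comic's, so handing the attacker the dictionary does not change its conclusion; the dictionary is the attack the comic is already pricing. What does change the conclusion is the guess rate: the scheme only buys its 550 years when the service throttles or hashes slowly, which is the number a practitioner should check before trusting it.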
Feb. 4th, 2012 09:50 am (UTC)
Do your employers also make you change your password yearly and keep a record of the previous ones you've chosen so you can't simply alternate each year?

Feb. 4th, 2012 12:48 pm (UTC)
I wish. We have to change our network passwords (the same password must be used to wake your computer up after the screen saver has come on, and for several intranet sites and to access the internet, so it gets used a lot) every x* days and our enter-when-you-turn-the-computer-on-before-it-even-starts-booting-BIOS-level-password every x days too. And for VPN access, we have a little device that [CENSORED]* which you have to combine with a PIN.

Oh, and the password cannot even be [CENSORED]* to the last [CENSORED]* passwords.

* I'd tell you more, but I could get into trouble. Yesterday when the new policy was announced on the Europe-wide news page on our intranet, I started a discussion about it on our internal discussion forum. This post included copying-and-pasting the new password criteria from the news article. What I didn't know was that our internal discussion forum is externally hosted** which meant that technically I was posting a JOLF policy on an external site. This was a serious enough crime that the Head of IT Security himself rang me up to tell me to remove the post!

** Which begs the question "Why is our internal discussion forum externally hosted and not just an intranet page like it used to be?"
Feb. 4th, 2012 10:02 am (UTC)
I tend to make up the names of monsters in my head for passwords. Like:


Would definitely be lost without my encrypted password manager... No matter what the password creation system was, there is no way I would be able to remember several hundred of them!
Feb. 4th, 2012 12:54 pm (UTC)
None of those passwords would be robust enough.

I thought about an encrypted password manager. I'd need something that works without the computer being turned on though. There are probably iPhone apps. Although then I'd need to keep the thing charged up and since the battery life is far from brilliant, that isn't always the case.

I can't imagine that in a firm of 10,000 people (that's just in this country, and I assume that the policy will be the same in the other JOLF Europe countries) that I will be the only one who struggles with this.
