lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4ef5fec60603260946j7adfa545gd4f70d6c2e4ec3a9@mail.gmail.com>
Date: Sun Mar 26 18:46:25 2006
From: coderman at gmail.com (coderman)
Subject: guidelines for good password policy and
	maintenance / user centric identity with single passwords (or
	a small number at most over time)

comments?

Creating a secure password:

    o Include punctuation marks and numbers.
    o Mix capital, lowercase and space characters.
    o Create a unique acronym.
    o Short passwords should be 8 chars at least.

Weaknesses to avoid:

    o Don't use a password that is listed as an example or public.
    o Don't use a password you have been using for years.
    o Don't use a password someone else has seen you type.
    o Don't use a password that contains personal information.
    o Don't use words or acronyms that can be found in a dictionary.
    o Don't use keyboard patterns (qwerty) or sequential numbers.
    o Don't use repeating characters (aa11).

Keep your password secure:

    o Never tell your password to anyone or use it where they can observe it.
    o Never send your password by email or speak it where others may hear.
    o Occasionally verify your current password and change it to a new one.
    o Avoid writing your password down.  (Keep it with you in a purse
or wallet if you have to write down the password until you remember
it.)

---

High assurance passwords / exotic threat model interactive auth: use
challenge response for single use Key Encryption Keys containing a
minimum of 128 bits of entropy in a full SHA-512 derived key.  exotic
threat model implies full process for physical, emission,
cryptographic and user interface security.  (i.e. expert level
security infrastructure and flawless identity management).

ideally this would be coupled with a personal vascular scan biometric
device (user centric with vascular auth challenge to open/sign
hardened internal secrets)

the odds of such a device being designed, produced and verified in an
open and full disclosure manner is not high. :P

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ