On 5/7/07, Steve Summit scs@eskimo.com wrote:
Gregory Maxwell wrote:
But what we should be telling people is: "Use the longest pass*phrase* you can easily type... Yes, "gWXi$a09" is strong too, but when you try to tell people to use passwords like that you get "10qpalz," which isn't strong.
Well, I'm not so sure either works. I'm one of the more security-conscious people I know, and I don't bother with strong passwords (let alone passphrases) when I register at ordinary websites -- the risk just isn't there. If you tell me to pick a strong password I'll just laugh at you.
And if you violently disagree with me here -- that's my point. This may be an irresponsible attitude of mine, maybe I really *should* be using strong passwords on every ordinary website I register with, but: I bet I'm not alone.
If your security strategy depends on users picking a certain kind of password, you'd better enforce it in software, because I doubt you'll get enough voluntary compliance otherwise.
One would hope you'd think differently if you had administrative or other privileged access to that website? I agree with you in most cases; my NYTimes password is just abcd1234. I couldn't care less if anyone else uses the account. But if I were responsible for editing and maintaining the site, you better bet I'd pick a much better one.