On 5/7/07, Steve Summit <scs(a)eskimo.com> wrote:
> Gregory Maxwell wrote:
> > But what we should be telling people is:
> > "Use the longest pass*phrase* you can easily type...
> > Yes, "gWXi$a09" is strong too, but when you try to tell people to use
> > passwords like that you get "10qpalz," which isn't strong.
>
> Well, I'm not so sure either works. I'm one of the more
> security-conscious people I know, and I don't bother with strong
> passwords (let alone passphrases) when I register at ordinary
> websites -- the risk just isn't there. If you tell me to pick
> a strong password I'll just laugh at you.
> And if you violently disagree with me here -- that's my point.
> This may be an irresponsible attitude of mine, maybe I really
> *should* be using strong passwords on every ordinary website I
> register with, but: I bet I'm not alone.
> If your security strategy depends on users picking a certain kind
> of password, you'd better enforce it in software, because I doubt
> you'll get enough voluntary compliance otherwise.
_______________________________________________
WikiEN-l mailing list
WikiEN-l(a)lists.wikimedia.org
To unsubscribe from this mailing list, visit:
http://lists.wikimedia.org/mailman/listinfo/wikien-l
One would hope you'd think differently, if you had administrative or
other privileged access to that website? I agree with you in most
cases; my NYTimes password is just abcd1234. I couldn't care less if
anyone else uses the account. But if I were responsible for editing
and maintaining the site, you better bet I'd pick a much better one.
--
Freedom is the right to know that 2+2=4. From this all else follows.
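
The point made in the thread about enforcing password rules in software, with a stricter rule for privileged accounts than for ordinary ones, as an added example that is not part of the original messages. The length thresholds, the account classes and the function names are assumptions chosen for illustration.

```python
# Added example: server-side password check with a per-account-class policy.
# All thresholds below are hypothetical values, not taken from the thread.
MIN_LEN = {"ordinary": 8, "privileged": 16}
MAX_PREDICTABLE = 0.5  # reject if more than half the characters sit in runs


def predictable_fraction(pw: str) -> float:
    """Fraction of characters that belong to a run of three or more
    characters that repeat or step by one (e.g. 'aaa', 'abcd', '4321')."""
    flagged = [False] * len(pw)
    for i in range(len(pw) - 2):
        d1 = ord(pw[i + 1]) - ord(pw[i])
        d2 = ord(pw[i + 2]) - ord(pw[i + 1])
        if d1 == d2 and d1 in (-1, 0, 1):
            flagged[i] = flagged[i + 1] = flagged[i + 2] = True
    return sum(flagged) / len(pw) if pw else 0.0


def check_password(pw: str, account: str = "ordinary") -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LEN[account]:
        problems.append(f"shorter than {MIN_LEN[account]} characters")
    if predictable_fraction(pw) > MAX_PREDICTABLE:
        problems.append("mostly repeated or sequential characters")
    return problems


if __name__ == "__main__":
    # The first three passwords are quoted in the thread; the passphrase
    # is constructed for this example.
    samples = [
        ("abcd1234", "ordinary"),
        ("10qpalz", "ordinary"),
        ("gWXi$a09", "ordinary"),
        ("abcd1234", "privileged"),
        ("seven quiet lanterns drift north", "privileged"),
    ]
    for pw, account in samples:
        result = check_password(pw, account) or ["accepted"]
        print(f"{account:10} {pw!r}: {', '.join(result)}")
```

The run check only catches character sequences and repeats; a production policy would normally also compare candidates against a list of known-compromised passwords.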