Is my uni too anal about passwords?

I personally trust Bruce Schneier’s judgment (as paranoid as he is, he knows what he’s doing) and would think that his system at his website should be reasonably secure. The thing is that you only have to remember one password at a time, and you have all the computational security of a random alphanumeric password. I think.

http://schneier.com/passsafe.html

To be honest, there’s a lot of ways people can get passwords. I can’t remember if it was Mitnick or Schneier who told of a scheme where registration for a site required that you choose a username, password, and some informal survey about what sites you visit the most and where you work. Then they’d go to those websites and “hack your account” by using the exact same username and password.

Plus, I have a feeling that 6 character passwords are easily crackable. A 6 character password would be about 16 times faster to crack than an 8, and I think 8 is the threshold of security already. I had a friend who used a 6 character password for his bank account. 10 years later, bam, herpes.

I also don’t think that replacing vowels with l33t will help against brute forcing. People have tried “tricking” the brute forcers by using anagrams of words, not knowing that the crackers were right behind with modifying the brute forcers to check anagrams too. It would be even simpler to do simple letter replacement on a dictionary attack.

I should also point out that the passwords are hardly the weakest link in any security system, and that enforcing strong passwords while neglecting other areas of security is like putting a steel door on a picket fence.

But then again, IANA cryptographer / security expert.

I just started my (ridiculous) annual IT Security Awareness Training. Here’s what it says about passwords:

[quote]
Passwords must be 8 to 14 characters in length and contain characters from at least 3 of the following 4 categories.

[ul][li]English upper case letters: A, B, C…Z [/li]
[li]English lower case letters: a, b, c… z [/li]
[li]Westernized Arabic numerals: 0, 1, 2…9 [/li]
[li]Non-alphanumeric special characters (e.g., punctuation symbols such as ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' < > ? , . /) [/li][/ul]
Do not use names, words, or phrases from any language.

Good examples: 9U3v02A! or wRk@u5Pt0

[ul][li]Do not share individual passwords with anyone.[/li]
[li]If you suspect your password has been compromised, change your password immediately.[/li]
[li]Do not set applications to remember your password the next time you visit the application.[/li]
[li]Do not use any part of a name or a word in any language in your password.[/li]
[li]Do not use the same character more than three times in a row (e.g. ‘AAAAAAA1’ is not acceptable, but ‘A%rmp2g3’ and ‘A%AdmA2g3’ are acceptable).[/li]
[li]Change your password every 90 days. (The system will prompt you.)[/li]
[li]Use strategies such as substitution to make a strong password that you can remember (e.g. 5 for S and 0 for O in the example wRk@u5pt0.)[/li]
[li]Do not use your [job] passwords for any account passwords on systems outside of [the jobsite] (e.g. do not use the same password for any accounts you might use on Internet web sites).[/li][/ul][/quote]
Not mentioned is that each password must be different from the last 8 passwords used.
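The quoted training rules, written out as a checker so you can see exactly which ones the "good examples" pass and which the rejected example trips. This is an added illustration, not code from the training or from anyone in this thread; the `WORDLIST` is a constructed stand-in for the "no words from any language" rule, and rejecting characters outside the four categories is an assumption the policy does not state.

```python
import re
from typing import List, Sequence

# The four character categories exactly as the training text lists them.
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")
SPECIAL = set("`~!@#$%^&*()_+-={}|\\:\";'<>?,./")
ALLOWED = UPPER | LOWER | DIGITS | SPECIAL

# Constructed mini word list; a real deployment would load a full dictionary.
WORDLIST = {"password", "hunter", "admin", "welcome", "summer", "london"}

HISTORY_DEPTH = 8  # "different from the last 8 passwords used"


def check_password(pw: str, history: Sequence[str] = ()) -> List[str]:
    """Return the list of policy rules the candidate violates (empty list = accepted)."""
    problems: List[str] = []
    if not 8 <= len(pw) <= 14:
        problems.append("length must be 8 to 14 characters")
    # Count how many of the 4 categories are represented; need at least 3.
    categories_hit = sum(any(c in cat for c in pw) for cat in (UPPER, LOWER, DIGITS, SPECIAL))
    if categories_hit < 3:
        problems.append("needs characters from at least 3 of the 4 categories")
    if any(c not in ALLOWED for c in pw):
        problems.append("contains a character outside the four categories")  # assumption
    # "more than three times in a row" = any run of four or more identical characters.
    if re.search(r"(.)\1{3,}", pw):
        problems.append("same character more than three times in a row")
    lowered = pw.lower()
    if any(word in lowered for word in WORDLIST):
        problems.append("contains a dictionary word or name")
    if pw in list(history)[-HISTORY_DEPTH:]:
        problems.append("matches one of the last 8 passwords")
    return problems


def is_acceptable(pw: str, history: Sequence[str] = ()) -> bool:
    return not check_password(pw, history)
```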

This thread reminded me of a quote from bash.org

Basically, the lesson is that you can’t password-secure the stupid.

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

If you had to pay for your bandwidth, you would be equally as anal. :P :P :P