Path: utzoo!utgpu!watmath!clyde!att!pacbell!ames!mailrus!ncar!gatech!bloom-beacon!athena.mit.edu!jik
From: jik@athena.mit.edu (Jonathan I. Kamens)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <8705@bloom-beacon.MIT.EDU>
Date: 9 Jan 89 19:37:50 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <6634@killer.DALLAS.TX.US> <674@ihnet.ATT.COM>
Sender: daemon@bloom-beacon.MIT.EDU
Reply-To: jik@athena.mit.edu (Jonathan I. Kamens)
Organization: Massachusetts Institute of Technology
Lines: 41

In article <674@ihnet.ATT.COM> tjr@ihnet.ATT.COM (Tom Roberts) writes:
>Analysis: The range of security exposures has been changed significantly;
>you will no longer be open to password guessing attacks, because such attacks
>will be using a dictionary, not your random password. Your exposure is now
>similar to the exposures you routinely subject your house keys and credit
>cards to. Is your computer account more valuable than your house or bank
>account? With this method you also have a very good likelihood of detecting a
>breach of your password (e.g. your wallet was stolen), and can take corrective
>measures (change your password).

There is one major problem (that I can see) with this scenario. If I have chosen a password on my own, one that I can remember easily, then the only time I think about it is when I type it when I login, and at that point it is completely invisible to me and to anyone else looking over my shoulder (unless they watch my fingers type it -- a good reason to type quickly and pick a password that can be typed quickly :-). However, if I select a completely random password and then write it down on a slip of paper which I keep in my wallet, then I'm not likely to remember the password (especially if I'm a casual user, which is what many of the people who don't select secure passwords are), so I have to take that paper out of my wallet and look at it every time I login.

How long do you think it's going to be before someone surreptitiously glances over my shoulder when I take it out to look at it and therefore gets my password?

>The only difficulty I know of in this method is that users may not protect
>the paper as well as they protect their keys and credit cards. I do not
>know how to address this problem.

There is no question about this. People will *not* protect their password the way you are claiming they will. This has been proven time and time again. I consider it much more secure to have an easy-to-remember password in the computer than to have a hard-to-remember password in someone's wallet.

Just my two cents worth....

Jonathan Kamens
MIT Project Athena