Subj : FidoGazette Vol 11 no 32 Page: 5
To : All
From : Janis Kracht
Date : Wed Aug 09 2017 17:06:30

Like I said, Years Ago....
By Janis Kracht, 1:261/38, janis@filegate.net

I found the following article regarding computer passwords and their current "failings" and thought it could be of interest to many here.

It was never a good idea to use short words or common-use words for passwords, we all know that. Passwords composed of short or familiar words turned out to be "bad" passwords. It is something I've always said, and IIRC, I wrote an article about it for this 'zine long ago - generally speaking, it's better to come up with some random phrase and use the first letters of that phrase for your password.

The basic idea was: don't use any "one word" if it's recognizable as a word, regardless of its length. Some people think they are safe with passwords like that if they stuff the word with various numbers and upper case/lower case substitutions... say, like P1CKL3 for PICKLE. Rather, the best way to create a password is to use a random PHRASE, one that makes NO sense, and take the first letters of that phrase to make your password.

Another key here is also to use a password manager, so that you are not tempted to use some close variation of the one you've come up with when you need another password... :) Using a password manager to store the passwords for your various devices really is a necessity.

The example of the type of phrase one should use, that I remember giving in my earlier article, was something like, "Jack wants chocolate cake, I'll take two".

I'm glad to see someone else agrees with me about this :) I think it is also great that the emphasis in this article is not the benefit of "frequent password changes", because frequent password changes may actually lead to a false sense of security.

Here's the article I found on the BBC:

=-=-=-=-=-

The author of an influential guide to computer passwords says he now regrets several of the tips he gave.
Bill Burr had advised users to change their password every 90 days and to muddle up words by adding capital letters, numbers and symbols - so, for example, "protected" might become "pr0t3cT3d4!". The problem, he believes, is that the theory came unstuck in practice.

Mr Burr now acknowledges that his 2003 manual was "barking up the wrong tree". He disclosed his views in an interview with the Wall Street Journal.

Current guidelines no longer suggest passwords should be frequently changed, because people tend to respond by making only small alterations to their existing passwords - for example, changing "monkey1" into "monkey2" - which are relatively easy to deduce.

Furthermore, it has been demonstrated that it takes longer for computers to crack a random mix of words - such as "pig coffee wandered black" - than it does for them to guess a word with easy-to-remember substitutions - such as "br0k3n!".

Mr Burr's original advice was distributed by the US government's National Institute of Standards and Technology. It has since been amended several times, with the most recent edition being released in June.

"Anything published under the Nist banner tends to be influential, so these guidelines have had a long lasting impact," said Prof Alan Woodward, from the University of Surrey.

"But we've known for some considerable time that these guidelines actually had a rather unfortunate effect.

"For example, the more often you ask someone to change their password, the weaker the passwords they typically choose.

"And, as we have all now so many online accounts, the situation is compounded so it encourages behaviours such as password reuse across systems."

Britain's National Cyber Security Centre issued its own guidance on the matter in 2015.
It recommended that organisations abandoned a policy of pushing their users into regular password resets, and that they should support the use of password managers - programs that securely store hundreds of different logins, avoiding the need to memorise each one.

"It's good that password advice is now being updated to be based on evidence," said Dr Steven Murdoch, from University College London.

"But there is still traditional advice in other areas of computer security being perpetuated despite us knowing it won't work.

"We need research to tell us what security advice will actually improve the situation, and for the government and companies to pay attention to results."

http://www.bbc.com/news/technology-40875534

FIDOGAZETTE Vol 11 No 32 Page 5 August 09, 2017
-----------------------------------------------------------------
--- BBBS/Li6 v4.10 Toy-3
* Origin: Prism bbs (1:261/38)
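To put numbers behind the two points above (Janis's first-letters-of-a-nonsense-phrase method, and the BBC piece's claim that a random mix of words resists guessing better than a word with substitutions), here is an added example that is not part of the original message or the BBC article. The word-list size, the attacker's dictionary size, the substitution table and the symbol set are assumptions chosen for the estimate, and the results are search-space sizes in bits, not cracking times.

```python
import math

# Assumed sizes: a 7,776-word list for random-word phrases (diceware-style),
# and a 100,000-word dictionary that a guessing attack would expand with
# the usual letter substitutions and trailing digits/symbols.
WORDLIST_SIZE = 7776
DICTIONARY_SIZE = 100_000
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
SYMBOLS = "!@#$%^&*"


def first_letters(phrase: str) -> str:
    """Janis's method: take the first character of each word of the phrase.
    "Jack wants chocolate cake, I'll take two" -> "JwccItt"."""
    return "".join(w[0] for w in phrase.split() if w[0].isalnum())


def bits_random_words(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Each word is an independent uniform pick, so entropy adds per word."""
    return n_words * math.log2(wordlist_size)


def bits_mangled_word(word: str, suffix_len: int = 0,
                      dictionary_size: int = DICTIONARY_SIZE) -> float:
    """Search space for 'dictionary word + substitutions + trailing characters'.
    Every substitutable letter is either kept or swapped for one of its
    variants; each trailing character is a digit or a symbol."""
    per_letter = [1 + len(LEET[c]) for c in word.lower() if c in LEET]
    combos = math.prod(per_letter) if per_letter else 1
    suffix_space = (10 + len(SYMBOLS)) ** suffix_len
    return math.log2(dictionary_size * combos * suffix_space)


def bits_uniform_letters(acronym: str) -> float:
    """Upper bound for a first-letters password: the bits it would carry if
    every letter were a uniform pick from 52 cases. Real phrases are biased
    toward common initial letters, so the true figure is somewhat lower."""
    return len(acronym) * math.log2(52)


def compare() -> dict:
    """The page's own examples, side by side, in bits of search space."""
    return {
        "pig coffee wandered black (4 random words)": bits_random_words(4),
        "br0k3n! (broken + 1 symbol)": bits_mangled_word("broken", 1),
        "pr0t3cT3d4! (protected + 2 chars)": bits_mangled_word("protected", 2),
        "JwccItt (first letters, upper bound)":
            bits_uniform_letters(first_letters("Jack wants chocolate cake, I'll take two")),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{bits:5.1f} bits  {label}")
```

The substituted words land in the low-to-mid 20s of bits even with a trailing symbol, while four random list words exceed 50 bits; the first-letters acronym sits between the two and only reaches its bound if the phrase really is nonsense rather than a quotation.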