1996-04-19 - Re: Spaces in passwords

Header Data

From: "Jon Leonard" <jleonard@divcom.umop-ap.com>
To: wombat@mcfeely.bsfs.org (Rabid Wombat)
Message Hash: e4f2cf550e54403a93e677a2f88becd8ceab34690c2a780490bf0d338292c4b1
Message ID: <9604182350.AA16910@divcom.umop-ap.com>
Reply To: <Pine.BSF.3.91.960418190151.603B-100000@mcfeely.bsfs.org>
UTC Datetime: 1996-04-19 05:00:07 UTC
Raw Date: Fri, 19 Apr 1996 13:00:07 +0800

Raw message

From: "Jon Leonard" <jleonard@divcom.umop-ap.com>
Date: Fri, 19 Apr 1996 13:00:07 +0800
To: wombat@mcfeely.bsfs.org (Rabid Wombat)
Subject: Re: Spaces in passwords
In-Reply-To: <Pine.BSF.3.91.960418190151.603B-100000@mcfeely.bsfs.org>
Message-ID: <9604182350.AA16910@divcom.umop-ap.com>
MIME-Version: 1.0
Content-Type: text


Rabid Wombat wrote:

> On Thu, 18 Apr 1996, Jon Leonard wrote:
> > 
> > The exception to this is when you may be overheard typing a password.
> > The space bar sounds different, and an attacker who knows you've used
> > a space has a significantly smaller search space.
> > 
> > So I usually recommend avoiding space, @, #, and control characters
> > when generating passwords.  Have I missed any or gotten too many?  
>
> Why would you want to avoid #, @, etc. ?

Space sounds different, # is sometimes backspace, @ is sometimes kill-line,
and control characters often do strange things.  Those are the only characters
I avoid, though.

For example, if you're using a teletype to change your password on a UNIX
system (or it _thinks_ you _might_ be using one), and use a password of
"O&]z@d#4", you've just set your password to "4".  Control characters are
worse: ^S to lock your terminal, ^D to disconnect -- no fun.

> I have a hard enough time getting lusers to choose non-dictionary 
> passwords that they can *remember* - one technique is to teach sub-100 
> i.q. types to use two words, separated by a #,@, etc., with a number 
> tossed in: kill#pig1et, which isn't a dictionary word, but has a chance of 
> being remembered without writing it on a sticky note and pasting it to 
> the @#%&ing monitor.

It's hard.  I'd really rather have longer pass{words,phrases} so that there's
the potential for lots of entropy without requiring line-noise for passwords.

Jon Leonard
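
The line-editing behaviour described in the message above, as an added example that is not part of the original message: a simplified Python model of canonical-mode terminal input with "#" as erase and "@" as kill-line, showing what the password program actually receives. The function names and the handling of ^S/^Q/^D are assumptions made for illustration; a real tty driver does more than this.

```python
"""Simplified model of canonical-mode tty line editing with legacy settings."""

ERASE = "#"   # legacy erase character ("# is sometimes backspace")
KILL = "@"    # legacy kill-line character ("@ is sometimes kill-line")
XOFF, XON, EOF = "\x13", "\x11", "\x04"   # ^S, ^Q, ^D


def tty_line(typed, erase=ERASE, kill=KILL):
    """Return (line_delivered_to_program, events) for the keystrokes typed."""
    buf, events = [], []
    for pos, ch in enumerate(typed):
        if ch == erase:
            if buf:
                buf.pop()                  # drop the previous character
            events.append((pos, "erase"))
        elif ch == kill:
            buf.clear()                    # discard everything typed so far
            events.append((pos, "kill-line"))
        elif ch in (XOFF, XON):
            # Consumed by flow control; never reaches the program.
            events.append((pos, "flow-control"))
        elif ch == EOF:
            events.append((pos, "eof"))    # input ends here
            break
        else:
            buf.append(ch)
    return "".join(buf), events


def audit(password):
    """Describe how a candidate password survives the legacy line discipline."""
    delivered, events = tty_line(password)
    return {
        "delivered": delivered,
        "intact": delivered == password,
        "events": events,
    }


if __name__ == "__main__":
    # The first two inputs are the passwords quoted in the thread;
    # the last two are constructed for this example.
    for candidate in ["O&]z@d#4", "kill#pig1et", "two words", "ab\x13cd\x04ef"]:
        r = audit(candidate)
        print(f"{candidate!r:20} -> {r['delivered']!r:12} "
              f"intact={r['intact']} {r['events']}")
```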




