Passwords: does size matter, what characters?
John Abreau
jabr at blu.org
Thu Mar 9 19:12:01 EST 2006
Ted Roche wrote:
> Designing a web site for a client, he asked what the general guidance
> was for passwords. Users are going to be logging into the site (just
> plain http initially, no banking info, SSNs or credit card numbers, all
> that comes after SSL and first round financing). Looking around, web
> sites I visit are all over the place and some are nonsensical (no more
> than 8 characters), others require a minimum of five, six, some allow
> alphanumeric but no punctuation. I usually throw in upper-, lower-,
> numeric and a punctuation symbol or two. Is there some reason to shy
> away from letting the user type whatever they want, assuming you escape
> it properly in HTML and the destination database? Not allowing them to
> use their login ID seems like a good minimal rule.
>
> Are there "commonly accepted guidelines?"
>
What I like to do is generate 16-character passwords with something like
gnome-password-generator, then store them on a usb flash key in
gpg-encrypted files tagged with --for-your-eyes-only. When I need to
look up a password, I run something like the following:

    gpg --no-tty --quiet --batch --output - 2>/dev/null foo.gpg | more

--
John Abreau / Executive Director, Boston Linux & Unix
ICQ 28611923 / AIM abreauj / JABBER jabr at jabber.org / YAHOO abreauj
Email jabr at blu.org / WWW http://www.abreau.net / PGP-Key-ID 0xD5C7B5D9
PGP-Key-Fingerprint 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99
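
An added example, not part of the original message or of any tool named in it: a Python sketch of the two ideas in this thread, a 16-character random password generator (standing in for gnome-password-generator) and a site-side check that accepts any characters but rejects the login ID. The 94-symbol alphabet, the minimum length of 8, the "contains" rule and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumption: printable ASCII without whitespace (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 8  # assumed site minimum; the thread does not settle on a number


def generate_password(length=16):
    """Random password containing lower, upper, digit and punctuation."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    while True:
        # secrets draws from the OS CSPRNG; retrying a whole candidate
        # (rejection sampling) keeps every valid password equally likely.
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def entropy_bits(length, alphabet_size):
    """Upper bound, in bits, for a uniformly random password."""
    return length * math.log2(alphabet_size)


def check_password(login_id, password):
    """Return a list of problems; an empty list means accepted.

    No character class is forbidden and there is no maximum length.
    Rejecting any password that contains the login ID is an assumed,
    slightly stricter form of the rule suggested in the question.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if login_id and login_id.casefold() in password.casefold():
        problems.append("contains login ID")
    return problems


if __name__ == "__main__":
    pw = generate_password()
    print(pw, check_password("constructeduser", pw))
    # 16 chars over 94 symbols versus 8 alphanumeric chars
    print(round(entropy_bits(16, len(ALPHABET)), 1),
          round(entropy_bits(8, 62), 1))
```
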