It was following SANS training last year that I started using a
five-word passphrase with misspelled words. This long passphrase is an
ongoing test of my own patience. While the practice of hammering out a
36-character passphrase does generate some interesting conversation with
folks visiting my office, it also leads to a significant amount of
frustration, and a minor amount of productivity loss, especially when
using iPhones and similar keyboard-less devices.
I think the real purpose of setting a 24+ character passphrase
requirement is to set the stage for a two-factor authentication project
at your institution. After a few months of typing "Festuring monkey
chunks make wormz!", most people will be more than happy to accept the
offer of a USB Smart Card, if only it means that they can use a
7-character numeric PIN instead of that awful passphrase. Really I
think two-factor auth will be unavoidable in our future. It will have
much better acceptance than dissertation-length passphrases. Smart
Cards and One-time-password generators fit the bill outlined by Dean below:
"So we need to be thinking about something that can't be cracked, is useless if intercepted, doesn't impose unacceptable inconvenience or cost, and can't be revealed to a phisher."
Two-factor is not free, but it does not have to cost a fortune, either.
The real trick will be finding a solution that will work with the
majority of our applications.
-J. Greg Mackinnon | ETS Systems Architecture and Administration | x68251
On 8/15/2011 4:41 PM, Dean Williams wrote:
> That cartoon also generated some interesting discussion at the SANS Internet Storm Center, including some good suggestions for strong-yet-memorable-and-typable passwords:
> That SANS write-up also includes a link to another cartoon along the theme of the human being the weakest link in information security. No matter how good security technologies and IT people get at thwarting attacks, it is more and more important for people to use good judgement about giving up their credentials. A call from the "help desk" or an email from "Webmail Team" can be a pretty effective way to crack a password. People are getting better at smelling phish, but the phisers are getting better at cooking them, too. So we need to be thinking about something that can't be cracked, is useless if intercepted, doesn't impose unacceptable inconvenience or cost, and can't be revealed to a phisher.
> -Dean W.