[Cryptography] Best Practices for Passwords
Bill Frantz
frantz at pwpconsult.com
Mon Feb 2 15:59:59 EST 2015
On 2/2/15 at 12:33 PM, iang at iang.org (ianG) wrote:
>So can we come up with a 'best practices' for passwords? If
>these things work as a concept or an idea, surely we should be
>able to write one set of guidelines -- short and sweet so
>people can grok them -- that solves the issue for most people
>most of the time. Right?
>
>Here's my contribution:
>
>
>1. Write passwords down.
>
>
>Man or mouse? Anyone here says they don't know how to do passwords?

I'll take a crack at it. :-)

Use a password manager with the following characteristics:

  - A significantly different password for each site.
  - Easy to change a single password (if only to follow political requirements).
  - Actual passwords not stored anywhere.

See for example <http://www.hpl.hp.com/personal/Alan_Karp/site_password/>.

Note that Alan Karp is connecting the pet name tool, which shows
your name for the site based on its TLS certificate, with site
password. The pet name tool gives significant protection from
common phishing attacks.

See: <https://addons.mozilla.org/en-US/firefox/addon/petname-tool/>

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032
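
Added example, not part of the original message and not Alan Karp's algorithm: a sketch of how a manager with the three characteristics listed above can work, deriving each password on demand from a master secret so that no password is stored. The PBKDF2 construction, the function name, the iteration count and the `revision` counter (used to change one site's password) are assumptions made for this illustration.

```python
import base64
import hashlib

# Constructed parameters for this sketch, not taken from any real tool.
ITERATIONS = 200_000   # PBKDF2 work factor; slows guessing of the master secret
LENGTH = 16            # characters kept from the encoded output (96 bits)


def site_password(master: str, site: str, user: str, revision: int = 1) -> str:
    """Derive a per-site password from the master secret.

    Nothing secret is stored: the same inputs always give the same output.
    Bumping `revision` changes this one site's password and no other.
    """
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (site.lower().encode(), user.encode(), str(revision).encode())
    salt = b"".join(len(f).to_bytes(2, "big") + f for f in fields)

    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              ITERATIONS, dklen=32)

    # Base64 alphabet with '+' and '/' replaced by '!' and '#'.
    text = base64.b64encode(raw, altchars=b"!#").decode().rstrip("=")
    return text[:LENGTH]


if __name__ == "__main__":
    # Constructed sample inputs.
    master = "correct horse battery staple"
    for site, rev in (("example.com", 1), ("example.org", 1), ("example.com", 2)):
        print(site, rev, site_password(master, site, "alice", rev))
```

The only per-site state such a scheme needs to remember is the non-secret revision number; the strength of every derived password still rests on the master secret.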