Message-ID: <4C2A52E3.1020803@authentrus.com>
Date: Tue, 29 Jun 2010 16:09:07 -0400
From: Wes Kussmaul
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
References: <1449883d7baedf2bc03d0857a73b6a98@coraid.com>
Subject: Re: [9fans] offered without comment or judgement

Devon H. O'Dell wrote:
> 2010/6/29 erik quanstrom <quanstro@labs.coraid.com>:
>
>>>> I don't understand why modern security systems have an upper limit on passphrase length.
>>>>
>>> Because people can't remember passwords, and companies don't like
>>> employing full-time password changers.
>>>
>> i don't understand this comment. the length of a password
>> is only vaguely related to memorability. long english phrases
>> are easy to remember. unfortunately, they are also easy to
>> harvest automatically, so "four score and seven years ago" might
>> be a bad password.
>>
>
> The problem is two-fold:
>
> a) Lay-people are told by all their "computer guru" friends to choose
> a password that is difficult to guess. Add numbers, capital letters,
> punctuation. Most people don't think in this sort of context, and it
> is difficult to remember.
>
> b) People don't regard the idea as particularly important. I know many
> people who routinely forget 6-8 character passwords.
>

Many banks still use 4-digit PINs on their ATM cards, without problem. Possession is a very important factor.

The token that will prevail of course is the phone - even though it denies relying parties the billboard value of a card.

Now, will developers be smart enough to isolate the private key from the phone's porous OS? The jury is out on that.

wk

--
Learn about The Authenticity Economy at
http://video.google.com/videoplay?docid=-1419344994607129684&hl=en#