guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)

[coderman]

comments?

Creating a secure password:

    o Include punctuation marks and numbers.
    o Mix capital, lowercase and space characters.
    o Create a unique acronym.
    o Short passwords should be 8 chars at least.

Weaknesses to avoid:

    o Don't use a password that is listed as an example or public.
    o Don't use a password you have been using for years.
    o Don't use a password someone else has seen you type.
    o Don't use a password that contains personal information.
    o Don't use words or acronyms that can be found in a dictionary.
    o Don't use keyboard patterns (qwerty) or sequential numbers.
    o Don't use repeating characters (aa11).

Keep your password secure:

    o Never tell your password to anyone or use it where they can observe it.
    o Never send your password by email or speak it where others may hear.
    o Occasionally verify your current password and change it to a new one.
    o Avoid writing your password down.  (Keep it with you in a purse
or wallet if you have to write down the password until you remember
it.)

---

High assurance passwords / exotic threat model interactive auth: use
challenge response for single use Key Encryption Keys containing a
minimum of 128 bits of entropy in a full SHA-512 derived key.  exotic
threat model implies full process for physical, emission,
cryptographic and user interface security.  (i.e. expert level
security infrastructure and flawless identity management).

ideally this would be coupled with a personal vascular scan biometric
device (user centric with vascular auth challenge to open/sign
hardened internal secrets)

the odds of such a device being designed, produced and verified in an
open and full disclosure manner is not high. :P