[SOT] {FWD} [Dailydave] Don't use vowels in passwords! (fwd)

Kelly John Rose iam at kjro.se
Mon Nov 11 12:29:13 PST 2013


The most useful strategy I've seen is to use multiple authentication
methods or the "a few really hard passwords + random statement for each
site."

I.e. you can probably memorize something like

lMB^9Pl!

so use that for the sites and then tack on something like

lMB^9Pl!Ilikeshopping123

Then the probability of actually cracking that password is low, and
unless you are being specifically targeted, even if they got that
password they wouldn't immediately be able to use it on other websites.
It's easy to remember because you'll type that 8-digit code everywhere,
and the ending is always something cognitively easy.

On 11/11/2013 1:40 PM, David Vorick wrote:
> I could see this as being a good strategy if you didn't declare it, but by
> eliminating vowels you reduce the search space.
> 
> It's only a good tactic if people actually switch from using dictionary
> words to using something with higher entropy. More likely though, you'll
> start to see things like 'bbbddq' or 'cmplt sntnce,' and the users will
> still be susceptible to dictionary attacks.
> 
> It's important to remember that a good dictionary attack has a dictionary
> that is much larger than a list of words in different languages, it also
> has common patterns. This sort of restraint probably reduces the usage of
> dictionary words but increases the usage of other common patterns.
> 
> I don't like it.
> 
> 
> On Mon, Nov 11, 2013 at 7:29 AM, J.A. Terranson <measl at mfn.org> wrote:
> 
>>
>> Mildly interesting, for those who have an interest ?
>>
>>
>> //Alif
>>
>> --
>> Those who make peaceful change impossible,
>> make violent revolution inevitable.
>>
>> An American Spring is coming:
>>    one way or another.
>>
>>
>> ---------- Forwarded message ----------
>> Date: Thu, 7 Nov 2013 14:01:15 -0500
>> From: William Arbaugh <warbaugh at gmail.com>
>> To: dailydave at lists.immunityinc.com
>> Subject: [Dailydave] Don't use vowels in passwords!
>>
>> According to the Defense Finance and Accounting Service (DFAS), you
>> shouldn't use vowels in your password!
>>
>> The DFAS web site myinvoice.csd.disa.mil is instituting new password
>> requirements starting tomorrow. The details can be found at the site (if
>> you're willing to read a PDF hosted by DOD that is).
>>
>> DFAS brings us two significant improvements to password/PIN security by
>> forbidding the use of vowels, and requiring that password/PINs be EXACTLY
>> 15 characters long (no more, no less). I'd guess that the first requirement
>> is to prevent people from using dictionary words. The second requirement is
>> probably due to some obscure issue with their use of an Oracle Java
>> front-end.
>>
>> This is from a web site that until recently (and I believe still does)
>> required the use of IE and Java 6. Logging in used to require clicking
>> through no less than 3-4 security warning pop-ups.
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunityinc.com
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>>
> 
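Added example, not part of the thread: a small Python audit that quantifies the keyspace reduction David Vorick objects to and flags the devoweled-phrase pattern ("cmplt sntnce") he predicts users will fall back to under the exactly-15-characters, no-vowels rule quoted above. The 94-character printable alphabet, the tiny wordlist and the function names are my own assumptions.

```python
import math
import re

# Constructed inputs (not from the thread): a tiny wordlist standing in for the
# much larger pattern-aware dictionaries the thread says real crackers use.
WORDLIST = ["complete", "sentence", "password", "shopping"]
VOWELS = set("aeiouAEIOU")


def keyspace_bits(alphabet_size: int, min_len: int, max_len: int) -> float:
    """log2 of the number of strings with length in [min_len, max_len]."""
    total = sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


def vowel_ban_bits_lost(alphabet_size: int, vowel_count: int, length: int) -> float:
    """Entropy a uniformly random fixed-length password loses when vowels are banned."""
    with_vowels = keyspace_bits(alphabet_size, length, length)
    without = keyspace_bits(alphabet_size - vowel_count, length, length)
    return with_vowels - without


def dfas_policy_accepts(candidate: str) -> bool:
    """The rule quoted in the forwarded mail: exactly 15 characters, no vowels."""
    return len(candidate) == 15 and not any(ch in VOWELS for ch in candidate)


def devowel(word: str) -> str:
    return "".join(ch for ch in word.lower() if ch not in VOWELS)


def is_devoweled_phrase(candidate: str, wordlist=WORDLIST) -> bool:
    """True if the letters of candidate segment into devoweled dictionary words,
    the pattern a policy that bans vowels pushes people toward."""
    stems = {devowel(w) for w in wordlist if devowel(w)}
    letters = re.sub(r"[^a-z]", "", candidate.lower())
    if not letters:
        return False
    reachable = [True] + [False] * len(letters)  # reachable[i]: first i letters segment
    for i in range(len(letters)):
        if reachable[i]:
            for stem in stems:
                if letters.startswith(stem, i):
                    reachable[i + len(stem)] = True
    return reachable[-1]


if __name__ == "__main__":
    print(f"94-char alphabet, 15 chars: {vowel_ban_bits_lost(94, 10, 15):.2f} bits lost")
    print(f"lowercase only, 15 chars:   {vowel_ban_bits_lost(26, 5, 15):.2f} bits lost")
    for pw in ["cmplt sntnc 123", "lMB^9Pl!Ilikeshopping123"]:
        print(pw, dfas_policy_accepts(pw), is_devoweled_phrase(pw))
```

For uniformly random passwords the ban costs only about 2.4 bits on a 94-character alphabet; the damage shows up in the second check, where a DFAS-compliant string is still just two devoweled dictionary words.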