Security

  • guidelines for good password policy and maintenance / user centric identity with single pas


    Creating a secure password:
    o Include punctuation marks and numbers.
    o Mix capital, lowercase and space characters.
    o Create a unique acronym.
    o Short passwords should be 8 chars at least.
    Weaknesses to avoid:
    o Don't use a password that is listed as an example or public.
    o Don't use a password you have been using for years.
    o Don't use a password someone else has seen you type.
    o Don't use a password that contains personal information.
    o Don't use words or acronyms that can be found in a dictionary.
    o Don't use keyboard patterns (qwerty) or sequential numbers.
    o Don't use repeating characters (aa11).
    Keep your password secure:
    o Never tell your password to anyone or use it where they can observe it.
    o Never send your password by email or speak it where others may hear.
    o Verify your current password and change it to a new one.
    o Avoid writing your password down. (Keep it with you in a purse
    or wallet if you have to write down the password until you remember
    it.)
    High assurance passwords / exotic threat model interactive auth: use
    challenge response for single use Key Encryption Keys containing a
    minimum of 128 bits of entropy in a full SHA-512 derived key. Exotic
    threat model implies full process for physical, emission,
    cryptographic and user interface security (i.e. expert level
    security infrastructure and flawless identity management).
    Ideally this would be coupled with a personal vascular scan biometric
    device (user centric with vascular auth challenge to open/sign
    hardened internal secrets).
    The odds of such a device being designed, produced and verified in an
    open and full disclosure manner are not high. :P
    Full-Disclosure - We believe in it.
    Charter:
    Hosted and sponsored by Secunia - http://secunia.com/
  • No.1

    coderman wrote:

    > Creating a secure password:
    >
    > o Include punctuation marks and numbers.
    > o Mix capital, lowercase and space characters.
    > o Create a unique acronym.
    > o Short passwords should be 8 chars at least.
    >
    > Weaknesses to avoid:
    > o Don't use a password that is listed as an example or public.
    > o Don't use a password you have been using for years.
    > o Don't use a password someone else has seen you type.
    > o Don't use a password that contains personal information.
    > o Don't use words or acronyms that can be found in a dictionary.
    > o Don't use keyboard patterns (qwerty) or sequential numbers.
    > o Don't use repeating characters (aa11).

    Remove the last one.
    As long as the others are met this one will not add to strength, it will actually reduce it.

    > Keep your password secure:
    > o Never tell your password to anyone or use it where they can observe it.
    > o Never send your password by email or speak it where others may hear.
    > o Verify your current password and change it to a new one.
    > o Avoid writing your password down. (Keep it with you in a purse
    > or wallet if you have to write down the password until you remember
    > it.)

    And never label that scrap of paper in any way.
    Write it down on an old business card or something.
    Don't give anyone who finds (or gains access to) your purse/wallet any clue of what
    "d0gg13styl3" means or is related to.

    <esoteric rant>
    > High assurance passwords / exotic threat model interactive auth: use
    > challenge response for single use Key Encryption Keys containing a
    > minimum of 128 bits of entropy in a full SHA-512 derived key. Exotic
    > threat model implies full process for physical, emission,
    > cryptographic and user interface security (i.e. expert level
    > security infrastructure and flawless identity management).

    128 bit entropy in a password requires a long randomized passphrase.
    Avoiding accented chars (which is good unless you want to be locked out)
    you'll end up with just under 6 1/2 bits per char.
    And a password/passphrase meeting all requirements above and being at least
    20 chars long isn't very usable.

    > Ideally this would be coupled with a personal vascular scan biometric
    > device (user centric with vascular auth challenge to open/sign
    > hardened internal secrets).

    Biometrics fail, as has been shown several times before.
    Biometrics require that there's no way of obtaining that information from the user,
    or that there's no way to enter this data without the actual user being present.

    And even then they fail when the actual user has a gun at his temple.

    </esoteric rant>
  • No.2

    Mar 26, 2006, at 12:12 PM, Anders B Jansson wrote:

    > And even then they fail when the actual user has a gun at his temple.

    Frankly, this is true of just about any authentication scheme.

  • No.3

    James Longstreet wrote:

    > Mar 26, 2006, at 12:12 PM, Anders B Jansson wrote:
    >
    > > And even then they fail when the actual user has a gun at his temple.
    >
    > Frankly, this is true of just about any authentication scheme.

    Exactly, so how far should you drive your requirements for an authentication scheme?

    Pushing requirements too far will lead to weaker security and higher cost without any gain.
  • No.4

    > Mar 26, 2006, at 12:12 PM, Anders B Jansson wrote:
    >
    > > And even then they fail when the actual user has a gun at his temple.
    >
    > Frankly, this is true of just about any authentication scheme.

    And it will be strong enough for 95% of the world anyway.
    Maybe having a different "alarm ringing" password, which could alert that
    something wrong is happening, could be appropriate.

  • No.5

    Anders B Jansson wrote:

    > Biometrics fail, as has been shown several times before.
    > Biometrics require that there's no way of obtaining that information
    > from the user,
    > or that there's no way to enter this data without the actual user
    > being present.
    >
    > And even then they fail when the actual user has a gun at his temple.
    >
    > </esoteric rant>

    Then we need to return to the old mainframe concept of duress alarms
    (login with a * at the end or alternate login for situations when you
    are under duress).

    The oldskool ;)
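The duress login idea raised in replies No.4 and No.5 (an alternate credential, such as the normal password with a * appended, that still opens a session but raises a silent alarm), written out as an added illustration; this is not code from the thread, and the PBKDF2 work factor, the verifier layout and the alarm callback are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable

PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune for the deployment


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 verifier for one secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    normal_hash: bytes
    duress_hash: bytes


@dataclass
class AuthResult:
    granted: bool   # a session is opened
    duress: bool    # silent alarm raised; the caller should open a restricted session


def enroll(password: str, duress_password: str) -> Account:
    """Store verifiers for the real password and its duress variant.
    The thread's convention is duress_password = password + '*'."""
    if duress_password == password:
        raise ValueError("duress password must differ from the normal password")
    salt = os.urandom(16)
    return Account(salt, _derive(password, salt), _derive(duress_password, salt))


def authenticate(account: Account, supplied: str, alarm: Callable[[str], None]) -> AuthResult:
    """Check the supplied secret against both verifiers. Both comparisons always
    run, so response timing does not reveal which one matched."""
    candidate = _derive(supplied, account.salt)
    is_normal = hmac.compare_digest(candidate, account.normal_hash)
    is_duress = hmac.compare_digest(candidate, account.duress_hash)
    if is_duress:
        # Same visible outcome as a normal login, so whoever is coercing the user sees nothing.
        alarm("duress login")
        return AuthResult(granted=True, duress=True)
    return AuthResult(granted=is_normal, duress=False)
```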
  • No.6

    Sun, 26 Mar 2006 20:12:04 +0200, Anders B Jansson said:

    > 128 bit entropy in a password requires a long randomized passphrase.

    Do you really need a full 128 bits of entropy? Certainly 64 bits or
    so isn't sufficient - but re-evaluate what you *really* need from the
    password - 80, 96, or 112 bits may suffice.

    > Avoiding accented chars (which is good unless you want to be locked out)
    > you'll end up with just under 6 1/2 bits per char.

    And that's assuming you pick a totally random series from the 96 or so
    printable characters. On the other hand, common English text manages a
    whole whopping 2 1/2 bits per character.

    > And a password/passphrase meeting all requirements above and being at least
    > 20 chars long isn't very usable.

    On the other hand, "My unckle Fred's purple iguane has a wart on its eyelid."
    is 57 characters long and gets you at least fairly close to 128 bits of
    entropy. More if you randomly insert a special character or three.

    (As an aside, note that wr17ing 1t in '1337 sty1e doesn't add much entropy -
    only about 1 bit of entropy, since all you need to do is record "was it an
    o or a 0", or "1 or l" or "3 or e" and so on. Random injection of special
    characters, such as 'igu#ana', adds more entropy.)

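A worked version of the entropy arithmetic exchanged in replies No.1 and No.6 (uniformly random printable characters, the roughly 2.5 bits per character of English text, the extra bit a '1337 swap can add, and random insertion of special characters), as an added example that is not code from the thread; the 95-character alphabet, the 33 punctuation symbols and the one-bit-per-swappable-position model are assumptions.

```python
import math

# Constructed models following the thread's figures (assumptions, not thread code):
# a uniform draw from the 95 printable ASCII characters (the thread says "96 or so"),
# about 2.5 bits per character for ordinary English text, and one binary choice
# (about 1 bit) for every position that '1337 writing could swap (o/0, l/1, e/3 ...).
PRINTABLE_ASCII = 95
PUNCTUATION = 33            # printable ASCII that is neither a letter nor a digit
ENGLISH_BITS_PER_CHAR = 2.5
LEET_SWAPPABLE = set("oO0lL1iI!eE3aA4sS5tT7")

# The thread's example passphrase, used here as sample input.
PHRASE = "My unckle Fred's purple iguane has a wart on its eyelid."

def bits_per_char(alphabet_size: int) -> float:
    """Entropy per character of a uniform draw from alphabet_size symbols."""
    return math.log2(alphabet_size)

def random_password_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of `length` characters chosen uniformly at random."""
    return length * bits_per_char(alphabet_size)

def english_passphrase_bits(phrase: str, per_char: float = ENGLISH_BITS_PER_CHAR) -> float:
    """Rule-of-thumb entropy of natural-language text at `per_char` bits per character."""
    return len(phrase) * per_char

def leet_bonus_bits(phrase: str) -> float:
    """Extra entropy from optionally leet-swapping characters: ~1 bit per swappable spot."""
    return float(sum(1 for c in phrase if c in LEET_SWAPPABLE))

def special_insert_bits(phrase: str, n_inserts: int, symbols: int = PUNCTUATION) -> float:
    """Entropy added by inserting n_inserts random punctuation marks at random
    positions: each insert is a position choice plus a symbol choice."""
    total = 0.0
    for k in range(n_inserts):
        total += math.log2(len(phrase) + k + 1) + math.log2(symbols)
    return total

def chars_needed(target_bits: float, per_char: float) -> int:
    """Shortest length that reaches target_bits at per_char bits per character."""
    return math.ceil(target_bits / per_char)

if __name__ == "__main__":
    print(f"random 20 printable chars: {random_password_bits(20):.1f} bits")
    print(f"{len(PHRASE)}-char English phrase: {english_passphrase_bits(PHRASE):.1f} bits")
    print(f"chars for 128 bits: random {chars_needed(128, bits_per_char(PRINTABLE_ASCII))},"
          f" English {chars_needed(128, ENGLISH_BITS_PER_CHAR)}")
```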
