[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Spaces in passwords



Rabid Wombat wrote:

> On Thu, 18 Apr 1996, Jon Leonard wrote:
> > 
> > The exception to this is when you may be overheard typing a password.
> > The space bar sounds different, and an attacker who knows you've used
> > a space has a significantly smaller search space.
> > 
> > So I usually recommend avoiding space, @, #, and control characters
> > when generating passwords.  Have I missed any or gotten too many?  
>
> Why would you want to avoid #, @, etc. ?

Space sounds different, # is sometimes backspace, @ is sometimes kill-line,
and control characters often do strange things.  Those are the only characters
I avoid, though.

For example, if you're using a teletype to change your password on a UNIX
system (or it _thinks_ you _might_ be using one), and use a password of
"O&]z@d#4", you've just set your password to "4".  Control characters are
worse: ^S to lock your terminal, ^D to disconnect -- no fun.

> I have a hard enough time getting lusers to choose non-dictionary 
> passwords that they can *remember* - one technique is to teach sub-100 
> i.q. types to use two words, seperated by a #,@, etc., with a number 
> tossed in: kill#pig1et, which isn't a dictionary word, but has a chance of 
> being remembered without writing it on a sticky note and pasting it to 
> the @#%&ing monitor.

It's hard.  I'd really rather have longer pass{words,phrases} so that there's
the potential for lots of entropy without requiring line-noise for passwords.

Jon Leonard