
Conference 7.286::digital

Title:The Digital way of working
Moderator:QUARK::LIONELON
Created:Fri Feb 14 1986
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:5321
Total number of notes:139771

2377.0. "Passwords" by CNTROL::DGAUTHIER () Fri Feb 19 1993 15:53

    Am I alone in noticing how your average computer system user is
    generally at odds with security/sysmgmt when it comes to playing the 
    password game?  It seems that the days of a 6 character password that
    one could reuse (each time the system requires you to renew your
    password) are a thing of the past.  Now we see 15 character passwords
    (min) that you can't reuse, a real pain, in some cases, for those who 
    used to have the same password for several accounts on the same system.  
    Or what's worse, system generated passwords (often imposed on accounts 
    with any special privs).
    
    The ever evolving and sometimes ingenious response from the user
    community varies.  There's always the good-ole "increment the password"
    option.  Or sometimes it's "Encode the month/year" in the password.  Or
    maybe "password = current month in Spanish + current month in French + 
    year".  Or maybe the Liberace approach where you place your finger on the 
    'q' and zzzzzzzzzzzzip it right across the keyboard method.
    
    But alas, for every such measure taken by the users, there's a counter-
    measure taken to foil its use.  Eventually. I've seen some just plain 
    give up and write their passwords down on the underside of their
    blotter, on a slip of paper *hidden* under their keyboard or some other 
    place where no one would ever think to look. 
    
    So what's the solution? Make it too hard to remember and they'll get
    written down.  Make it too easy and it's a security problem.
    
    This basenote has expired.
    Please enter new basenote:  
T.R  Title  User  Personal Name  Date  Lines
<<< Note 2377.1 by 28250::STENGEL >>>  Fri Feb 19 1993 16:18  (11 lines)
-< It doesn't work here either....what did I do wrong?!!! >-
 RE: 0 dave
>>>    This basenote has expired.
>>>    Please enter new basenote: 
GET_BACK_TO_WORK_DAVE_LUNCH_HOUR_IS_OVER!             


%SET-F-INVBSNLEN, basenote length must be between 250 and 255 characters; 
basenote not changed
$ 

Sorry, I couldn't resist!  :^)
<<< Note 2377.2 by ICS::CROUCH "Subterranean Dharma Bum" >>>  Fri Feb 19 1993 16:18  (6 lines)
    Please don't take this issue up with system management. They are
    only following standards which they are measured against. Take
    your issues up with Corporate Security which defines the standard.
    
    Jim C.
    
<<< Note 2377.3 by MU::PORTER "savage pencil" >>>  Fri Feb 19 1993 16:22  (7 lines)
I've tried to use the argument "but I'll have to write the
generated passwords down".  The answer, which in my opinion
is a valid counter-argument, is that there is indeed an
exposure from people who can look into my desk drawer, or
in my wallet (depending on where I choose to keep the list),
but the rules strengthen protection against network breakins,
which are by far the greatest threat.
<<< Note 2377.4 by ECADSR::SHERMAN "Steve ECADSR::Sherman DTN 223-3326 MLO5-2/26a" >>>  Fri Feb 19 1993 17:12  (6 lines)
    For me, they're not passwords.  They are now passsentences.
    What was a bother has now become a feature as I typically use the
    opportunity to secretly express my rage at having to type in and 
    remember so many characters.
    
    Steve
<<< Note 2377.5 by FUNYET::ANDERSON "Imagine whirled peas" >>>  Fri Feb 19 1993 17:12  (14 lines)
-< Required password length >-
I thought the corporate security standard said:

	Account type   Password Length	 Password Expiration
	------------   ---------------	 -------------------
	Nonprivileged   8		 90 days
	Privileged     15		 30 days

At least this is what is enforced by DECinspect, er, POLYCENTER Compliance
Manager, which enforces the Digital corporate standard.

Anything more, including requiring longer or system-generated passwords, is not
required but is at the option of your system manager.

Paul
<<< Note 2377.6 by STOWOA::CROWTHER "Maxine 276-8226" >>>  Fri Feb 19 1993 17:57  (14 lines)
-< How many 15 letter words do you know?? >-
I love this issue.  I currently log into at least 5 different accounts on
a daily basis, not to mention 2 different voicemail accounts! and LAT
passwords and WATN passwords and dial-in passwords . . .

I try to keep some characters the same on all the accounts and modify only
a few of them.  It also helps to keep them synchronized so you can change 
them all at the same time.

This is a real hot button for me.  Instead of designing the software to
be more bulletproof, all the burden is put on the 99.99% of the folks who
have no bad intentions at all, but just want to get their work accomplished.

Pfui!!

<<< Note 2377.8 by AKO598::SHERK >>>  Fri Feb 19 1993 18:14  (6 lines)
    Wonder if the standard password guessers check things like-
    "verylongpassword"
    "whytypeallofthis"
    "fifteen****ingcharacters"
    
    Ken
<<< Note 2377.9 by 11SRUS::DELBALSO "I (spade) my (dog face)" >>>  Fri Feb 19 1993 18:15  (21 lines)
Well, Maxine, that just goes to show that software can only be just so
bullet-proof, and no more, I guess . . . . :^)

The matter becomes even worse with passwords for things that are very rarely
accessed. Only by sheer luck do I ever remember my SMS password or my
ELF password between the infrequent uses of them that I might make.

We used to preach to our customers that there was a tradeoff that they
needed to evaluate and make on an individual basis with respect to
security vs. flexibility/friendliness. Over the last five years I note that
we internally have opted for the "security at all costs, convenience be
damned" attitude. I've never quite been convinced that the decision was
at all really justified, either, but I guess there are more critical
things for me to concern myself with than the minor loss of productivity
attributable to this nonsense.

In line somewhat with the recent comment about using pwd's to express ire,
I value the fact that passwords are one of the few places on the Enet where
we can use recognizable obscenities with impunity. :^)

-Jack
<<< Note 2377.10 by GUIDUK::FARLEE "Insufficient Virtual...um...er..." >>>  Fri Feb 19 1993 18:21  (17 lines)
>                  -< How many 15 letter words do you know?? >-

As was pointed out, the answer is passsentences.
One from my distant past (which can never be used again) was:
15CHARACTERPASSWORDSSUCK.  So it's a bit more to type, but
it wasn't hard to remember at all! ;-)  It's really not hard to think up a 15
character phrase.

The best response to the problem of lots of accounts on lots of machines
(and the standard here is that you may NOT use the same password on more than
one machine/account) was a friend who used an electronic organizer to
keep a table of systems/accounts/passwords.  The organizer was always with him
(he referred to it as his "brain in a box"), and it had a security feature
which prevented the casual person from getting a peek.  What I don't know
is what he did when the batteries ran out :-(

Kevin Farlee
<<< Note 2377.11 by STAR::ABBASI "i think iam psychic" >>>  Fri Feb 19 1993 18:22  (23 lines)
-< my views on this subject >-
    when I change my password (I mean when the computer tells me to change
    it) the computer gives me that list of words to choose from, so I try 
    to pick one that is common, not so stupid that there's no way I could
    even remember it, so I keep hitting return and keep getting a new list of 
    words to choose from, until I finally find one that is easy to remember. 
    One time I remember spending the whole weekend hitting return until I 
    finally got one that is easy to recall.

    please note too on a related issue that our brains have only so much storage 
    capacity, you can put only so much in it, this is true medical and 
    scientific information from the world's top physicians, after you reach the 
    plateau of the brain's memory, things will start to spill over, and that 
    is why I think this changing the password every 4 weeks or so 
    is putting more undue stress on our memory and brains and lives in 
    general and that is why people don't like it as before.

    hope this helps

    \bye
    \nasser


<<< Note 2377.12 by LGP30::FLEISCHER "without vision the people perish (381-0899 ZKO3-2/T63)" >>>  Fri Feb 19 1993 18:39  (19 lines)
-< "password architecture" >-
re Note 2377.4 by ECADSR::SHERMAN:

>     For me, they're not passwords.  They are now passsentences.
>     What was a bother has now become a feature as I typically use the
>     opportunity to secretly express my rage at having to type in and 
>     remember so many characters.
  
        Oh, you do that too?  That's my "password architecture" as
        well!

        Actually, it has resulted in another security benefit.  I am
        very reluctant to give my password even to the most trusted
        person for the most important business reasons, since my
        "passsentences" often contain unsavory language.  :-}

        On the other hand, only a small part of my "passsentence"
        changes each time I am required to change.

        Bob
<<< Note 2377.13 by ECADSR::SHERMAN "Steve ECADSR::Sherman DTN 223-3326 MLO5-2/26a" >>>  Fri Feb 19 1993 19:28  (10 lines)
    re: .12
    
    >    On the other hand, only a small part of my "passsentence"
    >    changes each time I am required to change.
    
    Yabbut.  Let's not give that little secret away.  Then they'd change
    the system so that it's not easy to do.  For those that haven't figured
    it out ... well ... 
    
    Steve
<<< Note 2377.14 by SPECXN::BLEY >>>  Fri Feb 19 1993 20:57  (13 lines)
-< YABBUT back >-
    
    But how would you like to log in some Monday morning and find out 
    that there was NOTHING in your account, or that ALL the files had
    been trashed.
    
    IMHO, it is a VERY small price to pay for security.  I have another
    "sceem" for passwords, but if I tell you, then it won't be secret
    anymore.....so theeeere!!!
    
    OH, BTW, I heard that the password software is going to check for
    obscene words being used, and will report you to the ethics VP.
    
    
<<< Note 2377.15 by NEWPRT::NEWELL_JO "Jodi Newell - Irvine CA" >>>  Fri Feb 19 1993 21:40  (11 lines)
    ><<< Note 2377.11 by STAR::ABBASI "i think iam psychic" >>>
    
    >-< my views on this subject >-
    
    >hope this helps

    	No sir, it doesn't.
    
    	Jodi-who hates having to remember so many "passentences"

    
<<< Note 2377.16 by SWAM2::KLINE_ST >>>  Fri Feb 19 1993 21:45  (2 lines)
-< BIG BROTHER LIVES >-
    i.s. management has routinely over the last 10 years looked at obscene
    passwords and reported same to employees managers!
<<< Note 2377.17 by 10386::GOLDSMITH_TH "Tom Goldsmith" >>>  Fri Feb 19 1993 21:55  (10 lines)
-< who needs passwords when... >-
re: .14
    
>>    But how would you like to log in some Monday morning and find out 
>>    that there was NOTHING in your account, or that ALL the files had
>>    been trashed.
    
    Hmmmm, how would you like to try and login and find out that someone
    changed your username with NO prior notice ?    This happened this
    week to my cube mate.

<<< Note 2377.18 by ALOS01::KOZAKIEWICZ "Shoes for industry" >>>  Fri Feb 19 1993 22:16  (22 lines)
-< ;^) >-
    re: .16
    
    It's been a very long time since I took VMS internals, but I thought
    user passwords were both encrypted and hashed to some fixed-length
    (32/64 bits) object.  Even if I'm wrong about the hashing, the
    encryption algorithm (as I recall) was one-way; you can not determine
    the password by examining the encrypted value, and there is more than
    one password which will yield the same encrypted value.
    
    I distinctly remember the analogy taught at the time: VMS throws your
    password into a bucket of water and remembers what the splash sounds
    like. Every time it needs to validate your password, it throws the user
    response into the same bucket of water and compares the sound of the
    splash with the one it recorded.  If they sound the same, the password
    is valid.
    
    Of course, I could be all wet here. I'm sure some techno-dweeb engineer
    who actually works with this stuff or took internals since VMS V4 was
    brand new will correct me if I'm wrong.  Like I care.
    
    Al
    
<<< Note 2377.19 by 11SRUS::DELBALSO "I (spade) my (dog face)" >>>  Fri Feb 19 1993 22:28  (17 lines)
re: .14, "Empty account on Monday AM"

Personally, I'd be more concerned about the integrity of the last backup
and of the operations people, than about the security issue.

re: Obscenity checkers

We missed the smileys, but I'm sure you intended them. It's pretty obvious
that an obscenity checker in a password mechanism is as bad as, if not worse
than, a trap door.

re: .18, Al K.

Your recollection is pretty accurate. Respectfully, your friendly techno-dweeb.
:^)

-Jack
<<< Note 2377.20 by GUIDUK::EVANS_BR "Bruce Evans, CASE Consultant" >>>  Fri Feb 19 1993 22:32  (25 lines)
-< sweet dreams... :-) >-
    Reporting in from the "Brain-in-the-box"
    
    I'm the one Kevin was referring to back in reply .xx, and I put all my
    systems' passwords into this CASIO organizer. I remember 1 password,
    which I change occasionally (mostly to annoy my wife  :-), and have
    changed the batteries several times - CASIO was smart: there's 3, which
    you change 1 at a time. 
       Yeah, sure, one can drop it, or erase the info, or... but it hasn't
    happened yet. I'll cross that bridge when I get there.
    
       More to the point - all 25 passwords are in there, and when I come
    back from vacation, I reset my memory, and am fine.
       Personally, I've held the opinion that if DEC was really serious
    about security, they'd buy each of us one of those 50 name/number
    credit card thing-ies, and let us put all our passwords in there.
       For that matter, if DEC was *really* serious, we'd build in card
    readers into the monitors (or system boxes), and you'd have to scan
    them and have a retinal scan before using the ....
    
    <slap>    <slap>   
         Oh,  agh -- huh...... where am I!!???   Oh. whew --
    
    heck of a nightmare there....
    
    :-)   bwe
<<< Note 2377.21 by TLE::AMARTIN "Alan H. Martin" >>>  Sat Feb 20 1993 12:40  (26 lines)
-< Digital enjoys the illusion of security >-
Re .19:

>Personally, I'd be more concerned about the integrity of the last backup
>and of the operations people, than about the security issue.

Bingo.  In the 12+ years I've worked here, I've never met anyone who lost files
from intruders, but I've seen 4 projects lose weeks or months of work because
operations wasn't backing up their disks.

Of course, you'd think the priorities would shift once it became obvious how
dangerous intruder-inserted Trojan Horses are.  But:

1.  There's still very little protection against password collection by
eavesdropping on Ethernets around here.

2.  I've never worked in a Digital organization where system management put a
record of every computer account in an individual's personnel record.  When
someone leaves, seldom are anything but their local accounts independently
disabled.

3.  Even in 1993, group accounts where everyone knows the password "in case I
have to submit the build batch job" are all the rage.  It's the exception when
those passwords get changed when someone leaves.  We just hope that everyone
will list all the accounts they have in their exit interview, and cross our
fingers.
				/AHM
<<< Note 2377.22 by MU::PORTER "savage pencil" >>>  Sat Feb 20 1993 20:40  (13 lines)
    OK, so real computer passwords are A Good Thing.
    
    But why the ^%&* do I have to have a fifteen-digit password
    on my voicemail account?   I don't care if anyone hears
    my phone messages.  I don't care about the risk of someone 
    sending a voicemail message pretending to be me.
    
    It does a great job of keeping me out of my own voicemail
    though.  Once again, it's got irked because I don't use it
    often enough, and decided to stop letting me in.
    
    What a system.
    
<<< Note 2377.23 by TOOK::MORRISON "Bob M. LKG2-2/BB9 226-7570" >>>  Sun Feb 21 1993 00:36  (6 lines)
  Don't get me started talking about Voicemail. On our system, you only need an
8-char password, so I suppose I'm lucky.
  I feel that the need to remember several 16-character passwords, and a new
set of same every month, discriminates against people who don't have good
memories. Believe it or not, it is possible to have a poor memory for things
like that and still be smart enough to excel in your job. 
<<< Note 2377.24 by STAR::ABBASI "i think iam psychic" >>>  Sun Feb 21 1993 05:38  (18 lines)
-< my observations on this issue and related matters >-
    .23

    >it is possible to have a poor memory for things like that and still be 
    >smart enough to excel in your job.

    I agree too, I think people with bad memories are a sign of high IQ,
    I read that Einstein could not remember his home phone number too,
    and he used to forget to tie up his shoes, also many other smart people 
    were like that, they forget things, I also read that Newton used to forget 
    where he was going when he walked around Cambridge univ. One day 
    he had to ask his friend if he had already had his lunch because he 
    forgot if he did or not. 
    
    \bye
    \nasser


    
<<< Note 2377.25 by LGP30::FLEISCHER "without vision the people perish (381-0899 ZKO3-2/T63)" >>>  Sun Feb 21 1993 09:31  (11 lines)
re Note 2377.19 by 11SRUS::DELBALSO:

> re: .18, Al K.
> 
> Your recollection is pretty accurate. Respectfully, your friendly techno-dweeb.

        I would hope that the password history mechanism is likewise
        encrypted, and that real (former) passwords are not stored in
        the clear.

        Bob
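The one-way "splash" scheme .18 recalls, and the hashed-history question .25 raises, as an added example that is not part of the original thread and is not VMS's own algorithm (VMS used a different hash; this illustration assumes PBKDF2-SHA256 with a random 16-byte salt per password, a 100,000-iteration work factor, a five-entry history and constant-time comparison). The stored digest is fixed-length and cannot be reversed, and the password history is kept only as earlier salt/digest pairs, so reuse can be rejected without any former password ever being stored in the clear:

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration (not VMS's Purdy-polynomial hash).
ITERATIONS = 100_000     # PBKDF2 work factor: slows down offline guessing
HISTORY_DEPTH = 5        # how many former passwords are remembered (as hashes only)


def hash_password(password: str, salt: bytes) -> bytes:
    """The 'splash': a fixed 32-byte digest derived one way from password + salt.

    It can be checked by recomputing it, but not reversed; and because it is
    fixed-length, many distinct inputs necessarily share each digest.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)                     # fresh salt for every password
        self.digest = hash_password(password, self.salt)
        self.history = []                              # former (salt, digest) pairs, never clear text

    def verify(self, candidate: str) -> bool:
        """Throw the candidate into the same bucket and compare the splashes."""
        return hmac.compare_digest(hash_password(candidate, self.salt), self.digest)

    def used_before(self, candidate: str) -> bool:
        """Reuse check: rehash the candidate under each old salt; no old password is stored."""
        return any(hmac.compare_digest(hash_password(candidate, s), d) for s, d in self.history)

    def change_password(self, new_password: str) -> None:
        if self.verify(new_password) or self.used_before(new_password):
            raise ValueError("password was used before; reuse rejected")
        self.history.append((self.salt, self.digest))
        self.history = self.history[-HISTORY_DEPTH:]   # forget the oldest beyond the depth
        self.salt = os.urandom(16)
        self.digest = hash_password(new_password, self.salt)


if __name__ == "__main__":
    acct = Account("dgauthier", "verylongpassword")    # sample credentials, constructed
    print(acct.verify("verylongpassword"), acct.verify("VeryLongPassword"))   # True False
    acct.change_password("whytypeallofthis")
    try:
        acct.change_password("verylongpassword")        # the old one lives on only as a hash
    except ValueError as e:
        print("rejected:", e)
    print(acct.digest.hex())                            # reveals nothing about the password itself
```

The history check costs one PBKDF2 computation per remembered entry, which is the price of not keeping the old passwords themselves; a system that stored history in the clear would have turned its reuse rule into a list of every password the user had ever typed.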
<<< Note 2377.26 by RDVAX::KALIKOW "Parody error, please retry" >>>  Sun Feb 21 1993 17:29  (80 lines)
-< Time to jump out of the system, imho >-
    Yes, password proliferation is terrible, and it is an expanding fact of
    hi-tech life.  What is to be done?  Surely we can't let our guard down,
    in an increasingly internetworked world, and in a downsizing company.
    
    Customers I visit with as part of the Engineering Interface Program
    regularly beat us (and our competition!) up on this same point -- they
    can't keep track of all their ever-changing, ever-lengthening, non-
    reusable passwords either.  The last time out, several major accounts
    mentioned a nifty solution, which happens to have been invented by an
    old friend.  I have no financial interest in it, but a considerable
    intellectual admiration for the technology, which frankly is the best
    I've seen.  
    
    My "password" now changes once a minute (!!).  I get it from a
    badge-sized gizmo that I now carry around with me, along with my DEC
    badge and NCS> card.  Without it, I can't log in.  It's enhanceable
    such that I must demonstrate something I *know* -- my PIN -- by
    entering it into something I *have* -- my "SecurID" card from Security
    Dynamics Inc. (SDI) of Cambridge MA. 
    
    I now use it on my DECpc325P laptop, in a product SDI co-developed with
    the Fischer International "WatchDog" product.  I could also be using
    the same token on all my VMS and ULTRIX accounts, if I could but
    convince various SysAdmins to give it a whirl.  (For this reason, it's
    superior imho to the DataMedia "SecureCard" product we sell for PCs,
    too.)  
    
    My PC's data are secure against any thief who might steal it; with the
    associated SW (no HW changes whatever are needed on the laptop), you
    can boot up from its floppy drive, but you can't see the built-in hard
    drive.  You can't boot up from the internal drive without having the
    SecurID card around, from the LCD display of which the number must be
    entered.  If you rip out the hard drive, you'll find that all the
    really crucial data (my autologin routines for termulation (including
    my EasyNet password(s)), my Corporate AT&T Credit Card #, WATN group
    account and password, etc.) are all DES-encrypted on disk; my company-
    private docs are encrypted too, but slightly more efficiently.  When I
    use it "normally," it's completely transparent to me.
    
    It's not a perfect system (yet; there's no central administration
    facility for the PC version, but that's soon to come, when the age of
    wireless finally arrives), but it more than meets my needs.  
    
    It needs expansion, such that you authenticate yourself ONCE to a
    Kerberos-like authentication server, which then "vouches for you"
    through public-key encryption, wherever else you go for data.  But for
    now, one can arrange for SecurID-mediated separate logins to various
    data and even telecomms services.  Password problem solved, and
    replaced with the necessity of carrying this encrypted authentication
    token.
    
    Solutions built around this token & system are now in use by many
    businesses and western government agencies in a position to buy the
    best (I can't state them in this semipublic forum, but imagine the most
    security-conscious shops and you'll be OK).  
    
    SecurID technology is not unknown around DEC -- it was evaluated during
    the course of our own "smart-card" R&D, which group has since (as I
    understand it) been disbanded.  It's been incorporated in one version
    of our IP InterNet Gateway authentication service (from DEC-NSL, Palo
    Alto).  There have been some contacts between SDI and the group at OSF
    responsible for DCE and DME, though I don't know of the current state
    of that possible collaboration.  I'm interested in leveraging SDI's
    strong position in encrypted authentication into solving our internal
    (and possibly our customers') problems.  In these days of downsizing
    and outsourcing, it makes sense to me.
    
    If you're interested in learning more, or if you know of SDI and/or
    other solutions in this space, let's correspond.  Pointers to DEC
    groups or NotesFiles concerned with security gratefully received (I
    know of IAMOK::PC_SECURITY).  I can't promise fast response -- this
    isn't my main or only project -- but I'm interested in learning more,
    and perhaps helping.  I believe that SIMPLE encrypted user authenti-
    cation, in the coming age of wireless, PDA's, and the information
    utility -- will be a key technology determining customer preference.
    
    And, returning to this string's topic:  If, to run our OWN business, we
    can't ignore the security requirements that force "password inflation"
    on us, we must imho look outside the current system for solutions.
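A once-a-minute token combined with a PIN, as .26 describes, as an added example that is not from the original thread and is not SecurID's algorithm (Security Dynamics' scheme was proprietary; this illustration assumes the HMAC-based one-time-password construction of RFC 4226/6238 with a 60-second step, a 6-digit code, a one-step clock-skew window and a PBKDF2-hashed PIN). The server checks something known (the PIN) together with something held (the code the token currently displays), and never accepts a code at or below the last step counter it already honoured, so a passcode captured on the wire cannot simply be replayed:

```python
import hashlib
import hmac
import os
import struct
import time

STEP = 60        # seconds per code: the once-a-minute change .26 describes (assumed)
DIGITS = 6       # displayed code length (assumed)
SKEW = 1         # accept codes one step either side to absorb clock drift (assumed)


def code_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 of the step counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def token_code(secret: bytes, unix_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """What the token's LCD would show at unix_time."""
    return code_for_counter(secret, int(unix_time // step), digits)


class TokenServer:
    """Holds each user's token seed and a hashed PIN; validates PIN + current code."""

    def __init__(self):
        self.records = {}        # user -> dict(secret, salt, pin_digest, last_counter)

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.records[user] = {
            "secret": secret,
            "salt": salt,
            "pin_digest": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000),
            "last_counter": -1,  # highest step counter already accepted (replay protection)
        }

    def authenticate(self, user: str, passcode: str, now: float) -> bool:
        rec = self.records.get(user)
        if rec is None or len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]   # something known + something held
        pin_digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], 50_000)
        pin_ok = hmac.compare_digest(pin_digest, rec["pin_digest"])
        counter = int(now // STEP)
        code_ok, accepted = False, None
        for c in range(counter - SKEW, counter + SKEW + 1):
            if c <= rec["last_counter"]:
                continue         # a code already used (or any older one) is never accepted again
            if hmac.compare_digest(code_for_counter(rec["secret"], c), code):
                code_ok, accepted = True, c
                break
        if pin_ok and code_ok:
            rec["last_counter"] = accepted
            return True
        return False


if __name__ == "__main__":
    seed = os.urandom(20)                     # token seed, constructed for the demo
    server = TokenServer()
    server.enroll("kalikow", seed, "4711")    # sample user and PIN, constructed
    now = time.time()
    print(server.authenticate("kalikow", "4711" + token_code(seed, now), now))   # True
    print(server.authenticate("kalikow", "4711" + token_code(seed, now), now))   # False: replay
```

The skew window is the tradeoff the note's "wireless" remark hints at: the server must tolerate the token's clock drifting, but every extra step it accepts is another code an attacker who captured one could still use until the legitimate user has moved the counter past it.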
    
<<< Note 2377.27 by ERLANG::HERBISON "B.J." >>>  Mon Feb 22 1993 11:11  (28 lines)
        Re: .6

> This is a real hot button for me.  Instead of designing the software to
> be more bulletproof, all the burden is put on the 99.99% of the folks who
> have no bad intentions at all, but just want to get their work accomplished.

        Please let us know when you find a way to force the bad guys on
        the network to use 15 character passwords.  Then we good guys can
        all use 1 character passwords and always be safe from the bad
        guys (I guess you also need a fool-proof way to tell good guys
        from bad guys).

>Bingo.  In the 12+ years I've worked here, I've never met anyone who lost files
>from intruders, but I've seen 4 projects lose weeks or months of work because
>operations wasn't backing up their disks.

        Well, I haven't lost files directly to an intruder, but I've
        been prevented from using my systems because we needed to
        recover from an intruder.

        I agree that good backups are important -- but remember that
        Digital also has corporate security policies that mandate
        backups, and fire protection, and emergency recovery plans. 
        Don't blame corporate security if good passwords don't save
        your files--they try to cover all the bases with policy but
        they don't control the implementation.

        					B.J.
<<< Note 2377.28 by TLE::AMARTIN "Alan H. Martin" >>>  Mon Feb 22 1993 12:47  (10 lines)
-< Investment and return >-
Re .27:

>        Well, I haven't lost files directly to an intruder, but I've
>        been prevented from using my systems because we needed to
>        recover from an intruder.

I wonder whether I've lost more time because we needed to make backups.
(Whoever taught the MR1-2 operators about ^ESET RUNTIME-GUARANTEE should have
been taken out and shot).
				/AHM
<<< Note 2377.29 by ECADSR::SHERMAN "Steve ECADSR::Sherman DTN 223-3326 MLO5-2/26a" >>>  Mon Feb 22 1993 13:15  (14 lines)
    re: .22
    
    Voicemail passwords ... phooey!  I got shafted by that system when it
    changed my password unexpectedly and I was unable to get in touch with
    the person that had the new one.  I was able to tell that I had
    messages, but couldn't do anything about it.  People left messages
    thinking they got through to me.  Ever since then, I've had my phone
    yanked off voicemail and my life is MUCH easier.  I give out my home
    number and have a regular, old, non-password answering machine there.
    People have not had trouble reaching me and can have reasonable
    assurance that their messages got through.  And, they'll never again
    have to worry about the system interfering with our communications.
    
    Steve
<<< Note 2377.30 by XLIB::SCHAFER "Mark Schafer, ISV Tech. Support" >>>  Mon Feb 22 1993 13:27  (9 lines)
    VOICEMAIL is great!  Our group has been able to avoid replacing a
    secretary (they're hard to find) and I have not had a garbled phone
    message in weeks!
    
    Passwords are necessary, but I marvel that we accept a 4 digit password
    on our personal things (like ATM cards).  Shouldn't my money have as
    much protection as my business correspondence?  :-)
    
    Mark
<<< Note 2377.31 by STAR::ABBASI "i think iam psychic" >>>  Mon Feb 22 1993 13:52  (20 lines)
    .30

    > but I marvel that we accept a 4 digit password
    > on our personal things (like ATM cards).  Shouldn't my money have
    > as much protection as my business correspondence?  :-)

    yes, but with an ATM they need the card too along with the 4 digits.
    plus, even if they get the card, they have to try from 0000 to 9999,
    that's 10,000 tries at most; on average, they have to try
    5,000 times to guess your number, but most ATM machines will eat your
    card if they see you entering too many wrong numbers, something like 
    10 times or so, and you have to go to the bank and ask for it back.
    
    this is why an ATM card is different from computer passwords.

    hope this helps.

    \bye
    \nasser

<<< Note 2377.32 by TLE::AMARTIN "Alan H. Martin" >>>  Mon Feb 22 1993 15:42  (13 lines)
-< Ve haf vays of improving your typing >-
Re .31:

>... but most ATM machines will eat your
>    card away if it sees you making too many wrong numbers, something like 
>    10 times or so and you have to go to the bank and ask for it back.
>
>    this is why ATM card is different from computer passwords.

Yeah, try mistyping your password 10 times on the STAR cluster and I'd expect it
won't merely activate break-in evasion on your account, it will probably use a
low-level electric current to lock your hands to the keyboard until the VMS
police arrive.
				/AHM
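The arithmetic in .31 and the break-in evasion .32 alludes to, as an added example that is not part of the original thread and is not VMS's or any bank's implementation (the limit of 10 failures, the 5-minute counting window and the 1-hour evasion period are assumptions chosen to match the figures the notes mention). The verifier refuses every attempt during evasion, right PIN or wrong, so the caller cannot tell a lockout from a bad guess; the brute-force loop shows how few of the 10,000 PINs an online attacker actually gets to try:

```python
import hmac
import time

PIN_KEYSPACE = 10_000          # four decimal digits, 0000..9999


def expected_guesses(keyspace: int) -> float:
    """Average guesses to hit a uniformly chosen secret by exhaustive search: (N + 1) / 2."""
    return (keyspace + 1) / 2


def guesses_per_day(break_limit: int, evasion_seconds: float) -> float:
    """Online guesses an attacker gets per day when each lockout costs evasion_seconds."""
    return break_limit * 86400 / evasion_seconds


class PinVerifier:
    """Counts recent failures; after break_limit of them within window seconds the
    account enters evasion for evasion seconds, during which every attempt, right or
    wrong, gets the same refusal (the caller learns nothing)."""

    def __init__(self, pin: str, break_limit=10, window=300.0, evasion=3600.0,
                 clock=time.monotonic):
        self._pin = pin
        self.break_limit = break_limit
        self.window = window
        self.evasion = evasion
        self.clock = clock           # injectable so the policy can be simulated
        self.failures = []           # timestamps of recent wrong guesses
        self.locked_until = None

    def attempt(self, candidate: str) -> str:
        now = self.clock()
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"      # evasion: even the correct PIN is refused
            self.locked_until = None
            self.failures = []
        self.failures = [t for t in self.failures if now - t <= self.window]
        if hmac.compare_digest(candidate, self._pin):
            self.failures = []
            return "ok"
        self.failures.append(now)
        if len(self.failures) >= self.break_limit:
            self.locked_until = now + self.evasion
            return "locked"
        return "bad"


class FakeClock:
    """Deterministic clock for the simulation."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def brute_force(verifier, clock, seconds_per_try=1.0):
    """Try every PIN in order until one works or the verifier locks.
    Returns (pin or None, attempts made)."""
    for n in range(PIN_KEYSPACE):
        result = verifier.attempt(f"{n:04d}")
        if result == "ok":
            return f"{n:04d}", n + 1
        if result == "locked":
            return None, n + 1
        clock.advance(seconds_per_try)
    return None, PIN_KEYSPACE


if __name__ == "__main__":
    clock = FakeClock()
    print(brute_force(PinVerifier("0042", clock=clock), clock))      # (None, 10): locked out
    print(expected_guesses(PIN_KEYSPACE))                            # 5000.5 without a lockout
    print(guesses_per_day(10, 3600.0))                               # 240 guesses a day with one
```

With these settings an attacker holding the card gets 10 guesses per hour, so 240 a day against a space of 10,000; the ~5,000 average guesses .31 computes would take three weeks of uninterrupted trying, which is why the short PIN is tolerable at an ATM and why the same arithmetic fails for a password file that can be attacked offline with no lockout at all.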
<<< Note 2377.33 by MYGUY::LANDINGHAM "Mrs. Kip" >>>  Mon Feb 22 1993 15:56  (24 lines)
-< mush >-
    Passwords I need to Remember (from an administrator):
    
    			Workstation (user & system)
    			VMS Cluster Password
    			Voicemail Password
    			COSMOS Password (office supplies)
    			IPA Password (purchasing system)
    
    			
                        OTHERS:
    			
    			mgr's passwords: (CORE, Cluster
    					  IPA Approval, Voicemail, etc.) 
    
    Then, when we go home we need to remember:
                                                        
    			The DCU PIN Number,
    			the other bank PIN number
    			and any other number we might have!
    
    
    	                                    
    
                                
<<< Note 2377.34 by MU::PORTER "savage pencil" >>>  Mon Feb 22 1993 16:09  (5 lines)
By the way, how come that Baybank ATMs only parse "passwords"
to the first 4 characters?  Did Dave Cutler ever write
any ATM software?  

Whoops, wrong notesfile...
<<< Note 2377.35 by STAR::ABBASI "i think iam psychic" >>>  Mon Feb 22 1993 17:25  (16 lines)
    .34

    Dave, I know you said that with your tongue in cheek
    but that is actually a good question because doctors and scientists
    have found that most human brains can remember 4 items with little 
    problem and 7 just about, and that is why also they have the phone 
    number be 7 digits (without the area code of course), and that is 
    why people don't like those 15-letter computer passwords, because they go 
    over the limit of remembering without undue effort on your part to 
    remember them, so the issues are not as clear cut as they may seem at
    first to the passing eye.

    hope this helps.

    \bye
    \nasser
<<< Note 2377.36 by AXEL::FOLEY "Rebel without a Clue" >>>  Mon Feb 22 1993 21:01  (9 lines)
RE: .32

	Not so! The electrical current generation software was in Phoenix.
	That went the way of the dodo bird.. But with V6 and the Gammatron
	Disruptor Interface to the audit server, you best be on your best
	behaviour..

							mike
					FORMER system manager for STAR
<<< Note 2377.37 by BTOVT::SOJDA_L >>>  Tue Feb 23 1993 00:35  (5 lines)
-< No standard voice mail password length >-
    For what it's worth, the voice mail systems here in BTO only require
    a 4 digit password.
    
    Larry
    
<<< Note 2377.38 by NOTIME::SACKS "Gerald Sacks ZKO2-3/N30 DTN:381-2085" >>>  Tue Feb 23 1993 14:48  (3 lines)
Here at ZKO, voicemail passwords must be at least 8 characters.  Area code
+ phone number is 10, so I just use familiar phone numbers.  It's very
easy to key in a number you're used to calling.
<<< Note 2377.39 by 2730::PARODI "John H. Parodi DTN 381-1640" >>>  Wed Feb 24 1993 11:24  (15 lines)
    
    There is nothing wrong with writing down passwords, as long as you use
    reasonable care and some common sense.
    
    Do not put the written password (or list of them) in an obvious place
    (e.g., do not scratch the SYSTEM password into the plastic on the
    system console). Do not write down the system name or username that is
    associated with the password.
    
    When I forget a password, I usually draw a complete blank. So my
    written list has only enough of the passwords to jog my memory, but not
    enough to allow an intruder to use them. I don't keep the list in my
    wallet, but that would certainly be a reasonable place...
    
    JP
<<< Note 2377.40 by ALAMOS::ADAMS "Visualize Whirled Peas!" >>>  Sun Feb 28 1993 14:54  (32 lines)
-< Don't You Just Hate It When... >-
    Nasser:
    
    There are those (not me!) who would argue that someone's 15 character
    password should be made up of 2-4 groupings of words.  For instance,
    one of my old passwords was: ibmpersonalcomputer.  Three words
    (ibm)(personal)(computer).  For me it's easier to remember than some
    randomly generated 8 character password (non-VMS generated).  Of
    course, now I go to bed and have bad dreams about little snippets of
    the English language!
    
    re: PINS and SecurID
    
    I agree with those who have said, "Hey, my ATM card only has a 4 digit
    PIN.  _That_ number protects my money!"  If everyone was issued a
    SecurID card, Kerberos was implemented network-wide, and the
    appropriate software was installed on all Enet machines, we could get
    away with _2_ pin numbers (one for regular access, one for access under
    duress).  Of course the card cost just a tad of $50, so scratch that
    idea! :)
    
    My biggest b*tch is our front door combo.  We have the ?ACS? access
    cards that you have to swipe, a camera pointing at the door, _and_ a
    cypherlock that we have to change the number on each time someone
    leaves.  I can [sorta] see the logic behind changing the combo for
    security reasons, but without an access card, there's no way in.  I
    assume we collect these cards when employees or contractors leave. 
    When your work only lets you get by the office before or after hours,
    and if you don't know the new combo...
    
    Oh well, enough b*tching,
    
    --- Gavin
<<< Note 2377.41 by RDVAX::KALIKOW "Parody error, please retry" >>>  Sun Feb 28 1993 22:09  (16 lines)
-< re: Gavin Adams' .40 >-
    A couple comments --  
    
    (1) SecurID cards -- if they cost ~$50 each, that's BEFORE any bulk
    discounts, I'll wager.  And how much wasted motion might we save? 
    (updating, distributing, prohibiting the writing down of, administering
    lost...  passwords)  Might that be worth throwing into the mix
    (assuming we return to profitability such that cash resources liquefy a
    bit)?  How much is EasyNet and mobile notebook data security worth?
    
    (2) Re the ACS> Swipe-cards...  Wouldn't it be nice if your SmartCard
    had a radio or IR link with the door...?  Why carry two tokens, one for
    door-opening and another for electronic-access-authenticating?  It's
    not here yet, but it's past the gleam-in-the-eye stage in the lab.
    
    Your note didn't sound like "b*tching" to me, it sounded constructive. 
    Frustrated, but thoughtful.                                            Dan
2377.42GIDDAY::BURTChele Burt - CSC Sydney, DTN 7355693Mon Mar 01 1993 02:004
Re: a few back & the use of "passsentences"

How about using "pass verses" - ie pick a poem, use one line one month, the 
next line the next month etc
2377.43RPSTRY::CDDA::DICKSONMon Mar 01 1993 12:417
    I pick a new word from a language I would like to learn.   It helps to
    use a language with long words in it, like German, but failing that you
    could use a short phrase.
    
    Make those pesky expiring passwords into a vocabulary builder.
    
    Last month's password: "hopitutuqayi"
2377.44COuld be worseHGOVC::JOELBERMANMon Mar 01 1993 12:5711
    At my customers site people are issued a random number as username and
    then have to pick one of the VMS generated passwords.  No wonder people
    prefer PC's.
    
    I think of a phrase or song lyrics and then use the first letter of
    each word.  It is surprisingly easy to type in, but even if someone sees
    you type it in they have trouble remembering it.
    
    gtbfmbdbtsfb  for example.
    /joel
    
2377.45BHAJEE::JAERVINENNo Pentium insideMon Mar 01 1993 13:489
2377.46RPSTRY::CDDA::DICKSONMon Mar 01 1993 13:536
    I said "like German", because I thought more people would be familiar
    with what those words look like.   The language I am actually using
    is Hopi.   My password from last month means more or less "he is
    learning Hopi".   Like German, the Hopi language sticks lots of
    modifiers onto root words, resulting in some pretty long
    conglomerations.
2377.47The mother of all conglomerations (or a close relative at least)...RANGER::BACKSTROMbwk,pjp;SwTools;pg2;lines23-24Mon Mar 01 1993 14:259
2377.48place names are good....SMURF::WALTERSMon Mar 01 1993 14:5713
    Or you could use place names like the Welsh:
    
     LLanfairpwllgwyngychgogerychchwyndroblllantyssilogogogoch
    
    (probably spelt incorrectly)
    
    There's a Maori place name that's considerably longer.
    
    Colin
    

    
    
2377.49ELWOOD::LANEYeah, we can do thatMon Mar 01 1993 15:235
>     LLanfairpwllgwyngychgogerychchwyndroblllantyssilogogogoch

      Chargoggagoggmanchaugagoggchaubunagungamaug    

      was always my favorite. It's a lake in Webster, MA.
2377.50you could be on to something here....SMURF::WALTERSMon Mar 01 1993 15:3610
    
    This is probably what lies behind the legend of Prince Madoc
    and the Indians.  An old Welsh tale about a Prince who sailed West,
    somehow missed Ireland and landed in the US.  Left a trail of
    Welsh-speaking native Americans according to the tale.
    
    Sorry for the digression....
    
    Colin
    
2377.51sfbb?MAST::HOUSEKenny House - MLO3-6/C9 - DTN 223-6720Mon Mar 01 1993 15:535
    RE .44 - gtbfmbdbtsfb ...
    
    San Francisco Bay Blues ?
    
    -- Kenny House
2377.52STAR::ABBASIi think iam psychicMon Mar 01 1993 15:5523
    .48 

>    Or you could use place names like the Welsh:
>     LLanfairpwllgwyngychgogerychchwyndroblllantyssilogogogoch
>    (probably spelt incorrectly)
>    There's a Maori place name that's considerably longer.

    .49

    > Chargoggagoggmanchaugagoggchaubunagungamaug
    > was always my favorite. It's a lake in Webster, MA.

    ok guys, are you pulling our feet this morning or what??

    i know i was not born yesterday, there is no way a place can be called
    like this. how will someone lost ask for directions with a name like
    this?

    i bet you 5 boiled eggs no one can pronounce these words let alone have
    them a password for a secure system too.

    \bye
    \nasser
2377.53Lake Chargoggagoggmanchaugagoggchaubunagungamaug is for realFUNYET::ANDERSONCut spending firstMon Mar 01 1993 16:099
Nasser,

Lake Chargoggagoggmanchaugagoggchaubunagungamaug does indeed exist.  In fact,
there is or used to be a soft drink company in Webster that spelled the name out
on their soda bottles.

The lake does not, however, have a rathole like this topic does.

Paul
2377.54ratholes live!BLUMON::QUAYLEfries *my* clamsMon Mar 01 1993 16:167
    When my oldest daughter was in fifth grade, she did a report on
    Massachusetts.  I had suggested that she find a little known item of
    interest to begin her report.  She did so, mentioning Lake Charg... and
    giving the translation:  "You fish on your side; we fish on our side;
    nobody fish in the middle."
    
    
2377.55GSFSYS::MACDONALDMon Mar 01 1993 16:278
    
    Re: .52
    
    The place name in Wales is no joke either.  It exists and is
    world famous for its long name.
    
    Steve
    
2377.56POBOX::RILEYI *am* the D.J.Mon Mar 01 1993 20:586
    
    re: the ratholes on Lake c........
    
    ...and it's a nice digression at that.  
    
    "jackin' the house", Bob
2377.57ELWOOD::LANEYeah, we can do thatMon Mar 01 1993 23:285
|    re: the ratholes on Lake c........
|    ...and it's a nice digression at that.  

'specially on a nice hot day kicked back in a canoe...a long line
of mono off to that log....a BiG lunker coming up out of the goo...
2377.58great!!!HGOVC::JOELBERMANTue Mar 02 1993 03:524
    .51
    
    Right, but that was last months password.
    /j
2377.59The light is loose, tooGLDOA::FULLERThey don't call me stupid for nothingTue Mar 02 1993 13:588
    As long as we're doing passwords in non-English, may I suggest:
    
    	S O C K S
    
    which, as most American radio listeners know, is Spanish for "That's
    what it is"  ;^)
    
    	Stu
2377.60Then again, I spell it S O XVMSDEV::HALLYBFish have no concept of fire.Tue Mar 02 1993 18:409
>   	S O C K S
>    
>    which, as most American radio listeners know, is Spanish for "That's
>    what it is"  ;^)
    
    Of course if you heard the first set of commercials pitching S O C K S
    they had it translated as "that's what I want".
    
      John
2377.61A world-famous security expert's view of thisCSC32::K_HYDETue Mar 02 1993 21:3257
    I was working at DEC site where one of the security people suggested
    that we force 15 character, machine-generated passwords on people. 
    
    Having studied some computer crime case studies, I've noticed that
    many intruders just look around (scavenge) after hours and find
    passwords written under keyboards, on terminals, in telephone
    directories, etc.  So, I asked Peter G Neumann of the ACM RISKS Forum
    if he knew which password length might be the turning point where the
    increase in password length actually degraded security.  My guess is
    that the password length at which increasing the length actually
    degrades security rather than increases it is somewhere between 6-10 
    characters.  15 characters is so absurd that Peter G Neumann wouldn't
    even print it as a bad example.  I've included Peter's reply at the end 
    of this.  It's very interesting to see how one of the World's greatest 
    experts in computer security uses the word "absurd" to describe 15 
    character passwords.  
    
    If random guessing were the only possible attack on computer security, 
    then it would make sense.  But, random guessing isn't the only
    unauthorized way into a computer system.
    
    How much longer can Digital stay in business if our corporate security
    rules increase our internal costs without increasing benefits?  
    
                                     Kurt
    
    Here is Peter G Neumann's reply:
    
From:	DECSRC::"risks@csl.sri.com" "RISKS Forum  10-Nov-89 0858 PST" 10-NOV-1989 11:59:46.53
To:	rita::hyde (Migratory Database Worker 264-3839 MKO1-1/B02)
CC:	
Subj:	Re: Password Security And Common Sense 

15+ characters is absurd.
Passwords are intrinsically not secure, because there are so many ways of
compromising them without trying random attacks:
  * written down (especially if that long)
  * exposed (e.g., via unencrypted network communications)
  * sharing among people
  * multiply used passwords
  * implicit authentication (e.g., stored inside a macro or program)
  * guessable (although you can avoid dictionary words)
  * preencryptive attacks (e.g., based on dictionaries, initials, etc.)
  * replay of captured authenticators (encrypted or not)
  * trapdoors
and so on.  You might consider token authenticators before going to
15-digit passwords.  Peter
 
========================================================================
Received: from decwrl.dec.com by src.pa.dec.com (5.54.5/4.7.34)
	for rita::hyde; id AA03701; Fri, 10 Nov 89 09:01:13 PST
Received: by decwrl.dec.com; id AA06579; Fri, 10 Nov 89 08:59:54 -0800
Received: by hercules.csl.sri.com at Fri, 10 Nov 89 08:58:55 -0800.
	(5.61.14/XIDA-1.2.8.35) id AA05701 for hyde%rita.DEC@src.dec.com
In-Reply-To: Your message of Fri, 10 Nov 89 08:08:49 PST 
Message-Id: <CMM.0.88.626720334.risks@hercules.csl.sri.com>
    
2377.62re Kurt HYDE's .61 quote from Peter NEUMANN -- Right On!RDVAX::KALIKOWParody error, please retryWed Mar 03 1993 01:0011
 .61> and so on.  You might consider token authenticators before going to
 .61> 15-digit passwords.  Peter
    
    Yes!  _vide_ 2377.26, .41; and we'd get more potential benefits from
    token authenticators than just the reduction/elimination of
    escalating-length password hassles; we'd get increased mobile PC
    security plus a means for authentication of access to other electronic
    media, as well...
    
    Dan
    
2377.63view on how PeeCee handles security and related issuesSTAR::ABBASIi think iam psychicWed Mar 03 1993 11:5118
    when i leave my apt. i lock my PeeCee with the key. it comes with a key
    you lock the keyboard with it, no one case use it. the PeeCee wont even
    complete the boot with the key locked.

    i feel much save when i do that, much better than a password,
    i just take the key with me wherever i go knowing my PeeCee is save
    and sound.

    that is why iam starting to like PeeCee's they are so easy to use
    too and you cant believe how much software there is for them, and very
    nice too, except they seem to crash too much on you if you do something too
    complicated, i ordered more memory for mine so i hope this will help,
    i save my work every 5 minutes so that if it crashes i dont lose too
    much work. i think when PeeCees software become more reliable and
    resilient PeeCees will be even more important than they are already.

    \bye
    \nasser
2377.64one reason why banks use 4 charactersSMURF::WALTERSWed Mar 03 1993 12:2156
  
    re "Absurd 15"
    
    Psychologists refer to the memory limit as "the magical number
    seven, plus or minus 2" to reflect the fact that many people have
    problems with even a 5 digit sequence under certain circumstances. 
    This is one of the reasons why ATM cards use 4 digits - the cost of a
    workload on bank support desks just wasn't worth writing off the
    potential costs of fraud.  That is, more people would forget their
    number and require new cards more frequently.

    But this capacity guideline is based on the concept of "chunking" data
    in human information processing, so (in theory) we can remember a five
    word password as easily as a five digit. Since the early work on this
    by researchers like Ebbinghaus back in the 1800's, psychologists have
    identified several techniques for improving your memory to cope with a
    series of passwords.   I have five accounts that I use, plus other
    passwords for Voicemail etc.  I basically use the same information for
    all passwords, chunked and reorganised for each application.  This
    means that I only have to recall one basic sequence.   

    When a password expires, I can reorganise it.  When all possibilities
    are reorganised, I choose another sequence and create the individual
    passwords from it. This technique makes use of a very simple memory
    technique - the act of manipulating the information transfers it from
    short term memory to long term memory in a more efficient way than rote
    learning. Another good technique already mentioned is to use a poem,
    where the rhyme reinforces remembering.  If you know some particularly
    fruity limericks, any penchant for obscenity in passwords can be
    maintained easily!

    These are simple techniques and the information is in the
    public domain.  Perhaps we should include them in our product user
    information.

    However, this whole concept of passwords is becoming outmoded.  As PC's
    become more common, the stylus will replace the keyboard, another
    major barrier to computer access.  In these machines the user will
    simply use the most familiar  security measure - their signature.
    The portable system will be highly secure because it will only react
    to authorised persons' handwriting.  To prevent forgery, the system will
    not simply template the characters, but also extract mathematical and
    temporal constants from writing dynamics - things that cannot be forged
    like a conventional signature.
    
    Regards,
    
    Colin
    
    PS:  Einstein explained why he did not know his own telephone number.
    He said that he did not want to clutter his mind with trivialities so
    that he could devote more of it to creative thinking - it's a trait he
    shares with many thinkers.  Although one of his successors, Stephen
    Hawking, has a prodigious memory and was once able to dictate over 20
    pages of complex mathematical equations from memory.
                      
2377.65ALOS01::ALTMNT::KozakiewiczShoes for industryWed Mar 03 1993 12:349
re: .63

Should I find myself in your apartment while you're not at home (lusting 
after the data in your PeeCee), the fact that you have the key will not 
deter me in the least from absconding with the box and, using a 
screwdriver, having my way with it later.

Al

2377.66since on the subject of memorySTAR::ABBASIi think iam psychicWed Mar 03 1993 12:4022
    >Although one of his successors, Stephen Hawking, has a prodigious 
    >memory and was once able to dictate over 20
    >pages of complex mathematical equations from memory.

    there is also Euler, the most amazing scientific memory in the history
    of man kind, Euler got blind half way through his life, yet he 
    kept publishing as much as before, almost 700 papers and books in his
    life time, he knew by memory most of the mathematical formulas
    and did all the publication after he got blind just by doing all
    the calculation in his brain only.

    that was almost 180 or so years ago. he did not even use a PeeCee or
    any computer and he did not even need a password !

    i can also dictate over 20 pages of complex equations from memory,
    as long as they dont have to be correct equations. 

    well. hope this helps.

    \bye
    \nasser
2377.67STAR::ABBASIi think iam psychicWed Mar 03 1993 12:4821
    .65
>Should I find myself in your apartment while you're not at home (lusting 
>after the data in your PeeCee), the fact that you have the key will not 
>deter me in the least from absconding with the box and, using a 
>screwdriver, having my way with it later.

    i think my PeeCee is designed to detente when any one tries to temper
    with it without the proper key usage to unlock it .

    i also backup my PeeCee data every 2 hours on my little tape backup
    tape drive.

    hope this help.

    \bye
    \nasser
    ps. also i think my neighbors have a little doggy in their apt that will
    park very loud when any stranger is in site.


    
2377.68Discussion of points in Colin Walters' .64RDVAX::KALIKOWUnintelligibletsWed Mar 03 1993 13:3836
    _Pace_ Ebbinghaus, but imho the solution to the problem with multiple
    passwords is NOT improved mnemonic techniques, such as you have devised
    (and of which you are mentally capable).  I'm sure you're aware that
    you're in the extreme minority of folks with the "mental pigeonhole
    space" to carry such low-content information, because you're good at
    embellishing it with whatever works for you to add memorability to it. 
    Others, unable to cope in that way, write 'em down and/or bug their
    System Administrators when they lose 'em.  And if the various systems
    IMPOSE their own machine-generated passwords, so that folks lose the
    ability to synchronize or string together the info, sometimes they come
    after the SAs with sharp poignant sticks. :-)

    (-: Reminds me of one of my favorite moments from my grad student days
    at Brown -- when the Psych Department convened for the first time after
    I matriculated there, we all "went around the room" doing intros and
    short sketches of our areas of research and teaching interest.  One
    fellow whose research involved computerized studies of human memory
    along the lines of Ebbinghaus' research in the 1880's got up and said
    "My name is Art Reber, and I teach nonsense to Freshmen -- one syllable
    at a time." :-)

    And regarding signature access to pen-based PCs by pattern- and
    writing-dynamics recognition -- no quarrel that such authentication
    may well be possible (and even available now?), but here's a "followup
    question" regarding security for such a unit.  

    Say I "stylus-authorize" my way into my wirelessly-connected notebook
    or PDA, and through it I access my home-base data server.  I'm "logged
    in" to my corporate EasyNet...  and then my PDA gets lost or (worse!)
    ripped off.  How long does the authorized data connection last?  What
    damage can be done to my home-base data, and/or what can be copied out,
    until I report it stolen?  And what of the data directly ON the unit? 
    How long does IT remain accessible to the hands of the finder/thief?
                   
    Dan
    
2377.69Explosive MemoryVMSNET::STEFFENSENWed Mar 03 1993 14:1410
    
    
    Nasser, 
    
    
    	You and your PeeCee didn't happen to go for a little walk in New
    York did you?  Like around last Friday?
    
    Ken
    
2377.70Aha, another psycho lurks....SMURF::WALTERSWed Mar 03 1993 14:3323
    
    .68
    
    You're right - a definite case of "it works for me!".   (Hence the
    example from ATMs, which was designed to cater to the "lowest common
    factor".)  But I wasn't advocating mnemonic strategies in support of 15
    char passwords, only as a possible solution to an existing dilemma. 
    There are much simpler techniques that people can use that would only
    take a page of online help to describe!  Don't ask me what they are.
    I can't remember them...... ;-)
    
    
    Otherwise, I agree with the contention that 15 char passwords are
    counterproductive, but maybe a necessary evil.
    
    
    Many thanks for the "pen input" - I'll work it into my model!
    
    
    Regards,
                
    Colin
    
2377.71Detente?CX3PT2::CODE3::BANKSFri Mar 05 1993 13:429
Re:        <<< Note 2377.67 by STAR::ABBASI "i think iam psychic" >>>

>    i think my PeeCee is designed to detente when any one tries to temper
>    with it without the proper key usage to unlock it .

It would seem that the PC you're using here doesn't have a spell/grammer
checker, right?  :-)  :-)

-  David
2377.72Chwarae teg nawr!SMURF::WALTERSFri Mar 05 1993 15:419
    
    
> It would seem that the PC you're using here doesn't have a spell/grammer
> checker, right?  :-)  :-)
    
    Hey, he's pretty good at speaking our language.  Question is,
    can *we* speak his?  :-}
    
    Colin
2377.73ICS::CROUCHSubterranean Dharma BumFri Mar 05 1993 20:369
    You haven't yet figured out the keen wit that Nasser has? I bet he
    has better grammar than most of us, myself included. English was
    far down my list of favorite subjects.
    
    Read between the lines and laugh along. I know he cheers my day up
    now and then.
    
    Jim C.
    
2377.74Hidden problem with signature accessTOOK::MORRISONBob M. LKG2-2/BB9 226-7570Fri Mar 05 1993 21:234
  Re signature-access stylus PC's: it sounds like if you break your writing
arm, you can't access your PC because your signature will look bogus. Also,
if you can use your signature to access the computer at work, how does the
system manager de-authorize you when you leave the company?
2377.75Serious Rathole (I'll Stop! I Promise!)ALAMOS::ADAMSVisualize Whirled Peas!Sun Mar 07 1993 02:2039
    re: .74
    
    My rebuttal to this is:
    
    1) You break your arm skiing over the weekend
    
    2) Monday [afternoon] you call the office and indicate you'll be out
    for a while
    
    3) A few days later you go on STD (per company policy)
    
    4) A new and improved version of DECinspect notices your account hasn't
    been accessed for the past 2+ weeks, and notifies the SM
    
    5) The SM, per company policy, deletes your account (and the latest
    build of VMS) due to the fact you've obviously been TFSO'd
    
    6) You get the cast removed, and return to work on a Monday
    
    7) You notice the absence of your account, the hate memo from the rest
    of the VMS team, and the lack of any expense voucher reimbursements (no
    account, no way to have the e-mail notifications sent out)
    
    8) You call personnel, travel, finance, and make up with the VMS team
    "It was all a terrible mistake"
    
    9) Your boss comes in [afternoon] and says, "I thought you were
    TFSO'd?"
    
    10) You arrive at the hospital with a broken hand due to hitting your
    boss
    
    11) goto step 1
    
    --- Gavin
    
    (sorry, but a lot of thoughts came together and had to be expressed)
    
    :) :) :) :) (for da humor impaired)
2377.76SPECXN::BLEYMon Mar 08 1993 14:1911
    
    RE: .72
    
    >>>Hey, he's pretty good at speaking our language.  Question is,
    >>>can *we* speak his? :-}
    
    *WE* are not in his land...*HE* is in ours.  If we go to his land
    then we should be able to communicate at least as well there as /Nasser
    does here. 
    
    
2377.77Twwwweeeeeettttttttt!ROWLET::AINSLEYLess than 150 kts. is TOO slow!Mon Mar 08 1993 15:095
re: .76

Did you miss the smiley-face in .72?

Bob