Jesper's Blog

Obligatory file photo:

Welcome to Jesper Johansson's blog. This is my home for pontification on the web. In case this is your first time here, I have been working on information security for about 20 years, and have been writing and speaking on the topic for about 10. I am also a Microsoft MVP in Windows Security.
My most recent book is the Windows Server 2008 Security Resource Kit . Because I am also a scuba instructor you may find some posts related to that topic as well. Just because it took me so long to get it, I also like to say that I have a Ph.D. in Management Information Systems from the University of Minnesota.

Passwords are here to stay

At least for the short to medium term. That is the, quite obvious, conclusion drawn in a Newsweek article entitled "Building a Better Password." The article goes inside the CyLab at Carnegie-Mellon University to understand how passwords may one day be replaced. It is interesting reading all around.

The article is not without some "really?" moments though, such as this quote:

The idea of passphrases isn't new. But no one has ever told you about it, because over the years, complexity—mandating a mix of letters, numbers, and punctuation that AT&T researcher William Cheswick derides as "eye-of-newt, witches'-brew password fascism"—somehow became the sole determinant of password strength.

Actually, I do believe someone did tell you about it. Five years ago now, in fact.

Published Sat, Oct 10 2009 10:54 PM by jesper

Filed under: Security

Comments

# Larry Seltzer said on 11 October, 2009 05:28 AM

I wrote about it then too (www.eweek.com/.../Will-Passphrases-Foretell-the-Death-of-Pa55W0rd5 - and I probably linked to your article).

The problem with passphrases is that a lot of sites (Amazon i think is one) don't let you use a long-enough password or embed spaces.

# Mick said on 11 October, 2009 05:13 PM

Jesper.. The issue here isn't the text, it's the writer. My biggest pet hate is journo's writing about security when they have no experience in IT let alone Security. Typically this results in what we've seen here.. misinformation provided to the public. The Sydney Morning Herald in Australia continually do this as well and despite a constant complaints refuse to hire an IT or InfoSec Professional to pen their IT articles.

It doesn't matter how hard we work... our work is being undone by these clowns.

# Candee said on 12 October, 2009 07:02 AM

Indeed. I remember it well.

It was one (of many) practices I adopted as my own. And my told my users (and anyone else who would listen) about it.

Good work!

Candee

# admin said on 13 October, 2009 09:08 PM

Let me know if you get this?

Test.

Search

This Blog

Home

Community

Syndication

News

The Windows Server 2008 Security Resource Kit is available!
. You can also order it as part of the whole Windows Server 2008 Resource Kit and save some money.
Or, if you need to know about Vista instead, there is:

If you need a more general approach to help you Protect Your Windows Network, there is a book for that too

There is now a mobile version of the blog.

All postings are copyright Jesper M. Johansson or Steve Riley, in the year they were made. These postings are provided "AS IS" with no warranties, and confer no rights. All postings are the sole opinions of Jesper M. Johansson or Steve Riley and do not reflect any official opinion of anyone else with whom the poster(s) are affiliated or has been affiliated in the past. Use of included code samples is permitted for non-commercial use, with no warranties of fitness express or implied. All use of any information or code snippets posted in this blog at the user's sole risk. The blog site would like to thank www.ownwebnow.com and www.exchangedefender.com for their support.

Powered by Community Server (Commercial Edition), by Telligent Systems