What should the password/security/userinfo/login system include?

Peter da Silva peter at ficc.uu.net
Tue Dec 19 09:51:10 AEST 1989


In article <17451 at rpp386.cactus.org> jfh at rpp386.cactus.org (John F. Haugh II) writes:
> In an ideal world, yes, the ideal user would use 8 character random
> generated passwords.  However, studies show that more difficult
> passwords tend to be written down, and once people start writing
> down passwords, security goes out the window.

Isn't that implied by what I just said? I don't know where you get these
ideas. It's certainly not by reading what I wrote, and if it's by reading
my mind you've obviously got a noisy connection.

For "machine" read "administrative unit". Sure, use the same password
on all the workstations in your department, or all the computers at your
computer center. How many people have 30 or 40 accounts under different
umbrellas? Unless you mean BBSes... if you're worried about BBS security
I suggest you start by burning the floppies and fire a 45 through the
hard disk...

Security and convenience are orthogonal considerations. The more secure
your system, the less convenient it is to use. Outside of the paranoid
reality inhabited by the DoD and IBM, the sort of fascist tactics you're
suggesting (such as forcing people to choose new passwords that don't
match any old ones and avoid certain patterns) just aren't worth it.

And within it, they just make it harder for people to remember their
passwords. So they write them down.
-- 
`-_-' Peter da Silva. +1 713 274 5180. <peter at ficc.uu.net>.
 'U`  Also <peter at ficc.lonestar.org> or <peter at sugar.lonestar.org>.
"It was just dumb luck that Unix managed to break through the Stupidity Barrier
and become popular in spite of its inherent elegance." -- gavin at krypton.sgi.com



More information about the Comp.unix.wizards mailing list