What should the password...

Richard Meesters ram at attcan.UUCP
Tue Dec 19 01:25:14 AEST 1989


In article <MITCH.89Dec15104132 at hq.af.mil>, mitch at hq.af.mil (Mitchell..Wright) writes:
> I have heard the argument that "It is too hard to remember X number of
> passwords".  Well, it's not - you just have to set up a system for yourself.  A
> system I used for a while was to take an acronym (i.e. nasa) and combine it
> with a non-alphanumeric (i.e. !) and append the hostname (first ~3 char).  For
> instance, my password on Podunk.edu might be "cuw*Podu".  Your acronyms can be
> as obscure as you want.  Using the hostname is probably not a good thing to
> use to vary your passwords since a cracker could probably figure that pattern
> out.  So using this concept one could make the password "P[cuw]u", to make the
> pattern less obvious or use a non-obvious varying part "cuw!07" where the "07"
> part might mean the 7th choice on your terminal emulator's calling directory
> amongst other things.  Of course the real strength in this password scheme is
> not that the passwords are different, but that an acronym can be a very good
> password and a good acronym will only be "cracked" by an exhaustive search.

All this is a wonderful way of thinking up a password, but what happens
when it comes to password aging?  If you have to change your password as a
result of aging, how do you change the pattern?  Do you have to come up with
a new acronym?  If so, you may find that it's just as hard to remember as any
other way that people can come up with.

I figure that how you set up your password schemes should depend on how much
security you want to build into your systems.  On my personal systems, I don't
use, nor do I want to be forced to use, password aging.  I don't think I have
any information that needs to be necessarily secured.  Unfortunately, as you
increase the level of security, you are going to increase the difficulty of
accessing the system for your users.  I just can't see any other way around
it.

Regards,
Richard Meesters





