An interesting morning, not bad given that it isn’t 0915 yet. Anyways, I’ve just read some fascinating articles…
A guy I work with had been asking about how to figure out the entropy of a password. This is, put simply, measuring the disorder of a password – the more disordered, the harder it is to predict. And this is very hard to do, for reasons I’ll explain some other time.
Anyways, we then discussed passphrases. Instead of being a word like ‘Bgc4$4q2’ or something equally obscure, you use a phrase that would be difficult to reproduce – ‘Eat flying doughnut on Thursday’. This is still difficult to figure out the entropy for – you could choose an easily predicted password (e.g. ‘In the beginning God created the heaven and the earth’) – but is generally more secure.
So this morning I read a fascinating article by a guy from Microsoft PSS Security about passphrases. Worth a look for all techies, certainly I’ll be looking at using passphrases from here on.
I’ve also just read an article about how authentication never expires in e-commerce sites. An interesting point – it should be possible to terminate accounts on e-commerce sites. I mean, if you don’t, if the account is still valid, then your details could be used. But I can’t say that I know of a way to go to Amazon and tell them to disable my account.
I guess one option would be that if an account just hasn’t seen any activity in a while, you send out an email warning of it’s impending shutdown. If there is no response, close it down. Not perfect, but you’re making the window for the abuse of that username/password smaller.
And lastly, there is an article on why secret questions are a bad idea for password recovery. Basically, it’s the old ‘Security is as good as it’s weakest link’. Never liked these things anyway.