[Discuss] Most common (or Most important) privacy leaks

[sweetser at alum.mit.edu (Doug)]

My bad, here was my not-intended-to-be-private reply:

My passwords are 19 characters long (if possible).  Size is the important
issue for making passwords strong.  I don't type them in.  Instead I use
lastpass.  If I had to keep things secure, I would consider their
enterprise service.


"Letter count is a pointless factor in password security."

I don't think the math supports you on this one.  Compare these three:

whom
NtoU
UTap

to:

j885DK5Q0kqy88Sqm52
uKf98RjGre1yI27a59l
uKf98RjGre1yI27a59l

The first three were set with a length of 4 and made pronounceable.  The
later three are 19 characters long.  I recall an article that said quite
specifically that length was more important that choosing diverse
characters.

Employees will be people.  People's preferred passwords are password and
123456.  I can be certain a dedicated attack can crack that system.

Most companies don't have anyone that knows cryptography.  If you do have
such a person, it is hard to understand them.  I suspect lastpass is full
of such people who are every bit as paranoid as readers of this group.
Actually, probably more so since it is their entire job.  If you make
enforce strong encryption policy a necessary rule, and make it convenient
(even for use on the phone), then people will do it.  It is so much easier
to click on a button in the browser to make a password than think of one
and write it down.  That is how I wrote the email.

You also will need to revoke passwords once the employee has left.  Sounds
like a good job for software.  And because lastpass is making money selling
to enterprise clients, they can also provide nice reports for the business
types that have to pay for the service.