5 comments

[ 2.6 ms ] story [ 21.9 ms ] thread

  You don't have permission to access /programs/twonz.html on this server.
That's actually a passphrase.
403'd. Also, venge.net is apache test page.

6 points, 1 hour ago? Let's hope that's because those are legit upvotes before the site went down.

(comment deleted)
It requires a pass phrase. On a related note, I remember reading an article that had some interesting things to say about password security. I tried to find it, but I ended up with this blog post that does not include the derived "millions of years" numbers: http://blogs.technet.com/b/robert_hensing/archive/2004/07/28...

The main point is to use a pass phrase. You can satisfy almost everyone if you make sure to include some caps and numbers in it where it makes sense. The original article I read determined that it was sufficient to have a phrase of at least three plain English words! The blog post goes over the WHYs.

So I am suggesting: if you are going to put a pass phrase into this software in the first place, just use the pass phrase.

The only trouble here is that you need a backup plan. Sysadmins like to make you change your password periodically, and this policy differs for every system you use, so you have to somehow remember your new passwords/pass phrases along with which sites have your old passes.

The sysadmins have good reason: what if someone DID figure out your password/pass phrase? and what if you did not know it? Changing it cuts off the enemy's access, yes, but if there is a pattern to your choice of phrase across sites, you are in trouble.

So how do we solve the problem of making passwords/phrases easy to remember, easy to change, and super hard to crack?