Great Circle Associates Firewalls
(September 1996)
 


Subject: [OFF TOPIC][HUMOR] Password Guidelines (**) (fwd)
From: Rabid Wombat <wombat @ mcfeely . bsfs . org>
Date: Mon, 2 Sep 1996 17:18:52 -0400 (EDT)
To: firewalls @ greatcircle . com

Sorry for wasting the time of you anal-retentive types, but I had to pass 
this on for those with a sense of humor.

Flames to /dev/null

- r.w.

-----------------------------------------------------------------------

Paul Ashton <paul @ argo . demon . co . uk>
Newsgroups: comp.security.unix
Subject: Advice on password security guidelines

Hi,
my boss has asked me for comments and improvements on his new password
security policy. To me, it seems a bit severe. If anyone can offer any
additional suggestions please do, here goes...

For immediate issue:
Password changing guidelines V2.2b

Due to new security policies, the following guidelines have
been issued to assist in choosing new passwords. Please follow
them closely.

Passwords must conform to at least 21 of the following attributes.

1.  Minimum length 8 characters
2.  Not in any dictionary.
3.  No word or phrase bearing any connection to the holder.
4.  Containing no characters in the ASCII character set.
5.  No characters typeable on a Sun type 5 keyboard
6.  No subset of one character or more must have appeared on
    Usenet news, /dev/mem, rand(3), or the King James bible (version
    0.1alpha)
7.  Must be quantum theoretically secure, i.e. must automatically
    change if observed (to protect against net sniffing).
8.  Binary representation must not contain any of the sequences 00 01
    10 11, commonly known about in hacker circles.
9.  Be provably different from all other passwords on the internet.
10. Not be representable in any human language or written script.
11. Colour passwords must use a minimum 32 bit palette.
12. Changed prior to every use.
13. Resistant to revelation under threat of physical violence.
14. Contain tissue samples of at least 3 vital organs.
15. Incontrovertible by OJ Simpson's lawyers.
16. Undecodable by virtue of application of 0 way hash function.
17. Odourless, silent, invisible, tasteless, weightless, shapeless,
    lacking form and inert.
18. Contain non-linear random S-boxes (without a backdoor).
19. Self-escrowable to enable authorities to capture kiddie-porn people
    and baddies but not the goodies ("but we'll only decode it with a
    court order, honest").
20. Not decryptable by exhaustive application of possible one time pads.

Due to the severity of the restrictions, if the password is entered
incorrectly 3 times at login time, you will be asked if you would like
to pick a new one.

Please add guidelines to the above and adjust the minimum conformation
requirement, if applicable.

