Quote: passwords should also provide mutual authentication, authenticated key exchange, and user identity protection [»haleS8_1999]

Quote: if the porter only admits people with invitations, we trust that admitted people have an invitation [»lost entries]

Quote: good passwords: word pairs with punctuation, pass phrase; avoid letter permutations; use proactive password checking

Quote: a pass phrase is a 5-10 word English phrase used as a password [»feldDC8_1989]

Quote: use a two part password, a long password on a slip of paper and a short one memorized [»schnB_2000]

Quote: one-time passwords written down as a list; store the list securely [»schnB_2000]

Quote: for a password a knitter might knit-and-purl 25 stitches; safe even from most onlookers [»haskJA8_1984]

Quote: pass-algorithms: instead of a password, let the computer present and manipulate data while the user remembers an algorithm [»haskJA8_1984]

Quote: a pass-algorithm could embed the subpassword data somewhere in the prompt [»haskJA8_1984]

Quote: the Plan 9 factotum handles the user's keys and security interactions; no cryptographic code in applications; like the SSH agent [»coxR8_2002]

Quote: require an interactive dialog before unlocking personal accounts; protects against host-resident attacks [»coxR8_2002]

Quote: can attack Plan 9's factotum by rebooting the server with a debugging kernel [»coxR8_2002]

Quote: authentication server can prevent password guessing attack; allows memorizable password [»haleS8_1999]

Quote: all strong password mechanisms use public-key techniques to resist password-guessing attacks; probably necessary [»haleS8_1999]

Quote: a call-back, prevents a site from masquerading as another site [»nowiDA8_1978]

Quote: UNIX uses encrypted passwords that include a random number assigned by the system to the user [»morrR11_1979, OK]

Quote: UNIX prevents key searching by encrypting password with a 12-bit random salt; so 4096 versions of each password [»morrR4_1978]

Quote: the Telecomputer includes a secret, built-in password as well as a user password [»morgC4_1982]

Quote: UNIX first used a cleartext password file with strong access protection; vulnerable when editing; lapse revealed all passwords [»morrR4_1978]

Quote: an intruder can replace the login command and capture passwords; avoid by challenge-response or a handheld authenticator [»bellSM10_1990]

Quote: nearly all cryptographic failures due to protocol or password deficiences; e.g., using nine random characters to protect PGP's private keys [»lensAK9_2001]

Quote: even in the CIA, only 85% of passwords are good [»zippJ6_2001]

Quote: in a week, identified 21% of the passwords from 15,000 accounts [»kleiDV5_1991]

Quote: on an unsecured system, can guess over 30% of the passwords by running large word lists through the crypt function [»feldDC8_1989]

Quote: conventional passwords are easily attacked: exhaustive search, guessing, dictionary, capturing unencrypted passwords, trapdoors, etc. [»neumPG4_1994]

Quote: performance of crypt password authentication increased from 4 per second in 1976 to 200,000 per second in 1999

Quote: UNIX password system for frustrating widespread password searches; super-user passwords already effective [»morrR4_1978]

Quote: crypts/sec/dollar has improved 10^5x in 10 years; need to increase password entropy to improve password security [»feldDC8_1989]

Quote: can exhaustively search passwords of 7-8 lower-case letters; if improvement repeats, will need 8 full-ASCII passwords in 10 years [»feldDC8_1989]

Quote: a precomputed password dictionary is 28x faster than real-time encryption [»feldDC8_1989]

Quote: use bcrypt and eksblowfish for adaptable cost encryption and password authentication [»provN6_1999]

Quote: password algorithm should not be faster outside of normal use; fast CPU instructions, no bit transposition, no pipelining, no precomputation [»provN6_1999]

Quote: it is important to change passwords because increasing the time available for cracking requires increased password entropy [»feldDC8_1989]

Quote: to avoid hardware DES attacks, UNIX randomly changes the E-table of the DES algorithm [»morrR4_1978]

Quote: use exponential key exchange to limit password-guessing assaults [»bellSM10_1990]

Quote: use two passwords; the 2nd one closes the account if too many errors; prevents exhaustive search and sabotage of service [»morsD1_1986]

Quote: the response to an invalid login should be identical to that for a valid one [»morrR11_1979]

Quote: defeat password guessing with a hash function that has numerous collisions for the correct data and only one checksum for modified data; change password whenever the data changes or an attack is detected [»lomaM1_1995]

Quote: passwords and security audits are no more than "security blankets" as long as hardware and software are vulnerable [»kargPA6_1974]

Quote: passwords are hard to maintain and reduce productivity; better to use short passwords that change yearly [»zippJ6_2001]

Quote: in Kerberos, all privileges depend ultimately on the user's typed password [»bellSM10_1990]

Quote: if a password system runs on a multi-user workstation, cached keys are accessible to attackers [»bellSM10_1990]

Quote: Unix password files do not authenticate the system to the user [»satyM8_1989]

Quote: Unix password files assumes physically secure communication