padgett%tccslr.dnet@uvs1.orl.mmc.com (11/02/90)

Kim Martin's posting brings up a point that cannot be stressed too highly: BBS SYSOPs can read passwords on their board.

While it is a pain to some extent to try to keep track of tens of systems/passwords, it can be reduced to an algorithm that has the advantage of not being vulnerable to dictionary searches. Without being overly specific, I use a four-part password, one part of which identifies whether the system is internal, external commercial, or external BBS; another is a personal identifier for this cycle; and a third is an identifier for a specific location. This makes passwords easy for me to construct mentally (at most, just the location part needs to be recorded), and relatively secure so long as location patterns are avoided.

Of course, for real security, dynamic one-time passwords using tokens are the answer.

Padgett
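An added example, not code from the original post: the construction Padgett describes, written in Python with the three parts he names (system class, per-cycle personal identifier, location), alongside a keyed variant that goes beyond the post (an HMAC over the per-system label under a remembered secret, so a SYSOP who reads one board's password cannot reconstruct the others) and a crude model of a dictionary search. The class names, the part order, the separator, the output length and the sample word list are all assumptions; the post's fourth part is unspecified and is left out.

```python
import base64
import hashlib
import hmac

# Constructed for this example; the post does not give these names.
SYSTEM_CLASSES = ("internal", "commercial", "bbs")

# Constructed sample word list standing in for a cracker's dictionary.
WORDLIST = ("password", "orlando", "secret", "martin", "sysop")

# Characters a Base32 string can contain, used to check the keyed output.
BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def mental_password(system_class: str, cycle_id: str, location: str) -> str:
    """Concatenation scheme as the post describes it: the parts are joined in a
    fixed order, so only the location part ever needs to be written down.
    The three-letter class prefix is an assumption of this example."""
    if system_class not in SYSTEM_CLASSES:
        raise ValueError(f"unknown system class: {system_class!r}")
    return f"{system_class[:3]}{cycle_id}{location}"


def keyed_password(master_secret: bytes, system_class: str, cycle_id: str,
                   location: str, length: int = 12) -> str:
    """Keyed generalization (this example's assumption, not the post's scheme):
    the remembered secret keys an HMAC-SHA256 over a per-system label, so the
    password a SYSOP reads reveals neither the secret nor other systems'
    passwords. Base32 output uses only A-Z and 2-7, which survives case
    folding and restrictive login prompts; 32 bytes give at most 52 chars."""
    if system_class not in SYSTEM_CLASSES:
        raise ValueError(f"unknown system class: {system_class!r}")
    if not 1 <= length <= 52:
        raise ValueError("length must be between 1 and 52 characters")
    label = f"{system_class}|{cycle_id}|{location}".encode("utf-8")
    digest = hmac.new(master_secret, label, hashlib.sha256).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")[:length]


def matches_wordlist(password: str, wordlist=WORDLIST) -> bool:
    """Crude dictionary-search model: the candidate is a word, or a word
    followed by up to four digits, compared case-insensitively."""
    lowered = password.lower()
    words = {w.lower() for w in wordlist}
    stripped = lowered.rstrip("0123456789")
    if len(lowered) - len(stripped) > 4:
        return False
    return lowered in words or stripped in words


def passwords_are_distinct(master_secret: bytes, cycle_id: str, systems) -> bool:
    """True when every (class, location) pair gets a different keyed password,
    i.e. compromise of one board's password does not reuse across boards."""
    derived = [keyed_password(master_secret, cls, cycle_id, loc) for cls, loc in systems]
    return len(set(derived)) == len(derived)


if __name__ == "__main__":
    # Constructed sample inputs: one cycle identifier and four systems.
    cycle = "p90"
    systems = [("internal", "orl"), ("commercial", "orl"), ("bbs", "orl"), ("bbs", "tpa")]
    print("mental scheme:", [mental_password(c, cycle, l) for c, l in systems])
    secret = b"remembered-phrase-not-written-down"
    print("keyed scheme: ", [keyed_password(secret, c, cycle, l) for c, l in systems])
    print("all distinct: ", passwords_are_distinct(secret, cycle, systems))
```

The keyed variant trades the mental convenience of the original scheme for a property the concatenation cannot give: the only thing a board operator learns from the stored password is the password itself.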
Kim Martin's posting brings up a point that cannot be stressed too highly: BBS SYSOPs can read passwords on their board. While it is a pain to some extent to try to keep track of tens of systems/passwords, it can be reduced to an algoritm that has the advantage of not being vulnerable to dictionary searches. Without being overly specific, I use a four part password, one of which identifies if the system is internal, external commercial, or external BBS; another is a personal identifier for this cycle; and a third being an identifier for a specific location. This makes passwords easy for me to construct mentally (at most, just the location part needs to be recorded), and relatively secure so long as location patterns are avoided. Of course, for real security, dynamic one-time passwords using tokens are the answer. Padgett