Re: Linking Password Length to Write-down probability

Doug.Janelle_at_Thermo.com
Date: 05/26/05

    To: Stian Øvrevåge <sovrevage@gmail.com>
    Date: Thu, 26 May 2005 16:09:40 -0400
    
    
    

    It seems obvious that the longer/more complex the
    password, the more likely the user is to write it down,
    so I'm not sure that such a study would really yield any
    new insight. What I've taken to doing is stressing the idea
    of a passphrase instead of a password, then using the
    initial letters of each word, and mixing caps/other characters
    as needed for complexity, so:

    "My dog used to have fleas but he ate them" becomes "Mdu2Hfbh8T"

    10 characters, rather than 8, upper-lower-numeric, but still a
    password the user can be reasonably expected to remember.

    dcj2

    Stian Øvrevåge <sovrevage@gmail.com> on 05/26/2005 05:06:42 AM

    Please respond to Stian Øvrevåge <sovrevage@gmail.com>

    To: security-basics@securityfocus.com
    cc: (bcc: Doug Janelle/Inc/Jouan)

    Subject: Linking Password Length to Write-down probability

    
    

    Good morning list!

    I continually read papers which advertise increased password lengths
    (and outrageous complexity requirements) as The Solution(TM). I work
    in a fairly large organization and I can safely acknowledge that even
    8 character passwords with moderate complexity requirements are VERY
    prone to being written un-encrypted and un-hashed on Post-Its, and
    then safely contained, under the keyboard, or on the monitor. Which in
    my humble opinion is bordering on "stupid security".

    I'm certain that there is a link between required password length and
    complexity and the probability of users taking the huge leap backwards
    and writing passwords down.

    I've been doing a little Googling, but I can't seem to find any
    scientific analytical/statistical research done on this particular
    subject. Is anyone out there aware of any works done in this field? If
    not, is there anyone interested in conducting such a survey on the
    behalf of the community?

    Regards, Stian

