Re: Linking Password Length to Write-down probability

• Previous message: Ryan Platt: "RE: Linking Password Length to Write-down probability"
• Maybe in reply to: Stian Øvrevåge: "Linking Password Length to Write-down probability"
• Next in thread: Dan Tesch: "Re: Linking Password Length to Write-down probability"
• Reply: Dan Tesch: "Re: Linking Password Length to Write-down probability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Stian Qvrev=E5ge?= <sovrevage@gmail.com>
Date: Thu, 26 May 2005 16:09:40 -0400

It seems obvious that the longer/more complex the
password, the more likely the user is to write it down,
so I'm not sure that such a study would really yield any
new insight. What I've taken to doing is stressing the idea
of a passphrase instead of a password, then using the
initial letters of each word, and mixing caps.other characters
as needed for complexity, so:

"My dog used to have fleas but he ate them" becomes "Mdu2Hfbh8T"

10 characters, rather than 8, upper-lower-numeric, but still a
password the user can be reasonably expected to remember.

dcj2

Stian

Øvrevåge <sovrevage@gmail.com> on 05/26/2005 05:06:42 AM

Please respond to Stian Øvrevåge <sovrevage@gmail.com>

To: security-basics@securityfocus.com
cc: (bcc: Doug Janelle/Inc/Jouan)

Subject: Linking Password Length to Write-down probability

God morning list!

I continually read papers which advertise increased password lenghts (
and outrageous complexity requirements ) as The Solution(TM). I work
in a fairly large organization and I can safely acknowledge that even
8 character passwords with moderate complexity requirements are VERY
prone to beeing written un-encrypted and un-hashed on Post-Its, and
then safely contained, under the keyboard, or on the monitor. Which in
my humble oppinion is bordering to "stupid security".

I'm certain that there is a link between required password lenght and
complexity and the probability of users taking the huge leap backwards
and writing passwords down.

I've been doing a little Googling, but I can't seem to find any
scientific analytical/statistical research done on this particular
subject. Is anyone out there aware of any works done in this field? If
not, is there anyone intrested in conducting such a survey on the
behalf of the community?

Regards, Stian

• Previous message: Ryan Platt: "RE: Linking Password Length to Write-down probability"
• Maybe in reply to: Stian Øvrevåge: "Linking Password Length to Write-down probability"
• Next in thread: Dan Tesch: "Re: Linking Password Length to Write-down probability"
• Reply: Dan Tesch: "Re: Linking Password Length to Write-down probability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]