RE: Linking Password Length to Write-down probability
From: Bob Kurth (Bob.Kurth_at_fcserv.com)
Date: 05/27/05
- Previous message: Smith, Ryan: "RE: help , scripting for security"
- Maybe in reply to: Stian Øvrevåge: "Linking Password Length to Write-down probability"
- Next in thread: John Blackley: "Re: Linking Password Length to Write-down probability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 27 May 2005 08:33:05 -0500 To: <security-basics@securityfocus.com>
Stian:
I have also been looking into this particular subject for differing reasons. I want to increase length and complexity requirements at my place of business, but management seems to think their employees are not smart enough to meet the task. From what I have been seeing in my googling, the consensus appears to be to move to the pass-phrase rather than a more complex password. Of course, a really good pass-phrase would meet all those complexity requirements (alphas, numerics, and special characters). Most of the Operating and Networking systems out there support moving to a string up to 128 characters long. The link below is another good source reference for this, but doesn't really answer your query of whether or not there have been studies comparing the length and complexity requirements to the probability of the end user writing their password down.
http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf
Robert Kurth, CISSP
-----Original Message-----
From: Stian Øvrevåge [mailto:sovrevage@gmail.com]
Sent: Thursday, May 26, 2005 4:07 AM
To: security-basics@securityfocus.com
Subject: Linking Password Length to Write-down probability
God morning list!
I continually read papers which advertise increased password lenghts (
and outrageous complexity requirements ) as The Solution(TM). I work
in a fairly large organization and I can safely acknowledge that even
8 character passwords with moderate complexity requirements are VERY
prone to beeing written un-encrypted and un-hashed on Post-Its, and
then safely contained, under the keyboard, or on the monitor. Which in
my humble oppinion is bordering to "stupid security".
I'm certain that there is a link between required password lenght and
complexity and the probability of users taking the huge leap backwards
and writing passwords down.
I've been doing a little Googling, but I can't seem to find any
scientific analytical/statistical research done on this particular
subject. Is anyone out there aware of any works done in this field? If
not, is there anyone intrested in conducting such a survey on the
behalf of the community?
Regards, Stian
- Previous message: Smith, Ryan: "RE: help , scripting for security"
- Maybe in reply to: Stian Øvrevåge: "Linking Password Length to Write-down probability"
- Next in thread: John Blackley: "Re: Linking Password Length to Write-down probability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
