Re: Strong Passwords Revisited

From: Calvin Crumrine
Date: 02/14/03

From: Calvin Crumrine <>
Date: Fri, 14 Feb 2003 10:20:41 -0900

Mimic wrote:
> note: from a psychology perspective, people remember 7 +/- 2 (5-9 chars).
> As for the 32/64 chars, this gives a much larger area for error, people may
> type their passwords in slower (risk: shoulder surfing)
> or still write them down, with a system that allows 3 invalid login attempts
> and the error margin in a 64 char password, people will probably end up
> getting locked out a lot, causing problems for the sysadmin and obscuring
> real attack attempts in any log files. And like ...Lawrence said, a
> memorable line is going to be a common/well known line.

Two other issues we deal with here are different aspects of password
expiration. If passwords expire too frequently then even the 'memorable'
line causes problems: users must come up with too many memorable lines &
often can't remember which is their current one.

If the password is to a system that is only used occasionally then it's
also difficult to remember. Using the same password doesn't help, unless
the user remembers to log into that occasional use system (or systems)
simply to change the password whenever they change their 'regular'
system password. And that seldom happens.

The result is that each time the user accesses that occasional use
system their password is expired. But to change it they must enter their
old password which is often their 'regular' password from about 3
changes back! Now the user must not only remember which 'memorable' line
is their current password, but also which ones were their last few
passwords. What a mess! No wonder they tend to write these down.

Don't have any solutions, but thought I'd throw out these problems for