Re: Strong Passwords Revisited

From: Lawrence D'Oliveiro (ldo@geek-central.gen.new_zealand)
Date: 02/14/03


From: Lawrence D'Oliveiro <ldo@geek-central.gen.new_zealand>
Date: Fri, 14 Feb 2003 23:53:39 +1300

In article <kfjX9.27575$7_.109525@news1.mts.net>, "Jeff Williams"
<frostback1963@yahoo.com> wrote:

>One problem with "strong" passwords is that they're very hard to remember.
>"zucchini" is easy to remember. "*&cFho4#" is, for most people I know, hard
>to remember. What are such people likely to do with hard passwords?
>They're going to write them down (and often post them on a yellow sticky on
>their freakin' monitor). This is not very good from a security perspective.
>
>I've often wondered why passwords seem to be limited to 8 or 10 characters.
>Why not limit them to, say, 32 or 64 characters and let people use phrases
>that they can easily remember? Many people have a vast repository of
>remembered pop songs. Others memorize scripture or poetry. Such phrases do
>serious damage to the concept of dictionary attacks as well as to BFI
>attacks.

Trouble is, even though there may be millions of potential lines of song
lyrics, poetry or whatever out there, people will tend to pick the most
memorable ones. That means that some lines and phrases will end up being
highly popular, while most of the rest are hardly used at all. What's
the bet that some large fraction of people will use "to be or not to
be", just for instance?

I thought of a sort of compromise idea: choosing a single random word
from a dictionary is a bad idea, but what if you choose multiple random
words?

Consider a modestly-sized dictionary of just 10,000 English words. If
you choose 3 words at random, you end up with 10^12 possibilities. This
is not far short of the possibilities with choosing 8 completely random
letters and digits (about 2.8 * 10^12 possibilities).

Of course, the point is that the choices really must be random. "three
blind mice" would be a bad choice, while "invigorate gargantuan colour"
would be a much better choice--the less meaningful the phrase is, the
better. The question is, would it still be feasible for users to
remember such random phrases without writing them down, given that they
are just a short sequence of ordinary words?
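The keyspace comparison in the post, worked through as an added example (not code from the original message): it counts passphrases of k words drawn from an N-word dictionary against strings of random characters, converts both to bits of entropy, and draws the words with the `secrets` module so the choice is actually random rather than memorable. The word list is a constructed stand-in for the 10,000-word dictionary the post assumes.

```python
import math
import secrets

# Constructed sample list; the post assumes a real dictionary of ~10,000 words.
SAMPLE_WORDS = [
    "invigorate", "gargantuan", "colour", "lantern", "granite", "velvet",
    "tundra", "saffron", "quarry", "ember", "harbour", "meadow",
]


def keyspace_words(dictionary_size: int, num_words: int) -> int:
    """Distinct passphrases of num_words words drawn with replacement from the dictionary."""
    return dictionary_size ** num_words


def keyspace_chars(alphabet_size: int, length: int) -> int:
    """Distinct strings of `length` characters over an alphabet of alphabet_size symbols."""
    return alphabet_size ** length


def entropy_bits(keyspace: int) -> float:
    """Entropy in bits of a uniformly random choice from a keyspace of that size."""
    return math.log2(keyspace)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest number of uniformly random words whose keyspace reaches target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def random_passphrase(words: list[str], num_words: int) -> str:
    """Pick num_words words uniformly at random using a CSPRNG (secrets), never a user's memory."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    three_words = keyspace_words(10_000, 3)          # the post's 10^12
    eight_alnum = keyspace_chars(36, 8)              # the post's ~2.8 * 10^12
    print(f"3 words from 10,000: {three_words:.2e} ({entropy_bits(three_words):.1f} bits)")
    print(f"8 random [a-z0-9]:   {eight_alnum:.2e} ({entropy_bits(eight_alnum):.1f} bits)")
    print("words to match 8 alphanumerics:", words_needed(10_000, entropy_bits(eight_alnum)))
    print("sample passphrase:", random_passphrase(SAMPLE_WORDS, 3))
```

The numbers only hold when the words are drawn uniformly by the generator; a user-chosen phrase such as "three blind mice" is one of a small set of popular lines, not one of 10^12.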


