Re: Strong Passwords Revisited
From: Calvin Crumrine (nospam@example.net)
Date: 02/14/03
From: Calvin Crumrine <nospam@example.net> Date: Fri, 14 Feb 2003 10:20:41 -0900
Mimic wrote:
> note: from a psychology perspective, people remember 7 +/- 2 (5-9 chars).
> As for the 32/64 chars, this gives a much larger area for error, people may
> type their passwords in slower (risk: shoulder surfing)
> or still write them down, with a system that allows 3 invalid login attempts
> and the error margin in a 64 char password, people will probably end up
> getting locked out a lot, causing problems for the sysadmin and obscuring
> real attack attempts in any log files. And like ...Lawrence said, a
> memorable line is going to be a common/well known line.
Two other issues we deal with here are different aspects of password
expiration. If passwords expire too frequently then even the 'memorable'
line causes problems - users must come up with too many memorable lines &
often can't remember which is their current one.
If the password is to a system that is only used occasionally then it's
also difficult to remember. Using the same password doesn't help, unless
the user remembers to log into that occasional use system (or systems)
simply to change the password whenever they change their 'regular'
system password. And that seldom happens.
The result is that each time the user accesses that occasional use
system their password is expired. But to change it they must enter their
old password which is often their 'regular' password from about 3
changes back! Now the user must not only remember which 'memorable' line
is their current password, but also which ones were their last few
passwords. What a mess! No wonder they tend to write these down.
Don't have any solutions, but thought I'd throw out these problems for
consideration.