Re: Password Psychology

Booted Cat wrote:

[...] For example, a person
would usually use names or numbers in his daily life as part of his
password, such as a relative's birthday or phone number.

Having gathered enough social information about a person, we might have a high
success ratio in cracking a person's password.

This last paragraph is completely senseless --- well, depending on the
context; if you're talking about guessing the password in a very small
amount *of attempts*, then yes, you'd need some personal information to
guess. But if we're talking about guessing the password in a small
amount *of time*, then no need.

Precisely, people use birthdates (as an example) of their relatives
(presumably the currently alive relatives). Ok, so you do not need to
guess whose birthdate the person chose --- you don't need to go and
figure out if it was their spouse, or their younger child, or the
older child, or their niece, or uncle... No, you simply try all
possible birthdates --- in fact, you try *dates*; you don't even
care if it is a birthdate, or a wedding anniversary, or the day you
graduated, etc. There aren't that many! Only 365 each year, and
you should have very good odds if you try for the past 50 years;
100, if you want to cover most possibilities.

By the same token --- people also choose *names* of their relatives
or friends; you don't need to guess if the person is choosing the
name of their high school sweetheart, or their spouse, or the name of
their first grandchild --- you simply try names!!! If I was dumb
enough to use the name of my wife (under the mistaken logic that
"who would know that my wife's name is Anne, and who would guess
that I chose *my wife's name* as my password?"), then you will guess
it without having to know or guess that it is *my wife's name* the
one I chose for my password. Anne simply happens to be on the list
of 5000 names that you have.
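
Added example, not part of the original post: a password-change check that rejects the two categories the reply describes, date-shaped passwords and bare names, and computes how small the date space is. The function names, the set of date layouts and the four-entry name list are assumptions made for illustration.

```python
from datetime import date, datetime

# Assumed, non-exhaustive set of layouts in which people type dates.
DATE_FORMATS = ["%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%y%m%d"]
# Constructed stand-in for the "list of 5000 names" mentioned in the post.
SAMPLE_NAMES = {"anne", "john", "maria", "peter"}


def matching_date(password, years_back=100, today=None):
    """Return the calendar date a password encodes, or None."""
    today = today or date.today()
    digits = password.strip()
    for sep in "-/. ":
        digits = digits.replace(sep, "")
    if not digits.isdigit():
        return None
    for fmt in DATE_FORMATS:
        if len(digits) != (8 if "%Y" in fmt else 6):
            continue
        try:
            parsed = datetime.strptime(digits, fmt).date()
        except ValueError:
            continue  # not a valid day/month under this layout
        if "%y" in fmt and parsed > today:
            # Two-digit years can parse into the future; fold back a century.
            parsed = parsed.replace(year=parsed.year - 100)
        if parsed <= today and today.year - parsed.year <= years_back:
            return parsed
    return None


def date_guess_space(years_back=50, layouts=len(DATE_FORMATS)):
    """Upper bound on date-shaped passwords: 365 days x years x layouts."""
    return 365 * years_back * layouts


def weak_password_reason(password, names=SAMPLE_NAMES, today=None):
    """Return why a new password should be rejected, or None."""
    if password.strip().lower() in names:
        return "appears on the common-names list"
    hit = matching_date(password, today=today)
    if hit is not None:
        return f"is a calendar date ({hit.isoformat()})"
    return None
```

With one layout and 50 years the date space is 18,250 candidates; even with all six assumed layouts it stays near 110,000, which is why such passwords should be refused at the time they are set.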