Security Basics mailing list archives
Re: Linking Password Length to Write-down probability
From: Doug.Janelle () Thermo com
Date: Thu, 26 May 2005 16:09:40 -0400
It seems obvious that the longer/more complex the password, the more likely the user is to write it down, so I'm not sure that such a study would really yield any new insight.

What I've taken to doing is stressing the idea of a passphrase instead of a password, then using the initial letters of each word, and mixing caps/other characters as needed for complexity, so:

"My dog used to have fleas but he ate them"

becomes

"Mdu2Hfbh8T"

10 characters, rather than 8, upper-lower-numeric, but still a password the user can be reasonably expected to remember.

dcj2

Stian Øvrevåge <sovrevage () gmail com> on 05/26/2005 05:06:42 AM
Please respond to Stian Øvrevåge <sovrevage () gmail com>
To: security-basics () securityfocus com
cc: (bcc: Doug Janelle/Inc/Jouan)
Subject: Linking Password Length to Write-down probability
Good morning list!

I continually read papers which advertise increased password lengths (and outrageous complexity requirements) as The Solution(TM).

I work in a fairly large organization and I can safely acknowledge that even 8 character passwords with moderate complexity requirements are VERY prone to being written un-encrypted and un-hashed on Post-Its, and then safely contained, under the keyboard, or on the monitor. Which in my humble opinion is bordering on "stupid security".

I'm certain that there is a link between required password length and complexity and the probability of users taking the huge leap backwards and writing passwords down.

I've been doing a little Googling, but I can't seem to find any scientific analytical/statistical research done on this particular subject. Is anyone out there aware of any works done in this field? If not, is there anyone interested in conducting such a survey on behalf of the community?

Regards,
Stian