Re: Linking Password Length to Write-down probability

[Mihai Amarandei <mihai () xmcopartners com>]

One idea in order to avoid post-it-passwords could come from something 
like the password generator Nic Wolff developed.
It works for generating and quickly accessing passwords for various 
Internet sites/domains.

In order to use it you need to remember one main password with which the 
algorithm produces a different password for every single domain.
To achieve this,  it concatenates the main password with the site name 
and it produces the MD5 hash of the resulting string. Simple, efficient 
and safe.

Disadvantages of this method is that someone who knows your main 
password knows all your different passwords. On the other side users 
tend to use the same password anyway, so this kind of exposure is 
present with the standard approach as well. Also, in order to regenerate 
passwords at log-in, you will have to retype your master password and 
that could be annoying.

The advantage is a different and virtually impossible to guess password 
for every different site. This concept can easily be adapted to other 
situations and provides strong cryptographic passwords.

My opinion is that remembering and keeping to yourself a good main 
password, even a passphrase like for example "I will not read /. 
everyday", is not such a difficult task. Also, retyping this master 
passwords becomes less annoying after 10 or so times.

Nic's page (http://angel.net/~nic/passwd.html) provides a nice 
javascript for this and there are also bookmarklets available 
(http://chris.zarate.org/passwd.txt) in order to facilitate the process.

Mihai Amarandei-Stavila - Xmco Partners
Consultant Sécurité / Test d'intrusion
tel  : 33 1 47 34 68 61
web  : http://www.xmcopartners.com
Villa Gabrielle 75015 PARIS

Personal Blog http://secinternship.blogspot.com



Stian Øvrevåge wrote:

> God morning list!
>
> I continually read papers which advertise increased password lenghts (
> and outrageous complexity requirements ) as The Solution(TM). I work
> in a fairly large organization and I can safely acknowledge that even
> 8 character passwords with moderate complexity requirements are VERY
> prone to beeing written un-encrypted and un-hashed on Post-Its, and
> then safely contained, under the keyboard, or on the monitor. Which in
> my humble oppinion is bordering to "stupid security".
>
> I'm certain that there is a link between required password lenght and
> complexity and the probability of users taking the huge leap backwards
> and writing passwords down.
>
> I've been doing a little Googling, but I can't seem to find any
> scientific analytical/statistical research done on this particular
> subject. Is anyone out there aware of any works done in this field? If
> not, is there anyone intrested in conducting such a survey on the
> behalf of the community?
>
> Regards, Stian
>
>