Security Basics mailing list archives

Re: Linking Password Length to Write-down probability


From: Mark Burnett <mb () xato net>
Date: 27 May 2005 17:37:01 -0000

In-Reply-To: <20050527135957.21511.qmail () www securityfocus com>

There actually has been much research on what humans can memorize, and that is the basis for things like phone numbers 
and zip codes. If I recall correctly, most humans can easily remember 5-7 chunks of information.

Most people think that equates to a 5-7 character password but it could just as easily be a password composed of 5-7 
whole words.

There are also methods to make memorization easier, including patterns, using delimiters, personal connection, rhyme, 
tempo, meaning, offensiveness, humor, alliteration, palindromes, synonyms, antonyms, etc. 

If someone can memorize a line to a song, they certainly can handle a 5-7 word passphrase.

For example, how many users would have to write down a password like "Grandma has 2 hairy legs." That password 
certainly would meet even the most demanding company policy, likely will never appear on any wordlist, but it is easy 
to remember. Even better: "Grandma () 2-hairy-legs com"

The problem with most user passwords isn't the complexity or whether they write them down or not, it's that most people 
simply don't know how to create strong passwords that are easy to remember. 

If you are worried about users recording their passwords, which isn't a bad thing if done safely, then provide them 
with one of the many encrypted password storage utilities out there.

Another useful strategy is to teach users to select stronger passwords and don't force them to change the password so 
often. That way they will be more willing to put the effort into memorizing a very strong password.

If anyone is interested in participating in any password research, I am currently working on a book called Password 
Roullette through Syngress publishing due later this year that will teach users how to create strong passwords. I would 
love to have some real-world organizations participate.


Mark Burnett
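As an added illustration (not part of Mark Burnett's post), the following Python compares the guessing entropy of a short random password with that of a multi-word passphrase, counts the memorable "chunks" in a passphrase, and checks the post's example passwords against a typical composition policy. The 95-character alphabet, the 7776-word list size, the chunk delimiters and the policy thresholds are constructed assumptions.

```python
import math
import re

# Assumed alphabet sizes for uniformly random secrets (constructed, not from the post).
PRINTABLE_ASCII = 95   # upper + lower + digits + punctuation
DICEWARE_WORDS = 7776  # size of a common word list (6**5)

# Character classes a typical composition policy looks for.
POLICY_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Delimiters treated as chunk separators (assumption: space, punctuation used as glue).
CHUNK_SPLIT = re.compile(r"[\s\-_()./@]+")


def random_password_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy in bits of `length` characters chosen uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)


def random_passphrase_bits(words: int, wordlist: int = DICEWARE_WORDS) -> float:
    """Entropy in bits of `words` words chosen uniformly from a list of `wordlist` entries."""
    return words * math.log2(wordlist)


def chunk_count(passphrase: str) -> int:
    """Number of memorable chunks: delimiter-separated words or tokens."""
    return len([tok for tok in CHUNK_SPLIT.split(passphrase) if tok])


def policy_check(password: str, min_len: int = 8, min_classes: int = 3) -> dict:
    """Evaluate a password against a length-plus-character-class policy."""
    classes = [name for name, rx in POLICY_CLASSES.items() if rx.search(password)]
    return {
        "length": len(password),
        "classes": classes,
        "chunks": chunk_count(password),
        "compliant": len(password) >= min_len and len(classes) >= min_classes,
    }


if __name__ == "__main__":
    print("7 random chars:", round(random_password_bits(7), 1), "bits")
    print("5 random words:", round(random_passphrase_bits(5), 1), "bits")
    for pw in ("Grandma has 2 hairy legs.", "Grandma () 2-hairy-legs com", "grandma"):
        print(repr(pw), policy_check(pw))
```

The point the numbers make is the post's own: five words drawn from a modest list carry more entropy than seven random printable characters, and the sentence-style examples also satisfy a strict composition policy while staying within the 5-7 chunk range.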


