Security Basics mailing list archives
Re: Linking Password Length to Write-down probability
From: Mark Burnett <mb () xato net>
Date: 27 May 2005 17:37:01 -0000
In-Reply-To: <20050527135957.21511.qmail () www securityfocus com>

There actually has been much research on what humans can memorize, and that is the basis for things like phone numbers and zip codes. If I recall correctly, most humans can easily remember 5-7 chunks of information. Most people think that equates to a 5-7 character password, but it could just as easily be a password composed of 5-7 whole words. There are also methods to make memorization easier, including patterns, using delimiters, personal connection, rhyme, tempo, meaning, offensiveness, humor, alliteration, palindromes, synonyms, antonyms, etc. If someone can memorize a line to a song, they certainly can handle a 5-7 word passphrase.

For example, how many users would have to write down a password like "Grandma has 2 hairy legs."? That password certainly would meet even the most demanding company policy, likely will never appear on any wordlist, but it is easy to remember. Even better: "Grandma () 2-hairy-legs com"

The problem with most user passwords isn't the complexity or whether they write them down or not, it's that most people simply don't know how to create strong passwords that are easy to remember. If you are worried about users recording their passwords, which isn't a bad thing if done safely, then provide them with one of the many encrypted password storage utilities out there.

Another useful strategy is to teach users to select stronger passwords and don't force them to change the password so often. That way they will be more willing to put the effort into memorizing a very strong password.

If anyone is interested in participating in any password research, I am currently working on a book called Password Roulette through Syngress publishing due later this year that will teach users how to create strong passwords. I would love to have some real-world organizations participate.

Mark Burnett
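The "5-7 chunks" argument above can be put in numbers: if a chunk is one lowercase letter it contributes about 4.7 bits, while a chunk that is one word drawn from a 7776-word list contributes about 12.9 bits, so the same memory budget buys several times the entropy. The following Python script is an added example written for this archive page; it is not code from the original post or from Mark Burnett. The small word list and the 7776-entry dictionary size are constructed assumptions, and the entropy figures assume each chunk is chosen uniformly at random, which a human-composed phrase like the one in the message is not.

```python
import math
import secrets

# Constructed sample word list for the demo. A real list (e.g. a Diceware-style
# list) has thousands of entries; DICTIONARY_SIZE below assumes 7776 of them.
SAMPLE_WORDS = [
    "grandma", "hairy", "legs", "tempo", "rhyme", "palindrome",
    "humor", "delimiter", "song", "pattern", "alliteration", "antonym",
]
DICTIONARY_SIZE = 7776   # assumed size of a full word list (6 dice rolls)
ALPHABET_SIZE = 26       # one lowercase letter per chunk


def entropy_bits(chunks: int, choices_per_chunk: int) -> float:
    """Bits of entropy for a secret built from `chunks` independent picks,
    each drawn uniformly from `choices_per_chunk` options."""
    if chunks < 1 or choices_per_chunk < 2:
        raise ValueError("need at least one chunk and two choices per chunk")
    return chunks * math.log2(choices_per_chunk)


def compare_memory_budget(chunks: int,
                          alphabet_size: int = ALPHABET_SIZE,
                          dictionary_size: int = DICTIONARY_SIZE) -> dict:
    """Same number of memorised chunks, spent on letters vs. on whole words."""
    return {
        "chunks": chunks,
        "char_password_bits": round(entropy_bits(chunks, alphabet_size), 1),
        "word_passphrase_bits": round(entropy_bits(chunks, dictionary_size), 1),
    }


def generate_passphrase(words, chunks: int, separator: str = "-") -> str:
    """Pick `chunks` words with the OS CSPRNG (secrets), never random.choice.
    Duplicates in the list would skew the distribution, so reject them."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    if chunks < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(words) for _ in range(chunks))


if __name__ == "__main__":
    for n in (5, 6, 7):
        print(compare_memory_budget(n))
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
```

With the full 7776-word list, a six-chunk passphrase lands near 78 bits against roughly 28 bits for six lowercase letters; the demo list of twelve words is only there so the script runs offline, and passphrases generated from it are far too weak for real use.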
Current thread:
- RE: Linking Password Length to Write-down probability, (continued)
- RE: Linking Password Length to Write-down probability Andrew Aris (May 31)
- RE: Linking Password Length to Write-down probability Miguel Dilaj (May 27)
- Re: Linking Password Length to Write-down probability Nick Owen (May 30)
- Re: Linking Password Length to Write-down probability Mihai Amarandei (May 30)
- Re: Linking Password Length to Write-down probability Doug . Janelle (May 27)
- Re: Linking Password Length to Write-down probability Dan Tesch (May 30)
- RE: Linking Password Length to Write-down probability Bob Kurth (May 27)
- Re: Linking Password Length to Write-down probability John Blackley (May 27)
- RE: Linking Password Length to Write-down probability KWajda (May 30)
- Re: Linking Password Length to Write-down probability Doug . Janelle (May 30)
- Re: Linking Password Length to Write-down probability Mark Burnett (May 30)