Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice? (pafwert program)
From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Wed, 17 Mar 2010 23:43:53 +0000
Agreed, the default config is less than perfect, as are the dictionaries it comes with. The cool thing is you can customize it. Have a hospital? Add those long medical words they know to spell. :) Do the same for the different specialties. Add the custom rules to put the words together the way you want. You could even add a rule to demonstrate what not to do.

-Eric

------Original Message------
From: Brian Basgen
Sender: The EDUCAUSE Security Constituent Group Listserv
To: SECURITY () LISTSERV EDUCAUSE EDU
ReplyTo: The EDUCAUSE Security Constituent Group Listserv
Subject: Re: [SECURITY] Are users right in rejecting security advice? (pafwert program)
Sent: Mar 17, 2010 4:27 PM

Hi Eric,

On Mar 17, 2010, at 1:41 PM, Eric Case wrote:
<rant> I do not mean to offend anyone, but is that mindset the reason that users reject security advice? "The new password policy is more restrictive" vs. "the new password policy is simple; longer is better" (or whatever). When are we going to stop saying password and start saying passphrase? Long and 'simple' beats short and 'complex' every day. Has everyone seen Pafwert http://xato.net/bl/2007/01/30/pafwert-smarter-passwords? </rant>

-Eric
I think the premise behind Pafwert is very incorrect. Most of the examples he provides of "strong" passwords are dictionary words with periods. This results in extremely low randomness (e.g. on the order of regular English text). Honestly, it seems like he may have created this program tongue in cheek? His "strong" passwords include examples like "Dr. Abcd" (http://xato.net/img/PafwertScreen1.jpg). This is actually a pretty good example of how people will create passwords with incredibly low entropy while thinking they have a clever and strong password.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873
Sent via BlackBerry by AT&T
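
The entropy question argued in this thread can be put in numbers. The following is an added example, not part of the original messages and not Pafwert's code: it compares a character-class strength estimate for "Dr. Abcd" with the entropy an attacker faces when the generating template is known. The pool sizes are constructed assumptions, not Pafwert's real dictionaries.

```python
import math
import string

# Constructed pool sizes: assumptions for illustration, not Pafwert's real dictionaries.
TITLES = 8            # "Dr.", "Mr.", "Ms.", ...
COMMON_WORDS = 2000   # small everyday-word list
LARGE_WORDS = 50000   # large customised list (e.g. with medical terms added)
PRINTABLE = 94        # printable ASCII without space


def template_bits(pool_sizes):
    """Bits of entropy when one item is drawn uniformly and independently
    from each pool. This is what an attacker who knows the generator faces."""
    return sum(math.log2(n) for n in pool_sizes)


def naive_meter_bits(password):
    """Character-class estimate: length * log2(size of the classes present).
    It assumes every character is random, which is false for dictionary words."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation, " "]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def report():
    """Return the estimates, in bits, for the cases discussed in the thread."""
    return {
        "'Dr. Abcd' by character classes": naive_meter_bits("Dr. Abcd"),
        "title + common word (generator known)": template_bits([TITLES, COMMON_WORDS]),
        "8 random printable characters": template_bits([PRINTABLE] * 8),
        "4 random words from large list": template_bits([LARGE_WORDS] * 4),
    }


if __name__ == "__main__":
    for label, bits in report().items():
        print(f"{label:42s} {bits:5.1f} bits")
```

The word-based figures hold only when the generator picks each word uniformly at random; phrases chosen by a person carry less entropy than the pool sizes suggest.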