Educause Security Discussion mailing list archives
Re: Student paper "editorial" on robust passwords
From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Thu, 23 Sep 2004 12:39:45 -0500
more robust = less secure? How's that? The attached Cambridge study on passwords and mnemonic devices disproves a lot of the misconceptions regarding complex passwords, including that they are too hard to remember and will be written down more frequently/longer.

From an anecdotal standpoint, I've also found that after I've keyed in a complex password for 2-3 weeks, I don't even think about it anymore; my fingers take over. Using a phrase such as "My 32 year old son's name is Robert" and adding in a special character such as "m32yos#nir" makes it both complex and easy to remember.

Bryan Lucas
Lead Server Administrator
Texas Christian University
(817) 257-6971

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Wall @ Yozons, Inc.
Sent: Thursday, September 23, 2004 11:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student paper "editorial" on robust passwords

The more robust the password policy, often the less secure the system becomes. It is funny to see that the policy is so onerous, but they end with the note, "You can also help to protect your own identity by not giving your password away to others." Therein lies the rub. And with such hard to remember passwords, you can be sure they'll be written down.

It's also funny that they remember the previous 10 passwords, but then don't require a user to change their password, so users will never change their passwords. The question I'd like to know is how they store those 10 passwords they've remembered. We'll probably find they are simply stored in the clear in the database <wink>

David

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Attachment: CambridgePWStudy.pdf
Current thread:
- Student paper "editorial" on robust passwords Dan Updegrove (Sep 23)
- <Possible follow-ups>
- Re: Student paper "editorial" on robust passwords David Wall @ Yozons, Inc. (Sep 23)
- Re: Student paper "editorial" on robust passwords Gordon D. Wishon (Sep 23)
- Re: Student paper "editorial" on robust passwords Lucas, Bryan (Sep 23)
- Re: Student paper "editorial" on robust passwords Ron Parker (Sep 23)
- Re: Student paper "editorial" on robust passwords Arlene Yetnikoff (Sep 23)
- Re: Student paper "editorial" on robust passwords Lucas, Bryan (Sep 23)
- Re: Student paper "editorial" on robust passwords Ryan Matteson (Sep 23)
- Re: Student paper "editorial" on robust passwords David Wall @ Yozons, Inc. (Sep 23)
- Re: Student paper "editorial" on robust passwords David L. Wasley (Sep 24)
- Re: Student paper "editorial" on robust passwords Kevin Shalla (Sep 24)