Educause Security Discussion mailing list archives

Re: Stats re: passwords


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Fri, 16 Oct 2009 18:02:13 -0400

On Fri, 16 Oct 2009 16:27:41 CDT, Willis Marti said:
> During a recent password audit, it was found that one user was using the
> following password:  MickeyMinniePlutoHueyLouieDeweyDonaldGoofy

I call shenanigans.  *How* exactly was this found out?  What password cracker
would actually try that combo - and not run so slowly trying all *other*
similar length password/phrase combos that it would be useless?

> When asked why such a big password, the user said that it had to be at least
> 8 characters long.

It *does* make for a good story though. ;)

The problem is that good stories usually end up growing up to become urban
legends, and then somebody sets policy based on it, without any real thought
about things like "is it really plausible to break a 40+ character password in
realistic time?".

This is probably a good time to suggest that everybody go back and re-read Gene
Spafford's blog postings on forced expiration/changing of passwords, and the
threat models it used to defend against, and the actual threat models we face
now.  A keystroke logger doesn't care about password complexity rules....
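The question raised above, whether a 40+ character password is breakable in realistic time, comes down to how much entropy the password actually carries, not how long it is. The following is an added worked example (not part of the original post or thread): it compares the expected offline cracking time of an 8-character random password with that of the 42-character string from the story, once treated as random letters and once as eight names drawn from a small vocabulary. The vocabulary size of 50 names and the guess rate of 10^10 per second are assumptions chosen for illustration.

```python
import math

PRINTABLE_ASCII = 95            # symbols a random password can draw from
LETTERS_ONLY = 52               # upper- and lower-case letters
GUESSES_PER_SECOND = 1e10       # assumed offline guess rate against a fast, unsalted hash (illustrative)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_random_chars(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)

def entropy_word_sequence(word_count: int, vocabulary_size: int) -> float:
    """Entropy in bits of `word_count` words drawn uniformly (with replacement) from a vocabulary."""
    return word_count * math.log2(vocabulary_size)

def expected_crack_years(entropy_bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected years to find the password: on average half the keyspace is searched."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR

def compare_policies() -> dict:
    """Crack-time estimates for the cases discussed in the thread."""
    sample = "MickeyMinniePlutoHueyLouieDeweyDonaldGoofy"   # the password from the story (42 chars)
    return {
        # the minimum the policy asked for: 8 random printable characters
        "eight_random_chars": expected_crack_years(entropy_random_chars(8)),
        # the sample if a cracker knew nothing and treated it as 42 random letters
        "sample_as_random_letters": expected_crack_years(entropy_random_chars(len(sample), LETTERS_ONLY)),
        # the sample if a cracker knew it was 8 names from an assumed 50-name list
        "sample_as_8_of_50_names": expected_crack_years(entropy_word_sequence(8, 50)),
    }

if __name__ == "__main__":
    for case, years in compare_policies().items():
        print(f"{case}: {years:.3g} years")
```

Two things fall out of the numbers. Treated as random letters, the 42-character string is out of reach of any brute-force search (hundreds of bits of entropy), which is the point about the story's plausibility; treated as eight names from a short list it carries fewer bits than eight random printable characters, so its strength depends entirely on whether the cracker is tuned to that structure. Neither figure matters once the password is captured by a keystroke logger, which is why policy should be set against the threat model actually faced rather than against the cracker of a good story.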
