Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice?
From: Justin Azoff <JAzoff () UAMAIL ALBANY EDU>
Date: Wed, 17 Mar 2010 17:35:38 -0400
On Wed, Mar 17, 2010 at 01:41:52PM -0700, Eric Case wrote:
<rant> I do not mean to offend anyone, but is that mindset the reason that users reject security advice? "The new password policy is more restrictive" vs. "the new password policy is simple; longer is better" (or whatever). When are we going to stop saying password and start saying passphrase? Long and 'simple' beats short and 'complex' every day. Has everyone seen Pafwert http://xato.net/bl/2007/01/30/pafwert-smarter-passwords? </rant> -Eric
speaking of 'complex'...

Combinatorics was never a strong subject for me, but I'm pretty sure that having both a short minimum required length (like 8) and 'special' character requirements actually decreases the security of a password. Especially when additional requirements like "the special character can not be the first or last character" are added. As long as a user isn't going to use a dictionary word, forcing them to use a number or a special character will decrease the number of possible passwords.

Furthermore, not all special characters are used equally. I had the list of 1 million+ passwords that was leaked in that MySpace related incident a while back. I finally took a look at it to confirm a hunch I had, which was that when a number or special character is required most users will use 0, 1, !, @. Filtering out passwords that don't have any letters (which tend to be phone numbers and things like !@#$%^&*), the character frequencies are:

  count    char
  4311399  1
  3047197  2
  2912554  0
  2015274  9
  2002411  3
  1665517  8
  1647072  4
  1526430  5
  1508622  7
  1453701  6
   238435  .
   189902  _
   140388  !
   117390  -
   108022  *
   104680  @
    46974  #
    35110  /
    34576  $
    29025  ,
    26736  \
    26324  &
    23644  =
    21949  +
    17965  ?
    17646  )
    15802  (
    15124  '
    12299  ;
    11551  "
    10930  <
    10490  ]
     9798  %
     8038  ~
     7940  :
     7466  [
     5612  ^
     4930  `
     3416  >
     1024  {
      905  }

So the chance of the 'digit' being a '1' is almost 3 times it being a '6'. The chance of the 'special' character being a '.' is 13 times it being a '?'. Also interesting that the digit frequencies almost follow a pattern of 10 29 38 47 56.

I don't think it should come as a surprise that things like '1password!' or '123456789!@#$%^&*(' end up being the most common passwords.

Do any sites out there actually have a 'password' policy that is simply 'minimum length: 16'? Is there any research out there that shows that a 'complex' 8 character password is more secure or easier to remember than a 16 character passphrase?

I don't know of any reason to still be using short 'complex' passwords other than that some old systems did not support passwords longer than 8 characters.

-- 
-- Justin Azoff
-- Network Security & Performance Analyst
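As an added example that is not part of the post, the arithmetic behind its two claims: inclusion-exclusion for the composition rules (with and without the "no special at the ends" rule), and the entropy of the digit choices from the counts quoted above. The character-class sizes (52 letters, 10 digits, 32 specials) are assumptions.

```python
from math import log2

# Assumed class sizes: 52 letters, 10 digits, 32 printable specials (94 total).
LETTERS, DIGITS, SPECIALS = 52, 10, 32
FULL = LETTERS + DIGITS + SPECIALS

# Digit counts as tallied in the post (entered here by hand).
DIGIT_COUNTS = {'1': 4311399, '2': 3047197, '0': 2912554, '9': 2015274,
                '3': 2002411, '8': 1665517, '4': 1647072, '5': 1526430,
                '7': 1508622, '6': 1453701}
SPECIAL_COUNTS = {'.': 238435, '?': 17965}  # the two the post compares

def keyspace_bits(length, alphabet_size):
    """Bits of keyspace when every position is drawn freely from the alphabet."""
    return length * log2(alphabet_size)

def complex_policy_count(length, no_special_at_ends=False):
    """Passwords of `length` over FULL with >= 1 digit and >= 1 special.
    Inclusion-exclusion: all - (no digit) - (no special) + (neither).
    With no_special_at_ends=True the first/last positions exclude specials,
    so the required special must fall in one of the length-2 middle slots."""
    ends = FULL - SPECIALS if no_special_at_ends else FULL
    mid = length - 2
    total = ends ** 2 * FULL ** mid
    no_digit = (ends - DIGITS) ** 2 * (FULL - DIGITS) ** mid
    no_special = (LETTERS + DIGITS) ** length   # no special anywhere
    neither = LETTERS ** length                 # letters only
    return total - no_digit - no_special + neither

def shannon_bits(counts):
    """Entropy of the observed choice distribution; a uniform choice over n
    symbols would give log2(n), so the gap is what user habit gives away."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values() if c)

def policy_bits_lost(length=8, no_special_at_ends=False):
    """How many bits the composition rule removes versus free choice over FULL."""
    return keyspace_bits(length, FULL) - log2(complex_policy_count(length, no_special_at_ends))

if __name__ == "__main__":
    print(f"8 chars, any of 94: {keyspace_bits(8, FULL):.1f} bits")
    print(f"8 chars, digit+special required: -{policy_bits_lost():.2f} bits")
    print(f"8 chars, ... and no special at ends: -{policy_bits_lost(8, True):.2f} bits")
    print(f"16 chars, lowercase only: {keyspace_bits(16, 26):.1f} bits")
    print(f"digit choice entropy: {shannon_bits(DIGIT_COUNTS):.2f} of {log2(10):.2f} bits")
    print(f"'1' is {DIGIT_COUNTS['1'] / DIGIT_COUNTS['6']:.2f}x as common as '6'")
```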