Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice? (pafwert program)


From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Wed, 17 Mar 2010 23:43:53 +0000

Agreed, the default config is less than perfect, as are the dictionaries it comes with.  The cool thing is you can 
customize it. Have a hospital?  Add those long medical words they know how to spell. :). Do the same for the different 
specialties. Add the custom rules to put the words together the way you want. You could even add a rule to demonstrate 
what not to do. 
-Eric


------Original Message------
From: Brian Basgen
Sender: The EDUCAUSE Security Constituent Group Listserv
To: SECURITY () LISTSERV EDUCAUSE EDU
ReplyTo: The EDUCAUSE Security Constituent Group Listserv
Subject: Re: [SECURITY] Are users right in rejecting security advice? (pafwert program)
Sent: Mar 17, 2010 4:27 PM

Hi Eric,

On Mar 17, 2010, at 1:41 PM, Eric Case wrote:
<rant>
I do not mean to offend anyone, but is that mindset the reason that users
reject security advice?  "The new password policy is more restrictive" vs.
"the new password policy is simple; longer is better" (or whatever).  When
are we going to stop saying password and start saying passphrase?  Long and
'simple' beats short and 'complex' every day.  Has everyone seen Pafwert
http://xato.net/bl/2007/01/30/pafwert-smarter-passwords?
</rant>
-Eric

I think the premise behind Pafwert is very incorrect. Most of the examples he provides of "strong" passwords are 
dictionary words with periods. This results in extremely low randomness (e.g. on the order of regular English text). 

Honestly, it seems like he may have created this program tongue-in-cheek? His "strong" passwords include examples like 
"Dr. Abcd" (http://xato.net/img/PafwertScreen1.jpg). This is actually a pretty good example of how people will create 
passwords with incredibly low entropy while thinking they have a clever and strong password.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873



Sent via BlackBerry by AT&T
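Worked example, added here and not part of the thread or of the Pafwert program: a Pafwert-style rule that fills slots from customizable word lists, with the entropy of the rule computed from the size of its choice space rather than from how long or "complex" the output looks. The title and word lists are constructed for the example; the 95-character and 7776-word figures are the printable ASCII count and the Diceware list size, assumed here as reference points.

```python
import math
import secrets

# Constructed sample lists (assumptions for the example, not Pafwert's own dictionaries).
TITLES = ["Dr.", "Mr.", "Ms.", "Prof."]
WORDS = ["aorta", "biopsy", "cardiac", "dialysis", "embolism", "fistula",
         "glucose", "hepatic", "ischemia", "jaundice", "keratin", "lumbar",
         "myeloma", "necrosis", "oncology", "pleural"]


def rule_entropy_bits(choice_counts):
    """Entropy in bits of a rule that picks independently and uniformly from each
    slot; only the number of equally likely outputs matters, not output length."""
    return sum(math.log2(n) for n in choice_counts)


def pattern_password(slots, separator=" "):
    """Generate one password from a rule: one uniform pick per slot (secrets, not
    random, so picks are unpredictable)."""
    return separator.join(secrets.choice(slot) for slot in slots)


def compare_schemes(wordlist_size=7776, word_count=5):
    """Bits of entropy for a 'Dr. Abcd'-style rule versus two alternatives:
    8 random printable ASCII characters and a passphrase of random words."""
    return {
        "title + word (e.g. 'Dr. Abcd')": rule_entropy_bits([len(TITLES), len(WORDS)]),
        "8 random printable chars": rule_entropy_bits([95] * 8),
        f"{word_count} random words from {wordlist_size}-word list":
            rule_entropy_bits([wordlist_size] * word_count),
    }


if __name__ == "__main__":
    print("sample from title+word rule:", pattern_password([TITLES, WORDS]))
    for scheme, bits in compare_schemes().items():
        print(f"{bits:6.1f} bits  {scheme}")
```

Even a title+word rule backed by a 100,000-word medical dictionary reaches only about 18.6 bits (4 titles times 100,000 words); the output reads as a clever phrase, but its choice space is tiny compared with a few random words.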
