Educause Security Discussion mailing list archives
Re: password vs pass-phrase (was: Are users right in rejecting security advice?)
From: Charles Buchholtz <chip+educause () SEAS UPENN EDU>
Date: Thu, 18 Mar 2010 13:54:00 -0400
On Thu, Mar 18, 2010 at 09:57:11AM -0700, Eric Case wrote:
I call them pass-acronyms:
I picked this one from your list:
Tmb50w2lyl There must be fifty ways, To leave your lover - Paul Simon, 50 Ways To Leave Your Lover
Google came back with two hits - the second hit was in "honestforum.com", in response to the question, "so, what's the password for your HF account?", dated 03-07-2008. I think it's safe to assume that the black-hats are trying it.

The pass-acronym method is decades old. 20 years ago I recommended it to our users as a good way to come up with "unguessable" passwords. Fifteen years ago I stopped recommending it, because it had become "too common".

Like anything, it works if you pick something unusual, but song titles, catch phrases, etc are not safe.

--- Chip

Charles H. Buchholtz
Director of Systems Programming
chip () seas upenn edu
School of Engineering and Applied Science
http://www.seas.upenn.edu/~chip
University of Pennsylvania
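One way a password-change check could reject pass-acronyms derived from well-known phrases, the weakness the message above describes. This is an added example, not part of the original post; the substitution table, the function names and the second phrase in the sample list are assumptions constructed for illustration.

```python
import re
from itertools import product

# Digit substitutions people commonly make for number words and homophones.
# Assumed table for this sketch, not exhaustive.
SUBSTITUTIONS = {
    "one": "1", "two": "2", "to": "2", "too": "2", "three": "3",
    "four": "4", "for": "4", "five": "5", "six": "6", "seven": "7",
    "eight": "8", "ate": "8", "nine": "9", "ten": "10", "fifty": "50",
}

def acronym_variants(phrase, max_words=16):
    """Return every lowercase pass-acronym derivable from the phrase."""
    words = re.findall(r"[a-z0-9]+", phrase.lower().replace("'", ""))
    choices = []
    for word in words[:max_words]:  # cap length to bound the 2^k expansion
        options = {word[0]}
        if word in SUBSTITUTIONS:
            options.add(SUBSTITUTIONS[word])
        if word.isdigit():
            options.add(word)  # a literal "50" may be kept whole
        choices.append(sorted(options))
    return {"".join(combo) for combo in product(*choices)}

def build_blocklist(phrases):
    """Map each derived acronym back to the phrase it came from."""
    blocked = {}
    for phrase in phrases:
        for variant in acronym_variants(phrase):
            blocked.setdefault(variant, phrase)
    return blocked

def check_password(password, blocklist):
    """Return the source phrase if the password is a known pass-acronym, else None."""
    # Case and punctuation are ignored so "Tmb50w2lyl!" is still caught.
    key = re.sub(r"[^a-z0-9]", "", password.lower())
    return blocklist.get(key)

# First phrase is the lyric quoted in the message; the second is constructed.
KNOWN_PHRASES = [
    "There must be fifty ways, To leave your lover",
    "To be or not to be, that is the question",
]
BLOCKLIST = build_blocklist(KNOWN_PHRASES)

if __name__ == "__main__":
    for candidate in ("Tmb50w2lyl", "2bon2btitq!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, BLOCKLIST))
```

In practice the phrase list would come from a corpus of lyrics, quotations and catch phrases, and the check would sit alongside a breached-password lookup rather than replace it.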