RE: Linking Password Length to Write-down probability

["Ryan Platt" <ldhsystem () earthlink net>]

Try this: http://www.baselinemag.com/article2/0,1397,1744120,00.asp

It gives a nice overview of the time/productivity lost when dealing with
passwords.




-----Original Message-----
From: Stian Øvrevåge [mailto:sovrevage () gmail com] 
Sent: Thursday, May 26, 2005 5:07 AM
To: security-basics () securityfocus com
Subject: Linking Password Length to Write-down probability

God morning list!

I continually read papers which advertise increased password lenghts (
and outrageous complexity requirements ) as The Solution(TM). I work
in a fairly large organization and I can safely acknowledge that even
8 character passwords with moderate complexity requirements are VERY
prone to beeing written un-encrypted and un-hashed on Post-Its, and
then safely contained, under the keyboard, or on the monitor. Which in
my humble oppinion is bordering to "stupid security".

I'm certain that there is a link between required password lenght and
complexity and the probability of users taking the huge leap backwards
and writing passwords down.

I've been doing a little Googling, but I can't seem to find any
scientific analytical/statistical research done on this particular
subject. Is anyone out there aware of any works done in this field? If
not, is there anyone intrested in conducting such a survey on the
behalf of the community?

Regards, Stian