Security Basics mailing list archives

Re: Linking Password Length to Write-down probability


From: Doug.Janelle () Thermo com
Date: Thu, 26 May 2005 16:09:40 -0400



It seems obvious that the longer/more complex the
password, the more likely the user is to write it down,
so I'm not sure that such a study would really yield any
new insight. What I've taken to doing is stressing the idea
of a passphrase instead of a password, then using the
initial letters of each word, and mixing caps/other characters
as needed for complexity, so:

"My dog used to have fleas but he ate them" becomes "Mdu2Hfbh8T"

10 characters, rather than 8, upper-lower-numeric, but still a
password the user can be reasonably expected to remember.

dcj2
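The passphrase-initials scheme Doug describes, written out as an added Python example (this is not code from the original post). The homophone-to-digit table and the "capitalise every fifth word" rule are my assumptions, chosen so that the author's own sentence reproduces the author's own result; the policy check and the nominal key-space figure are added for comparison with the 8-character baseline the thread discusses.

```python
"""Derive a password from the initials of a passphrase and check it.

Added example; the derivation rules below are assumptions, not the
poster's exact procedure.
"""
import math
import re
import string

# Assumed homophone substitutions: the post only shows "to" -> 2 and "ate" -> 8.
HOMOPHONE_DIGITS = {
    "to": "2", "too": "2", "two": "2",
    "for": "4", "four": "4",
    "ate": "8", "eight": "8",
    "one": "1", "won": "1",
}
CAPITALISE_EVERY = 5  # assumed rule: every 5th word contributes an upper-case letter


def passphrase_to_password(phrase: str) -> str:
    """Take the first letter of each word, keeping the case as written,
    swap homophones for digits, and upper-case every CAPITALISE_EVERY-th word."""
    words = re.findall(r"[A-Za-z']+", phrase)
    out = []
    for position, word in enumerate(words, start=1):
        lowered = word.lower()
        if lowered in HOMOPHONE_DIGITS:
            out.append(HOMOPHONE_DIGITS[lowered])
        elif position % CAPITALISE_EVERY == 0:
            out.append(word[0].upper())
        else:
            out.append(word[0])  # case as typed in the phrase
    return "".join(out)


def character_classes(password: str) -> dict:
    """Which of the four usual character classes the password contains."""
    return {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def meets_policy(password: str, min_length: int = 8, min_classes: int = 3) -> bool:
    """A typical 'length plus N classes' policy (thresholds are assumed defaults)."""
    classes_present = sum(character_classes(password).values())
    return len(password) >= min_length and classes_present >= min_classes


def nominal_keyspace_bits(password: str) -> float:
    """log2 of the brute-force key space for this length over the classes present.
    This is the figure policies implicitly rely on; it overstates the strength of
    a password derived from a guessable phrase, since the phrase, not the
    character set, is what an attacker would have to guess."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    alphabet = sum(sizes[name] for name, present in character_classes(password).items() if present)
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    # The sentence from the post; constructed output shown for illustration.
    sample = "My dog used to have fleas but he ate them"
    pw = passphrase_to_password(sample)
    print(pw, meets_policy(pw), round(nominal_keyspace_bits(pw), 1))
```

The key-space number is only the nominal strength a "length and classes" policy measures; a phrase that is a well-known quote or song lyric is a far smaller search space than the character count suggests, so the phrase should be the user's own, not a famous line.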

Stian Øvrevåge <sovrevage () gmail com> on 05/26/2005 05:06:42 AM

Please respond to Stian Øvrevåge <sovrevage () gmail com>

To:   security-basics () securityfocus com
cc:    (bcc: Doug Janelle/Inc/Jouan)

Subject:  Linking Password Length to Write-down probability
Good morning list!

I continually read papers which advertise increased password lengths (
and outrageous complexity requirements ) as The Solution(TM). I work
in a fairly large organization and I can safely acknowledge that even
8 character passwords with moderate complexity requirements are VERY
prone to being written un-encrypted and un-hashed on Post-Its, and
then safely contained, under the keyboard, or on the monitor. Which in
my humble opinion is bordering on "stupid security".

I'm certain that there is a link between required password length and
complexity and the probability of users taking the huge leap backwards
and writing passwords down.

I've been doing a little Googling, but I can't seem to find any
scientific analytical/statistical research done on this particular
subject. Is anyone out there aware of any works done in this field? If
not, is there anyone interested in conducting such a survey on
behalf of the community?

Regards, Stian
