Security Basics mailing list archives

Re: Linking Password Length to Write-down probability


From: Gonzalo Martinez <karmax () gmail com>
Date: Thu, 26 May 2005 17:46:03 -0300

Hi Stian

A few days ago I read a post at slashdot:

"Microsoft's senior program manager for security policy, Jesper
Johansson, presents a provocative but interesting view on password
policy: He claims that prohibiting users from writing down their
passwords is bad for security. His main point is that if users are
prohibited from writing down their passwords, they will use the same
easy to guess password everywhere." From the article: "Since not all
systems allow good passwords, I am going to pick a really crappy one,
use it everywhere and never change it...If I write them down and then
protect the piece of paper--or whatever it is I wrote them down
on--there is nothing wrong with that. That allows us to remember more
passwords and better passwords."
http://it.slashdot.org/article.pl?sid=05/05/24/2047228&tid=172

IMHO as a good BOFH you _MUST_ require that all employees use an
alphanumeric password (8 or 10 chars minimum)... if they don't, their
emails, files, or anything else can be redirected to /dev/null ;)
No, seriously, I never heard of a "scientific analytical/statistical
research" about this subject.
But take a look at the post on slashdot

good bye

-- 
Gonzalo Martinez

On 5/26/05, Stian Øvrevåge <sovrevage () gmail com> wrote:
Good morning list!

I continually read papers which advertise increased password lengths (
and outrageous complexity requirements ) as The Solution(TM). I work
in a fairly large organization and I can safely acknowledge that even
8 character passwords with moderate complexity requirements are VERY
prone to being written un-encrypted and un-hashed on Post-Its, and
then safely contained, under the keyboard, or on the monitor. Which in
my humble opinion is bordering on "stupid security".

I'm certain that there is a link between required password length and
complexity and the probability of users taking the huge leap backwards
and writing passwords down.

I've been doing a little Googling, but I can't seem to find any
scientific analytical/statistical research done on this particular
subject. Is anyone out there aware of any works done in this field? If
not, is there anyone interested in conducting such a survey on the
behalf of the community?

Regards, Stian
