Security Basics mailing list archives
RE: Linking Password Length to Write-down probability
From: "Bob Kurth" <Bob.Kurth () fcserv com>
Date: Fri, 27 May 2005 08:33:05 -0500
Stian: I have also been looking into this particular subject for differing reasons. I want to increase length and complexity requirements at my place of business, but management seems to think their employees are not smart enough to meet the task. From what I have been seeing in my googling, the consensus appears to be to move to the pass-phrase rather than a more complex password. Of course, a really good pass-phrase would meet all those complexity requirements (alphas, numerics, and special characters). Most of the Operating and Networking systems out there support moving to a string up to 128 characters long. The link below is another good source reference for this, but doesn't really answer your query of whether or not there have been studies comparing the length and complexity requirements to the probability of the end user writing their password down. http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf Robert Kurth, CISSP -----Original Message----- From: Stian Øvrevåge [mailto:sovrevage () gmail com] Sent: Thursday, May 26, 2005 4:07 AM To: security-basics () securityfocus com Subject: Linking Password Length to Write-down probability God morning list! I continually read papers which advertise increased password lenghts ( and outrageous complexity requirements ) as The Solution(TM). I work in a fairly large organization and I can safely acknowledge that even 8 character passwords with moderate complexity requirements are VERY prone to beeing written un-encrypted and un-hashed on Post-Its, and then safely contained, under the keyboard, or on the monitor. Which in my humble oppinion is bordering to "stupid security". I'm certain that there is a link between required password lenght and complexity and the probability of users taking the huge leap backwards and writing passwords down. I've been doing a little Googling, but I can't seem to find any scientific analytical/statistical research done on this particular subject. Is anyone out there aware of any works done in this field? If not, is there anyone intrested in conducting such a survey on the behalf of the community? Regards, Stian
Current thread:
- Linking Password Length to Write-down probability Stian Øvrevåge (May 26)
- RE: Linking Password Length to Write-down probability Ryan Platt (May 27)
- Re: Linking Password Length to Write-down probability Gonzalo Martinez (May 27)
- Re: Linking Password Length to Write-down probability Nick Owen (May 30)
- RE: Linking Password Length to Write-down probability Andrew Aris (May 31)
- Re: Linking Password Length to Write-down probability Nick Owen (May 30)
- RE: Linking Password Length to Write-down probability Miguel Dilaj (May 27)
- Re: Linking Password Length to Write-down probability Nick Owen (May 30)
- Re: Linking Password Length to Write-down probability Mihai Amarandei (May 30)
- <Possible follow-ups>
- Re: Linking Password Length to Write-down probability Doug . Janelle (May 27)
- Re: Linking Password Length to Write-down probability Dan Tesch (May 30)
- RE: Linking Password Length to Write-down probability Bob Kurth (May 27)
- Re: Linking Password Length to Write-down probability John Blackley (May 27)
- RE: Linking Password Length to Write-down probability KWajda (May 30)
- Re: Linking Password Length to Write-down probability Doug . Janelle (May 30)
- Re: Linking Password Length to Write-down probability Mark Burnett (May 30)