Educause Security Discussion mailing list archives

Re: Student paper "editorial" on robust passwords


From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Thu, 23 Sep 2004 12:39:45 -0500

more robust = less secure?  How's that?
 
The attached Cambridge study on passwords and mnemonic devices disproves
a lot of the misconceptions regarding complex passwords, including that
they are too hard to remember and will be written down more
frequently/longer.

From an anecdotal standpoint, I've also found that after I've keyed in a
complex password for 2-3 weeks, I don't even think about it anymore; my
fingers take over.
 
Using a phrase such as "My 32 year old son's name is Robert" and adding
in a special character such as "m32yos#nir" makes it both complex and
easy to remember.
 
Bryan Lucas
Lead Server Administrator
Texas Christian University
(817) 257-6971

        -----Original Message-----
        From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Wall @ Yozons, Inc.
        Sent: Thursday, September 23, 2004 11:50 AM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: Re: [SECURITY] Student paper "editorial" on robust passwords

        The more robust the password policy, often the less secure the
        system becomes.  It is funny to see that the policy is so onerous,
        but they end with the note, "You can also help to protect your own
        identity by not giving your password away to others."  Therein lies
        the rub.  And with such hard to remember passwords, you can be sure
        they'll be written down.  It's also funny that they remember the
        previous 10 passwords, but then don't require a user to change
        their password, so users will never change their passwords.  The
        question I'd like to know is how they store those 10 passwords
        they've remembered.  We'll probably find they are simply stored in
        the clear in the database <wink>

        David

        ********** Participation and subscription information for this
        EDUCAUSE Discussion Group discussion list can be found at
        http://www.educause.edu/groups/.



Attachment: CambridgePWStudy.pdf
Description: CambridgePWStudy.pdf
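
On the question raised in the quoted message of how the 10 remembered passwords are stored, here is an added example (not part of the original thread or of any system it describes) of a password history that keeps only salted PBKDF2 digests and still rejects reuse. The class name, record layout and work factor are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 10     # the policy discussed in the thread remembers 10 passwords
ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor; tune per hardware


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted one-way digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PasswordHistory:
    """One user's last N passwords as (salt, iterations, digest); no cleartext."""

    def __init__(self, depth: int = HISTORY_DEPTH, iterations: int = ITERATIONS):
        self._records = deque(maxlen=depth)   # oldest record drops off automatically
        self._iterations = iterations

    def was_used(self, candidate: str) -> bool:
        reused = False
        for salt, iterations, digest in self._records:
            # Re-derive under each record's own salt; compare in constant time.
            if hmac.compare_digest(derive(candidate, salt, iterations), digest):
                reused = True
        return reused

    def set_password(self, new_password: str) -> bool:
        """Store the new password's digest; return False if it is still in history."""
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)   # fresh salt per record
        digest = derive(new_password, salt, self._iterations)
        self._records.append((salt, self._iterations, digest))
        return True

    def stored_records(self) -> list:
        """What a database row would hold for this user."""
        return list(self._records)
```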

