Educause Security Discussion mailing list archives

Re: Password entropy


From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Wed, 19 Jul 2006 14:51:25 -0500

At 02:22 PM 7/19/2006, David Gillett put fingers to keyboard and wrote:
> Stronger?  Probably not.  *All other things being equal*, length
> almost certainly trumps complexity.
>
> More effective?  Sure.  It's a lot less typing, which makes it
> easier to get the human to *use* it.  And it resists most of the
> possible attacker shortcuts that the use of English words and
> grammar subjects the longer phrase to (which effectively shorten
> the long phrase).
>
> Some fraction of what I lose on length, I make back on complexity,
> and a really strong password that people won't use doesn't do any good.

OK, let's say I agree with what you say.  Now I know from experience
that users hate complicated passphrases.  What I wonder is: can I get my
users to use a longer passphrase that's easier for them to type, and
will I then end up with stronger passphrases?  What's a reasonable
tradeoff between security and convenience?  Personally, if I could get
everyone to use a passphrase that on average would withstand attacks
for a year, I would be delighted.

BTW - I should also say that I am pretty sure that most users
will find it easier to type words rather than a mixture of
characters, although I have no real proof to back that up.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
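The length-versus-complexity question in this thread can be put in numbers. The following is an added worked example, not code from either poster: it computes the entropy of a uniformly random secret (characters or words), the expected time an exhaustive guesser needs at an assumed rate, and how many words or characters are needed to meet the "withstand attacks for a year" target. The guess rate (10^9 guesses per second), the 94-character printable alphabet, the 7776-word list size and the smaller "human-chosen" vocabulary are all constructed assumptions for illustration; real attack speeds depend on the password hash and hardware, and the figures only hold when the words or characters are chosen at random rather than by the user.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(symbols, alphabet_size):
    """Entropy of a secret made of `symbols` independent, uniformly random
    picks out of `alphabet_size` possibilities. A 'symbol' may be a single
    character or a whole word; the formula is the same."""
    return symbols * math.log2(alphabet_size)


def expected_years_to_guess(bits, guesses_per_second):
    """Expected time for an exhaustive guesser: on average it has to try
    half of the 2**bits possibilities before hitting the right one."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def symbols_needed(years, alphabet_size, guesses_per_second):
    """Smallest number of symbols (characters or words) whose expected
    guessing time at the given rate is at least `years`."""
    target_bits = math.log2(years * SECONDS_PER_YEAR * guesses_per_second) + 1
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare_policies(guesses_per_second=1e9, target_years=1.0):
    """Constructed comparison (assumed sizes, not figures from the thread):
    an 8-character password over the 94 printable ASCII characters versus a
    passphrase of 4 words drawn at random from a 7776-word list. A third row
    shows what happens if a user picks 'ordinary' words from an assumed
    effective vocabulary of only 2000, which is the 'attacker shortcut'
    effect the quoted message mentions."""
    password_bits = entropy_bits(8, 94)
    phrase_bits = entropy_bits(4, 7776)
    human_phrase_bits = entropy_bits(4, 2000)  # assumed reduced vocabulary
    return {
        "password_bits": password_bits,
        "password_years": expected_years_to_guess(password_bits, guesses_per_second),
        "phrase4_bits": phrase_bits,
        "phrase4_years": expected_years_to_guess(phrase_bits, guesses_per_second),
        "human_phrase4_bits": human_phrase_bits,
        "human_phrase4_years": expected_years_to_guess(human_phrase_bits, guesses_per_second),
        # How many random words / random characters reach the one-year target.
        "words_for_target": symbols_needed(target_years, 7776, guesses_per_second),
        "chars_for_target": symbols_needed(target_years, 94, guesses_per_second),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key:>20}: {value:,.2f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

At the assumed rate, the 8-character password (about 52 bits) and the 4-random-word passphrase (about 52 bits) are close to equal, and neither reaches a year; five random words (about 65 bits) or nine random characters do. The "human vocabulary" row shows why random selection matters: four everyday words carry only about 44 bits, which is the shortening effect the quoted message describes.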
