Educause Security Discussion mailing list archives
Re: Password entropy
From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Wed, 19 Jul 2006 14:51:25 -0500
At 02:22 PM 7/19/2006, David Gillett put fingers to keyboard and wrote:
> Stronger? Probably not. *All other things being equal*, length almost certainly trumps complexity.
>
> More effective? Sure. It's a lot less typing, which makes it easier to get the human to *use* it. And it resists most of the possible attacker shortcuts that the use of English words and grammar subjects the longer phrase to (which effectively shorten the long phrase). Some fraction of what I lose on length, I make back on complexity, and a really strong password that people won't use doesn't do any good.
OK, let's say, I agree with what you say. Now I know from experience that users hate complicated passphrases. What I wonder is can I get my users to use a longer passphrase, that's easier for them to type, and will I then end up with stronger passphrases? What's a reasonable tradeoff between security and convenience? Personally, if I could get everyone to use a passphrase that on average would withstand attacks for a year, I would be delighted.

BTW - I should also say that I am pretty sure that most users will find it easier to type words rather than a mixture of characters, although I have no real proof to back that up.

--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"
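An added worked example, not part of either message in this thread: the length-versus-complexity tradeoff above, computed for the one-year average target. It assumes every character or word is chosen uniformly at random (real English phrases fall short of this, as the quoted text notes), an attacker rate of 10^9 guesses per second, and about 5 keystrokes per word including the separator; all three figures are assumptions, not values from the thread.

```python
"""Added example: how many random symbols a secret needs to withstand
exhaustive search for one year on average. All figures are assumptions."""

SECONDS_PER_YEAR = 365 * 24 * 3600
ASSUMED_RATE = 10**9  # guesses per second; assumption, not from the thread

# (name, symbols to choose from, keystrokes per symbol): constructed values
SCHEMES = [
    ("printable ASCII characters", 94, 1),
    ("lowercase letters", 26, 1),
    ("words from a 7776-word list", 7776, 5),  # ~4 letters + separator (assumed)
]

def min_units(alphabet_size, rate=ASSUMED_RATE, seconds=SECONDS_PER_YEAR):
    """Smallest count of uniformly random symbols whose search space takes at
    least `seconds` to crack on average (on average half the space is tried).
    Integer arithmetic avoids floating-point rounding at the boundary."""
    target = 2 * rate * seconds
    n = 1
    while alphabet_size ** n < target:
        n += 1
    return n

def average_years(alphabet_size, units, rate=ASSUMED_RATE):
    """Average years to find a secret of `units` random symbols by brute force."""
    return alphabet_size ** units / (2 * rate * SECONDS_PER_YEAR)

def compare(schemes=SCHEMES, rate=ASSUMED_RATE):
    """Map scheme name -> (units needed, keystrokes, average years to crack)."""
    rows = {}
    for name, size, keys in schemes:
        n = min_units(size, rate)
        rows[name] = (n, n * keys, average_years(size, n, rate))
    return rows

if __name__ == "__main__":
    for name, (n, keys, years) in compare().items():
        print(f"{name:30} {n:3} units {keys:3} keystrokes {years:8.1f} years")
```

Under these assumptions, 5 random words (25 keystrokes) meet the same one-year average target as 9 random printable characters or 12 random lowercase letters.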