Educause Security Discussion mailing list archives

Re: Password entropy


From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 19 Jul 2006 18:42:50 -0400

This is a very legitimate point concerning the 'speed' of entry, not so much
for the average user, but inside of an IT shop where a system admin may be
required to login to help resolve an issue with a server or service with
other staff.

Given I am a "touch" typist, I make everyone look away and type my
credentials while verifying no one is looking at me as I type. Last year we
had a system admin who literally typed so slowly that you could not only
easily watch and pick up their entry, but could also GUESS what was next.
You can only look away so long... <g>

As with most things, this really boils down to risk mitigation.  Your
network / system admin staff should have much stricter policies on their
passwords.  However, try to tell a student who is only checking their
college email once a week they need some sort of hyper secure and very
lengthy "pass phrase" they must change every 90 days.

My only point here is that password security need only address the risk
associated with its compromise.

-----Original Message-----
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU]
Sent: Wednesday, July 19, 2006 5:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password entropy

On Wed, 19 Jul 2006 14:51:25 CDT, Roger Safian said:

BTW - I should also say that I am pretty sure that most users will
find it easier to type words rather than a mixture of characters,
although I have no real proof to back that up.

An important consideration here is that a string of words is easier to type,
which means that the typing speed goes up.  It's much harder to
shoulder-surf a 10 word passphrase from somebody typing at 40wpm than it is
to shoulder-surf 10 random letters from the same somebody who has dropped to
near hunt-n-peck speeds because the letters don't form a "natural" sequence.
I know *I* can type the first 10 words of Styx's "This Old Man" from the
Crystal Ball album a lot faster than I can do the whole "This starts with T,
Old starts with O, then M, H, T, M, M, T, T, U...."
