Educause Security Discussion mailing list archives
Re: Password entropy
From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 19 Jul 2006 18:42:50 -0400
This is a very legitimate point concerning the 'speed' of entry, not so much for the average user, but inside of an IT shop where a system admin may be required to log in to help resolve an issue with a server or service with other staff. Given I am a "touch" typist, I make everyone look away and type my credentials while verifying no one is looking at me as I type. Last year we had a system admin that literally typed so slow that you could not only easily watch and pick up their entry, but could also GUESS what was next. You can only look away so long... <g>

As with most things, this really boils down to risk mitigation. Your network / system admin staff should have much stricter policies on their passwords. However, try to tell a student who is only checking their college email once a week they need some sort of hyper secure and very lengthy "pass phrase" they must change every 90 days. My only point here is that password security need only address the risk associated with its compromise.

-----Original Message-----
From: Valdis Kletnieks [mailto:Valdis.Kletnieks () VT EDU]
Sent: Wednesday, July 19, 2006 5:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password entropy

On Wed, 19 Jul 2006 14:51:25 CDT, Roger Safian said:
BTW - I should also say that I am pretty sure that most users will find it easier to type words rather than a mixture of characters, although I have no real proof to back that up.
An important consideration here is that a string of words is easier to type, which means that the typing speed goes up. It's much harder to shoulder-surf a 10 word passphrase from somebody typing at 40wpm than it is to shoulder-surf 10 random letters from the same somebody who has dropped to near hunt-n-peck speeds because the letters don't form a "natural" sequence. I know *I* can type the first 10 words of Styx's "This Old Man" from the Crystal Ball album a lot faster than I can do the whole "This starts with T, Old starts with O, then M, H, T, M, M, T, T, U...."