Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Bob Bayn <Bob.Bayn () USU EDU>
Date: Mon, 19 Nov 2007 12:03:58 -0700

Even if "strong" passwords are not all that hard to
crack, we still need to protect our users from
themselves in some way.  On one system here, that
originally required a 6 digit PIN and was eventually
broadened to a 6 character passcode (which we still
refer to as a PIN), a review of the frequency distribution
of user-selected passcodes reveals that "123456" is
by far their favorite choice.  A distant second is
"654321" (I'm sure they think they are tricky) followed
by an assortment of 6 of the same digit or 3 of two digit
pairs along with names of sports and then first names.

The first entries I see that don't have an obvious
explanation are "monkey" and "cheese" and all the way
down the sorted list to passcodes used by as few as
three people, I only found 4 entries that weren't
words, names, numeric sequences, keyboard patterns, or
5 letter names followed by a digit.  Left to their own
option, most everyone will pick a password that says
"guess me quick".

The fact that it is possible for me to easily run
this analysis on that system is another security
concern (what hash algorithm?).  Our new authentication
system being prepared for deployment will address all
these issues, and will have password expiration as well
as a bad guess limit.

Bob Bayn
IT Security Team coordinator
Utah State University
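The frequency analysis Bob describes above, as an added example that is not part of the original post or of any USU system: a classifier for the passcode families he lists (ascending and descending digit runs, six of one digit, a two-digit pair three times, keyboard rows, dictionary words, first names, and a 5-letter name plus a digit), run over a small constructed sample to produce the sorted frequency list. The word and name lists are illustrative stand-ins, not the lists used in his review. The last function illustrates his "what hash algorithm?" point: against a store of per-user salted, iterated hashes (PBKDF2 is assumed here) a defender can only try a short list of candidates per user, not sort the whole population by value.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample of user-chosen 6-character passcodes (not real data).
SAMPLE_PASSCODES = (
    ["123456"] * 8 + ["654321"] * 4 + ["111111"] * 3 + ["121212"] * 2
    + ["qwerty"] * 2 + ["monkey"] * 2 + ["cheese", "sarah1", "x7k2qz"]
)

# Illustrative stand-ins for a real dictionary and name list (assumption).
COMMON_WORDS = {"monkey", "cheese", "soccer", "hockey", "tennis"}
FIRST_NAMES = {"james", "sarah", "david", "emily", "susan", "kevin"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def classify(passcode):
    """Return the weak-pattern family a passcode falls into, or 'no obvious pattern'."""
    p = passcode.lower()
    if p.isdigit():
        if p in "0123456789":
            return "ascending digits"
        if p in "9876543210":
            return "descending digits"
        if len(set(p)) == 1:
            return "same digit x6"
        if len(p) == 6 and p[0:2] == p[2:4] == p[4:6]:
            return "two-digit pair x3"
    for row in KEYBOARD_ROWS:
        if len(p) >= 4 and (p in row or p in row[::-1]):
            return "keyboard pattern"
    if p in COMMON_WORDS:
        return "dictionary word"
    if p in FIRST_NAMES:
        return "first name"
    if len(p) == 6 and p[:5] in FIRST_NAMES and p[5].isdigit():
        return "5-letter name + digit"
    return "no obvious pattern"


def frequency_report(passcodes):
    """Sorted (passcode, user count, family) list, most popular first.
    Only possible when the store is reversible or unsalted, which is the
    concern raised in the post."""
    counts = Counter(passcodes)
    return [(pc, n, classify(pc)) for pc, n in counts.most_common()]


def family_summary(passcodes):
    """How many users fall into each weak-pattern family."""
    return Counter(classify(pc) for pc in passcodes)


def hash_passcode(passcode, salt, iterations):
    # Assumed storage scheme: PBKDF2-HMAC-SHA256 with a per-user random salt.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations)


def build_salted_store(passcodes, iterations=1000):
    """Hypothetical credential store: one (salt, digest) pair per user."""
    store = []
    for pc in passcodes:
        salt = os.urandom(16)
        store.append((salt, hash_passcode(pc, salt, iterations)))
    return store


def audit_salted_store(store, candidates, iterations=1000):
    """Count users whose entry matches one of a few top candidates.
    Each candidate is re-hashed under every user's salt, so cost grows as
    users * candidates * iterations; a full frequency distribution is out of reach."""
    hits = Counter()
    for salt, digest in store:
        for cand in candidates:
            if hmac.compare_digest(hash_passcode(cand, salt, iterations), digest):
                hits[cand] += 1
                break
    return hits


if __name__ == "__main__":
    for pc, n, fam in frequency_report(SAMPLE_PASSCODES):
        print(f"{pc:8} {n:3}  {fam}")
    print(family_summary(SAMPLE_PASSCODES))
    store = build_salted_store(SAMPLE_PASSCODES)
    print(audit_salted_store(store, ["123456", "654321", "111111"]))
```

The iteration count is kept low so the sample runs quickly; a production store would use a far higher count, which is exactly what makes the per-user candidate test expensive and the whole-population sort impossible.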
