Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?

From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Wed, 17 Mar 2010 22:28:03 +0000

Check out Mark Burnett's book Perfect Passwords.  It has some of the same research you did and I think it has the research
that shows a 'complex' 8 character password is less secure and harder to remember than a passphrase.  It has been a few
years since I looked at the book so I might be wrong about the last part.

Sent via BlackBerry by AT&T

-----Original Message-----
From:         Justin Azoff <JAzoff () UAMAIL ALBANY EDU>
Date:         Wed, 17 Mar 2010 17:35:38 
Subject: Re: [SECURITY] Are users right in rejecting security advice?

On Wed, Mar 17, 2010 at 01:41:52PM -0700, Eric Case wrote:
I do not mean to offend anyone, but is that mindset the reason that users
reject security advice?  "The new password policy is more restrictive" vs.
"the new password policy is simple; longer is better" (or whatever).  When
are we going to stop saying password and start saying passphrase?  Long and
'simple' beats short and 'complex' every day.  Has everyone seen Pafwert?

speaking of 'complex'...

Combinatorics was never a strong subject for me, but I'm pretty sure that
having both a short minimum required length (like 8) and 'special'
character requirements actually decreases the security of a password.
Especially when additional requirements like "the special character can
not be the first or last character" are added.

As long as a user isn't going to use a dictionary word, forcing them to use a
number or a special character will decrease the number of possible passwords.
Furthermore, not all special characters are used equally.

I had the list of 1million+ passwords that was leaked in that myspace
related incident a while back. I finally took a look at it to confirm a
hunch I had, which was that when a number or special character is required
most users will use 0,1,!,@.

Filtering out passwords that don't have any letters (which tend to be phone
numbers and things like !@#$%^&*), the character frequencies are:

4311399 1
3047197 2
2912554 0
2015274 9
2002411 3
1665517 8
1647072 4
1526430 5
1508622 7
1453701 6
238435 .
189902 _
140388 !
117390 -
108022 *
104680 @
46974 #
35110 /
34576 $
29025 ,
26736 \
26324 &
23644 =
21949 +
17965 ?
17646 )
15802 (
15124 '
12299 ;
11551 "
10930 <
10490 ]
9798 %
8038 ~
7940 :
7466 [
5612 ^
4930 `
3416 >
1024 {
905 }

So the chance of the 'digit' being a '1' is almost 3 times it being a '6'.
The chance of the 'special' character being a '.' is 13 times it being a '?'.

Also interesting that the digit frequencies almost follow a pattern of
10 29 38 47 56

I don't think it should come as a surprise that things like '1password!' or
'123456789!@#$%^&*(' end up being the most common passwords.

Do any sites out there actually have a 'password' policy that is simply
'minimum length: 16' ?

Is there any research out there that shows that a 'complex' 8 character
password is more secure or easier to remember than a 16 character
passphrase?  I don't know of any reason to still be using short 'complex'
passwords other than that some old systems did not support passwords longer
than 8 characters.

-- Justin Azoff
-- Network Security & Performance Analyst
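The two calculations Justin describes, the combinatorics of forcing character classes at a fixed length (with and without the "special can't be first or last" rule) and the digit/special frequency count over a leaked list, worked through as an added Python example. This is not code from either poster. The alphabet (the 95 printable ASCII characters), the SAMPLE_PASSWORDS list, and the function names are assumptions made for the example; the digit counts in POSTED_DIGIT_COUNTS are the ones from the post above.

```python
import math
from collections import Counter

# Assumed alphabet: the 95 printable ASCII characters, split into the three
# classes that password policies talk about (letters, digits, "special").
LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
DIGITS = "0123456789"
SPECIALS = "".join(chr(c) for c in range(32, 127) if chr(c) not in LETTERS + DIGITS)
ALPHABET = LETTERS + DIGITS + SPECIALS  # 52 + 10 + 33 = 95 characters


def count_passwords(length, require_digit=False, require_special=False,
                    special_not_at_ends=False):
    """Number of strings of `length` over ALPHABET that satisfy the rules.

    Walks the positions left to right, keeping a count of partial strings per
    (has_digit, has_special) state. The end-position rule removes the special
    characters from the choices available at positions 0 and length-1.
    """
    states = Counter({(False, False): 1})
    for pos in range(length):
        at_end = pos == 0 or pos == length - 1
        n_special = 0 if (special_not_at_ends and at_end) else len(SPECIALS)
        nxt = Counter()
        for (has_digit, has_special), n in states.items():
            nxt[(has_digit, has_special)] += n * len(LETTERS)
            nxt[(True, has_special)] += n * len(DIGITS)
            nxt[(has_digit, True)] += n * n_special
        states = nxt
    return sum(n for (has_digit, has_special), n in states.items()
               if (has_digit or not require_digit)
               and (has_special or not require_special))


def has_letter(password):
    return any(c in LETTERS for c in password)


def non_letter_frequencies(passwords):
    """Frequencies of digits and specials, skipping passwords with no letters
    at all (phone numbers, keyboard walks such as !@#$%^&*), as the post does."""
    counts = Counter()
    for pw in passwords:
        if has_letter(pw):
            counts.update(c for c in pw if c not in LETTERS)
    return counts


def entropy_bits(counts):
    """Shannon entropy of an empirical character distribution, in bits.
    A uniform choice among 10 digits would give log2(10) = 3.32 bits."""
    total = sum(counts.values())
    return -sum((n / total) * math.log2(n / total) for n in counts.values() if n)


def skew_ratio(counts):
    """How much more likely the most common character is than the least common."""
    ordered = sorted(counts.values())
    return ordered[-1] / ordered[0]


# Digit counts exactly as posted for the MySpace list (after the letters filter).
POSTED_DIGIT_COUNTS = {
    "1": 4311399, "2": 3047197, "0": 2912554, "9": 2015274, "3": 2002411,
    "8": 1665517, "4": 1647072, "5": 1526430, "7": 1508622, "6": 1453701,
}

# Constructed sample list for the frequency function; not real leaked data.
SAMPLE_PASSWORDS = ["1password!", "hello123", "5551234567", "!@#$%^&*", "abc@def0"]


if __name__ == "__main__":
    plain = count_passwords(8)
    complex_ = count_passwords(8, require_digit=True, require_special=True)
    ends = count_passwords(8, require_digit=True, require_special=True,
                           special_not_at_ends=True)
    print(f"8 chars, no rules:               {plain:.3e}")
    print(f"8 chars, digit+special required: {complex_:.3e} ({complex_ / plain:.1%})")
    print(f"... and special not first/last:  {ends:.3e} ({ends / plain:.1%})")
    print(f"16 chars, no rules:              {count_passwords(16):.3e}")
    print(f"posted digit distribution: {entropy_bits(POSTED_DIGIT_COUNTS):.2f} bits "
          f"vs {math.log2(10):.2f} if uniform; "
          f"'1' is {skew_ratio(POSTED_DIGIT_COUNTS):.1f}x as likely as '6'")
    print(non_letter_frequencies(SAMPLE_PASSWORDS))
```

The counting function agrees with plain inclusion-exclusion for the "at least one digit and one special" case (95^8 - 85^8 - 62^8 + 52^8), and adding the end-position rule shrinks the space further; the posted digit counts come out at roughly 3.2 bits per digit instead of the 3.32 a uniform choice would give, which is the skew the post is pointing at.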
