Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice? (pafwert program)


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 17 Mar 2010 16:27:41 -0700

Hi Eric,

On Mar 17, 2010, at 1:41 PM, Eric Case wrote:
<rant>
I do not mean to offend anyone, but is that mindset the reason that users
reject security advice?  "The new password policy is more restrictive" vs.
"the new password policy is simple; longer is better" (or whatever).  When
are we going to stop saying password and start saying passphrase?  Long and
'simple' beats short and 'complex' every day.  Has everyone seen Pafwert
http://xato.net/bl/2007/01/30/pafwert-smarter-passwords?
</rant>
-Eric

 I think the premise behind Pafwert is very incorrect. Most of the examples he provides of "strong" passwords are
dictionary words with periods. This results in extremely low randomness (e.g. on the order of regular English text).

 Honestly, it seems like he may have created this program tongue in cheek? His "strong" passwords include examples like 
"Dr. Abcd" (http://xato.net/img/PafwertScreen1.jpg). This is actually a pretty good example of how people will create 
passwords with incredibly low entropy while thinking they have a clever and strong password.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873
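As an added illustration of the entropy argument in this thread (example code, not from the thread or from Pafwert), the script below counts the bits of a few generation patterns, including the "Dr. Abcd" title-plus-word shape versus a random four-word passphrase. The pool sizes (number of titles, dictionary words, guess rate) and the sample word list are assumptions, not figures from the thread.

```python
"""Compare the keyspace of password-generation patterns and build a random
passphrase. Pool sizes below are assumptions chosen for illustration."""
import math
import secrets
import string

TITLES = 10           # assumed: "Dr", "Mr", "Ms", ... a short list of titles
DICT_WORDS = 20_000   # assumed: common English words tried first in a wordlist attack
DICEWARE = 7_776      # size of a standard Diceware word list (6^5)
PRINTABLE = len(string.digits + string.ascii_letters + string.punctuation)  # 94

def pattern_bits(pool_sizes):
    """Entropy in bits of a secret built from independent uniform choices,
    one choice per pool. Dictionary words count as ONE choice each, not as
    a string of independent characters."""
    return sum(math.log2(n) for n in pool_sizes)

def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time for an offline attacker to try every candidate at an
    assumed guess rate; a rough risk figure, not a benchmark."""
    return (2 ** bits) / guesses_per_second / (3600 * 24 * 365)

# Each pattern is the list of pools the user (or tool) actually draws from.
PATTERNS = {
    "title-dot-word": [TITLES, DICT_WORDS],     # "Dr. Abcd": title + period + word
    "word.word": [DICT_WORDS, DICT_WORDS],      # two dictionary words joined by a period
    "random-8-chars": [PRINTABLE] * 8,          # short "complex" password
    "diceware-4-words": [DICEWARE] * 4,         # long "simple" passphrase
}

def compare_patterns(patterns=PATTERNS):
    """Return {pattern name: entropy in bits, rounded to one decimal}."""
    return {name: round(pattern_bits(pools), 1) for name, pools in patterns.items()}

# Constructed tiny word list standing in for a real Diceware-sized list.
SAMPLE_WORDS = ["apple", "river", "candle", "tiger", "orbit", "maple", "quartz", "violin"]

def random_passphrase(words, n=4, sep="."):
    """Pick n words uniformly with a CSPRNG; entropy is n * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(n))

if __name__ == "__main__":
    for name, bits in compare_patterns().items():
        print(f"{name:18s} {bits:5.1f} bits  ~{years_to_exhaust(bits):.2e} years to exhaust")
    print("example passphrase:", random_passphrase(SAMPLE_WORDS))
```

The numbers make Brian's point concrete: a title plus a dictionary word sits near 18 bits, while four random Diceware words and eight random printable characters both land above 50 bits, and only the passphrase is easy to remember.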
