Educause Security Discussion mailing list archives
Re: Are users right in rejecting security advice? (pafwert program)
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Wed, 17 Mar 2010 16:27:41 -0700
Hi Eric,

On Mar 17, 2010, at 1:41 PM, Eric Case wrote:

> <rant>
> I do not mean to offend anyone, but is that mindset the reason that users reject security advice? "The new password policy is more restrictive" vs. "the new password policy is simple; longer is better" (or whatever). When are we going to stop saying password and start saying passphrase? Long and 'simple' beats short and 'complex' every day. Has everyone seen Pafwert http://xato.net/bl/2007/01/30/pafwert-smarter-passwords?
> </rant>
>
> -Eric

I think the premise behind Pafwert is very incorrect. Most of the examples he provides of "strong" passwords are dictionary words with periods. This results in extremely low randomness (e.g. on the order of regular English text). Honestly, it seems like he may have created this program tongue in cheek? His "strong" passwords include examples like "Dr. Abcd" (http://xato.net/img/PafwertScreen1.jpg). This is actually a pretty good example of how people will create passwords with incredibly low entropy while thinking they have a clever and strong password.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
Office: 520-206-4873