Educause Security Discussion mailing list archives

password vs pass-phrase (was: Are users right in rejecting security advice?)


From: Charles Buchholtz <chip+educause () SEAS UPENN EDU>
Date: Wed, 17 Mar 2010 19:36:26 -0400

On Wed, Mar 17, 2010 at 05:35:38PM -0400, Justin Azoff wrote:

> Do any sites out there actually have a 'password' policy that is simply
> 'minimum length: 16' ?

Close: we accept any passphrase 16 characters or more as long as it is
not all one type of character (lower, upper, number, punctuation).
Spaces are ignored when checking "type of character".

Passwords of 9-15 characters must in addition pass a dictionary test.
On the password change page we provide a list of randomly generated 9
character passwords that are acceptable, if people just want to pick
one of those.  A new list is generated with each page reload.

> Is there any research out there that shows that a 'complex' 8 character
> password is more secure or easier to remember than a 16 character
> passphrase?

We find that some people strongly prefer shorter passwords that pass
the dictionary test, and other people strongly prefer longer
pass-phrases made up of words.  Security is another story - for
instance, I'm pretty sure that "Alice in Wonderland" is less secure
than "TriSsmitp".

I considered doing a rough strength calculation: a three letter word
counts as 2190 (the number of three letter words in our
dictionary[1]), a four letter word counts as 7738, a letter not in a
word counts as 26, a numeral counts as 10, etc, and you multiply them
all up and that gives you a strength score.  "Alice in Wonderland"
gets 10^9 and "TriSsmitp" gets 10^12.  "My lawn is always green" gets
10^17.

Of course, that doesn't recognize that "Alice in Wonderland" is a
well-known phrase.  What I need is a phrase dictionary.  In multiple
languages, including slang.  Points should be given for switching
languages: "My lawn is always green" should score less than "My lawn
is sempre verde".

I also thought of testing pass phrases by Googling the string and
seeing how many hits it got.  Too many hits means the phrase is "too
common".  But we figured out that we'd be exposing our pass phrases on
insecure networks, and they would show up in Google's search
suggestions, etc.  BTW, 'Alice in Wonderland' = 32,300,000 matches,
'My lawn is always green' = 2,040, "My lawn is sempre verde" = 0.
"TriSsmitp" = 3.

--- Chip

Charles H. Buchholtz                    Director of Systems Programming
chip () seas upenn edu            School of Engineering and Applied Science
http://www.seas.upenn.edu/~chip           University of Pennsylvania

[1] /usr/dict words - if I were to implement this I'd use a real crack
dictionary.
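The rough strength calculation and the acceptance rules Chip describes above, as an added Python example that is not part of the original post: a dictionary word is weighted by the number of words of its length, letters that form no word by 26 each, numerals by 10, and the weights are multiplied. The toy word list (standing in for the /usr/dict list Chip mentions), the weight of 32 for punctuation, counting spaces toward length, and reading "dictionary test" as "contains no dictionary word" are all assumptions.

```python
import math
import re
from collections import Counter

# Constructed toy word list standing in for Chip's /usr/dict list (an
# assumption: his list has 2190 three-letter and 7738 four-letter words, so
# real scores are far larger than what this toy list produces).
TOY_WORDS = ["alice", "in", "wonderland", "my", "lawn", "is", "always",
             "green", "the", "cat", "sat", "mat", "on", "tree", "blue"]
WORD_SET = set(TOY_WORDS)
# Number of dictionary words of each length: the guess space for one word.
COUNT_BY_LEN = Counter(len(w) for w in TOY_WORDS)
# A token is a run of letters, a single digit, or a single punctuation mark.
TOKEN = re.compile(r"[A-Za-z]+|[0-9]|[^A-Za-z0-9\s]")

def token_weight(tok):
    """Guess-space contribution of one token under Chip's rough rule."""
    if tok.isalpha():
        if tok.lower() in WORD_SET:
            return COUNT_BY_LEN[len(tok)]  # one word among those of its length
        return 26 ** len(tok)              # letters not forming a word: 26 each
    if tok.isdigit():
        return 10                          # a numeral
    return 32                              # punctuation mark (assumed weight)

def strength_log10(phrase):
    """log10 of the product of token weights; spaces contribute nothing."""
    return sum(math.log10(token_weight(t)) for t in TOKEN.findall(phrase))

def char_types(phrase):
    """Character classes present, ignoring spaces as the policy does."""
    tests = {"lower": str.islower, "upper": str.isupper, "number": str.isdigit}
    kinds = set()
    for ch in phrase.replace(" ", ""):
        kinds.add(next((k for k, f in tests.items() if f(ch)), "punctuation"))
    return kinds

def acceptable(phrase):
    """Chip's policy: 16+ chars with more than one character type, or 9-15
    chars that pass the dictionary test (assumed here: no token is a word)."""
    n = len(phrase)  # spaces count toward length (an assumption)
    if n >= 16:
        return len(char_types(phrase)) > 1
    if 9 <= n <= 15:
        return not any(t.isalpha() and t.lower() in WORD_SET
                       for t in TOKEN.findall(phrase))
    return False
```

With this scoring "TriSsmitp" outscores "Alice in Wonderland" as the post claims, and an all-lowercase 16-character phrase such as "my lawn is green" is rejected because only one character type is present.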
