Educause Security Discussion mailing list archives

Re: password vs pass-phrase (was: Are users right in rejecting security advice?)


From: Charles Buchholtz <chip+educause () SEAS UPENN EDU>
Date: Thu, 18 Mar 2010 13:54:00 -0400

On Thu, Mar 18, 2010 at 09:57:11AM -0700, Eric Case wrote:
I call them pass-acronyms:

I picked this one from your list:

Tmb50w2lyl

There must be fifty ways, To leave your lover
- Paul Simon, 50 Ways To Leave Your Lover

Google came back with two hits - the second hit was in
"honestforum.com", in response to the question, "so, what's the
password for your HF account?", dated 03-07-2008.  I think it's safe
to assume that the black-hats are trying it.

The pass-acronym method is decades old.  20 years ago I recommended it
to our users as a good way to come up with "unguessable" passwords.
Fifteen years ago I stopped recommending it, because it had become
"too common".  Like anything, it works if you pick something unusual,
but song titles, catch phrases, etc. are not safe.

--- Chip

Charles H. Buchholtz                    Director of Systems Programming
chip () seas upenn edu            School of Engineering and Applied Science
http://www.seas.upenn.edu/~chip           University of Pennsylvania
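The post's point is that a pass-acronym is only as strong as the obscurity of the phrase behind it, and that well-known lyrics and catch phrases are already on the attackers' lists. A password policy can turn that observation into a registration-time check: derive the acronym the same way a user would (first letters, number words to digits, "to" to "2") from a list of phrases the organisation considers too common, and reject any candidate that matches. The following is an added example written for this archive page; it is not code from the original post, the list, or any Penn system. The phrase list, the number-word table and the homophone table are constructed assumptions, and the check goes slightly beyond the post by also catching the plain-initials variant of each phrase.

```python
import re

# Constructed stand-in for the organisation's "too common" phrase list.
# A real deployment would load thousands of lyrics, titles and slogans.
KNOWN_PHRASES = [
    "There must be fifty ways, To leave your lover",   # the post's example
    "Four score and seven years ago",
    "To be or not to be",
]

# Assumed substitution tables: how people typically compress words into the
# acronym. Number words become digits; a few sound-alikes become digits too.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
    "ten": "10", "twenty": "20", "thirty": "30", "forty": "40",
    "fifty": "50", "hundred": "100",
}
HOMOPHONES = {"to": "2", "too": "2", "for": "4", "ate": "8"}


def acronym(phrase: str, substitute: bool = True) -> str:
    """Build the pass-acronym for a phrase.

    With substitute=True, number words and common homophones are replaced
    by digits, which is how "fifty ways, To leave" becomes "50w2l" in the
    post's example. With substitute=False only the first letters are kept.
    The author's capitalisation is preserved so the result reads like a
    password a user would actually type.
    """
    parts = []
    for word in re.findall(r"[A-Za-z]+", phrase):
        key = word.lower()
        if substitute and key in NUMBER_WORDS:
            parts.append(NUMBER_WORDS[key])
        elif substitute and key in HOMOPHONES:
            parts.append(HOMOPHONES[key])
        else:
            parts.append(word[0])
    return "".join(parts)


def blocked_acronyms(phrases=KNOWN_PHRASES) -> set:
    """All acronym variants (with and without digit substitution) of the
    known phrases, lower-cased for a case-insensitive comparison."""
    out = set()
    for phrase in phrases:
        out.add(acronym(phrase, substitute=True).lower())
        out.add(acronym(phrase, substitute=False).lower())
    return out


def is_known_pass_acronym(candidate: str, phrases=KNOWN_PHRASES) -> bool:
    """True when the candidate password is the acronym of a phrase on the
    "too common" list, i.e. exactly the kind of password the post says the
    black-hats are already trying. Case is ignored on purpose: an attacker
    who tries the lowercase form will try the capitalised one as well."""
    return candidate.lower() in blocked_acronyms(phrases)


if __name__ == "__main__":
    for pw in ["Tmb50w2lyl", "TmbfwTlyl", "4sa7ya", "Xq9!vL2pz"]:
        verdict = "reject (known pass-acronym)" if is_known_pass_acronym(pw) else "ok"
        print(f"{pw:12} -> {verdict}")
```

The check is deliberately a blocklist, not a strength estimator: it says nothing about a password that happens to be unusual, which is the post's "pick something unusual" advice, and it only flags candidates that match a phrase the organisation already knows to be common.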
