RE: Linking Password Length to Write-down probability

["Miguel Dilaj" <mdilaj () nccglobal com>]

Hi Stian,

It's all down to user education, that's probably the most difficult portion
of IT Security ;-)
If jrRG££mc$! means SOMETHING for the user, he/she will remember it,
otherwise they'll use the "Post-It Solution".
Teach your users HOW to select a good password, not WHAT it has to be.
If you say "it has to be 8 characters, MiXeD case, with numb3r5 and
punctuat!on marks, they'll screw it.
If you teach (very old but still good example) to take a phrase they'll
easily remember, for example:
   "Quite frankly darling, what you are saying is of the least importance to
me!"
And take the first character of each word, this will produce:
   "Qfd,wyasiotli2m!"
(Note I replace "to" with "2).
Is that good enough?
Of course they can choose their own phrase from whatever source, take the
3rd character instead of the 1st, etc etc etc...

On the technical side, remember that bad encryption defeats a good password.
What you presented is the opposite, bad passwords defeat good encryption.
You have to consider both sides.
Cheers,

Miguel


-----Original Message-----
From: Stian Øvrevåge [mailto:sovrevage () gmail com] 
Sent: 26 May 2005 10:07
To: security-basics () securityfocus com
Subject: Linking Password Length to Write-down probability


God morning list!

I continually read papers which advertise increased password lenghts ( and
outrageous complexity requirements ) as The Solution(TM). I work in a fairly
large organization and I can safely acknowledge that even 8 character
passwords with moderate complexity requirements are VERY prone to beeing
written un-encrypted and un-hashed on Post-Its, and then safely contained,
under the keyboard, or on the monitor. Which in my humble oppinion is
bordering to "stupid security".

I'm certain that there is a link between required password lenght and
complexity and the probability of users taking the huge leap backwards and
writing passwords down.

I've been doing a little Googling, but I can't seem to find any scientific
analytical/statistical research done on this particular subject. Is anyone
out there aware of any works done in this field? If not, is there anyone
intrested in conducting such a survey on the behalf of the community?

Regards, Stian


***********************************************************************************************************
DISCLAIMER:                                                                                                
This e-mail contains proprietary information, some or all of which may be legally privileged.              
It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, 
please notify the author by replying to this e-mail. If you are not the intended recipient you may not use,
disclose, distribute, copy, print or rely on this e-mail.                                                  
***********************************************************************************************************