It seems obvious that the longer/more complex the
password, the more likely the user is to write it down,
so I'm not sure that such a study would really yield any
new insight. What I've taken to doing is stressing the idea
of a passphrase instead of a password, then using the
initial letters of each word, and mixing caps.other characters
as needed for complexity, so:
"My dog used to have fleas but he ate them" becomes "Mdu2Hfbh8T"
10 characters, rather than 8, upper-lower-numeric, but still a
password the user can be reasonably expected to remember.
dcj2
Stian
Øvrevåge <sovrevage@gmail.com> on 05/26/2005 05:06:42 AM
Please respond to Stian Øvrevåge <sovrevage@gmail.com>
To: security-basics@securityfocus.com
cc: (bcc: Doug Janelle/Inc/Jouan)
Subject: Linking Password Length to Write-down probability
God morning list!
I continually read papers which advertise increased password lenghts (
and outrageous complexity requirements ) as The Solution(TM). I work
in a fairly large organization and I can safely acknowledge that even
8 character passwords with moderate complexity requirements are VERY
prone to beeing written un-encrypted and un-hashed on Post-Its, and
then safely contained, under the keyboard, or on the monitor. Which in
my humble oppinion is bordering to "stupid security".
I'm certain that there is a link between required password lenght and
complexity and the probability of users taking the huge leap backwards
and writing passwords down.
I've been doing a little Googling, but I can't seem to find any
scientific analytical/statistical research done on this particular
subject. Is anyone out there aware of any works done in this field? If
not, is there anyone intrested in conducting such a survey on the
behalf of the community?
Regards, Stian
