Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Linking Password Length to Write-down probability

from [Bob Kurth] Network Security [Permanent Link]
Subject: RE: Linking Password Length to Write-down probability
Date: Fri, 27 May 2005 08:33:05 -0500 
Stian:

I have also been looking into this particular subject for differing reasons.  I 
want to increase length and complexity requirements at my place of business, 
but management seems to think their employees are not smart enough to meet the 
task.  From what I have been seeing in my googling, the consensus appears to be 
to move to the pass-phrase rather than a more complex password.  Of course, a 
really good pass-phrase would meet all those complexity requirements (alphas, 
numerics, and special characters).  Most of the Operating and Networking 
systems out there support moving to a string up to 128 characters long.  The 
link below is another good source reference for this, but doesn't really answer 
your query of whether or not there have been studies comparing the length and 
complexity requirements to the probability of the end user writing their 
password down.

http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf



Robert Kurth, CISSP
-----Original Message-----
From: Stian Øvrevåge [mailto:sovrevage@gmail.com] 
Sent: Thursday, May 26, 2005 4:07 AM
To: security-basics@securityfocus.com
Subject: Linking Password Length to Write-down probability

God morning list!

I continually read papers which advertise increased password lenghts (
and outrageous complexity requirements ) as The Solution(TM). I work
in a fairly large organization and I can safely acknowledge that even
8 character passwords with moderate complexity requirements are VERY
prone to beeing written un-encrypted and un-hashed on Post-Its, and
then safely contained, under the keyboard, or on the monitor. Which in
my humble oppinion is bordering to "stupid security".

I'm certain that there is a link between required password lenght and
complexity and the probability of users taking the huge leap backwards
and writing passwords down.

I've been doing a little Googling, but I can't seem to find any
scientific analytical/statistical research done on this particular
subject. Is anyone out there aware of any works done in this field? If
not, is there anyone intrested in conducting such a survey on the
behalf of the community?

Regards, Stian
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: help , scripting for security, Smith, Ryan
Next by Date:  RE: Symantec LiveUpdate and User Rights on Win2000, adisegna
Previous by Thread:  Re: Linking Password Length to Write-down probability, Dan Tesch
Next by Thread:  Re: Linking Password Length to Write-down probability, John Blackley
Indexes:  [Date] [Thread] [Top] [All Lists]