Network Security Security-Basics

Re: Linking Password Length to Write-down probability

Subject: Re: Linking Password Length to Write-down probability
Date: 27 May 2005 17:37:01 -0000
In-Reply-To: <20050527135957.21511.qmail@www.securityfocus.com>

There actually has been much research on what humans can memorize, and that is 
the basis for things like phone numbers and zip codes. If I recall correctly, 
most humans can easily remember 5-7 chunks of information.

Most people think that equates to a 5-7 character password but it could just as 
easily be a password composed of 5-7 whole words.

There are also methods to make memorization easier, including patterns, using 
delimiters, personal connection, rhyme, tempo, meaning, offensiveness, humor, 
alliteration, palindromes, synonyms, antonyms, etc. 

If someone can memorize a line to a song, they certainly can handle a 5-7 word 
passphrase.

For example, how many users would have to write down a password like "Grandma 
has 2 hairy legs." That password certainly would meet even the most demanding 
company policy, likely will never appear on any wordlist, but it is easy to 
remember. Even better: "Grandma@2-hairy-legs.com"

The problem with most user passwords isn't the complexity or whether they write 
them down or not, it's that most people simply don't know how to create strong 
passwords that are easy to remember.

If you are worried about users recording their passwords, which isn't a bad 
thing if done safely, then provide them with one of the many encrypted password 
storage utilities out there.

Another useful strategy is to teach users to select stronger passwords and 
don't force them to change the password so often. That way they will be more 
willing to put the effort into memorizing a very strong password.

If anyone is interested in participating in any password research, I am 
currently working on a book called Password Roulette through Syngress 
publishing due later this year that will teach users how to create strong 
passwords. I would love to have some real-world organizations participate.


Mark Burnett
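The "5-7 chunks" argument above can be checked numerically: the same number of memory chunks spent on randomly chosen words instead of characters buys far more entropy, while the sample passphrases still satisfy a typical complexity policy. The code below is an added illustration, not part of the original post; the policy (8+ characters, 3 of 4 character classes), the 95-character printable pool and the 7776-word list size are assumptions chosen for the comparison.

```python
import math
import re

# Constructed policy: minimum length plus three of four character classes.
POLICY_MIN_LENGTH = 8
POLICY_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def meets_policy(secret, min_classes=3):
    """True if secret satisfies the assumed length and class requirements."""
    if len(secret) < POLICY_MIN_LENGTH:
        return False
    hit = sum(1 for rx in POLICY_CLASSES.values() if rx.search(secret))
    return hit >= min_classes


def memory_chunks(secret):
    """Split on spaces and common delimiters; each token is one chunk to recall."""
    return [t for t in re.split(r"[\s@.\-_/]+", secret) if t]


def random_entropy_bits(n_chunks, pool_size):
    """Bits if each of n_chunks is drawn uniformly from pool_size options.

    Caveat: a meaningful sentence is not uniformly random, so this is an
    upper bound on what a chunk-for-chunk comparison can claim.
    """
    return n_chunks * math.log2(pool_size)


def compare(chunks):
    """Entropy for the same chunk count spent on characters vs on words."""
    return {
        "chars_from_95": round(random_entropy_bits(chunks, 95), 1),
        "words_from_7776": round(random_entropy_bits(chunks, 7776), 1),
    }


if __name__ == "__main__":
    # Sample passphrases quoted from the post above.
    for p in ("Grandma has 2 hairy legs.", "Grandma@2-hairy-legs.com"):
        print(p, meets_policy(p), len(memory_chunks(p)))
    print(compare(5), compare(7))
```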

