Password security

Gordon Burditt gordon at sneaky.TANDY.COM
Sun Nov 27 19:07:16 AEST 1988


In article <32582 at bbn.COM> mesard at bbn.com (Wayne Mesard) writes:
>From article <4449 at sneaky.TANDY.COM>, by gordon at sneaky.TANDY.COM (Gordon Burditt):
>> can easily remember.  So, I propose the following change to the password 
>> algorithm.
>[...]
>> - Change the length of the password to 28 characters minimum, 512 characters 
>>   maximum.
>
>Whether or not your proposal makes technical sense, you have forgotten
>an important element of this equation: human nature.  Yes, the very same
>thing that you're trying to circumvent by coercing people into using an
>absurdly cumbersome mechanism.  What would happen if this procedure were

You do have a point that user education and ease-of-use is an important
consideration.  I think the annoying feature of a longer password is
outweighed by the ability to use English words without restricting the
choices so much that a dictionary attack is feasible.  No, I don't expect
anyone to use 512-character passwords, especially since every possible
password in the scheme I described can map into a 28-character string
containing only the digits 0, 1, 2, and 3.

>enacted?  I'll tell you:
> o  More people would stay logged in overnight and when they go to lunch,
>    because it's become such a pain to login again.

Which is easier to type, "x5Ybn$1'" or "bicycle pumps fly north in June"?
For people who are used to typing words, the second can be easier even
if it's longer.  I remember one 8-character password I had that seemed to be 
pretty secure against penetration even when it was dictated over the phone, 
slowly, to another person trying to use it.  He still couldn't get it after 
6 dictations and 12 tries.  I had no trouble remembering it because it
meant something to me.

There are some people who think it's a real pain to log in again.
The ones I know seem to prefer typing something like "interviewing at the 
Kremlin" ("interviewing" is a terminal lock program with about 50 other 
links to it, including "sleeping", "hiding", and "gone") and then their 
password when they come back.  Typing "interviewing at the Kremlin" is 
obviously much easier than typing control-D and a 2-character login name.

> o  More people would write their passwords on slips of paper taped to
>    their desk because it's become such a pain to remember.

I disagree that 28-character passwords consisting of English words are
harder to remember than 8-character random garbage.  And because of the
greater number of combinations, they can be more secure.  Guessing 
4 randomly chosen words out of /usr/dict/words is about 8 times harder 
than guessing all possible 8-character passwords.

> o  More people would choose easy passwords (e.g. 28 "a"s, or the
>    alphabet plus their initials) to try to make memorization easier.

No, I think they would choose words and phrases.  Even if the 28-character
password is taken to be "9 consecutive 4-letter cusswords", or "7
consecutive 4-letter cusswords and the sysadmin's name" there are
still lots of combinations.

				Gordon L. Burditt
				...!texbell!sneaky!gordon
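Worked calculation of the search-space comparison made in the post above, added here as an example; it is not part of the original message. The dictionary size (25,000 words) and the 128-symbol alphabet (7-bit ASCII, the assumed per-character input of the era's password hash) are assumptions, while the 56-bit budget comes from the post's own "28 symbols over 0, 1, 2, 3" mapping.

```python
import math

# Entropy in bits of a passphrase of k words chosen uniformly and
# independently from a dictionary of n words: log2(n ** k).
def passphrase_bits(dict_words: int, num_words: int) -> float:
    return num_words * math.log2(dict_words)

# Entropy in bits of a password of `length` characters drawn uniformly
# from an alphabet of `alphabet` symbols: log2(alphabet ** length).
def password_bits(alphabet: int, length: int) -> float:
    return length * math.log2(alphabet)

# How many times more guesses an exhaustive search needs against the
# passphrase than against the character password (ratio of space sizes).
def guess_ratio(dict_words: int, num_words: int,
                alphabet: int, length: int) -> float:
    diff = passphrase_bits(dict_words, num_words) - password_bits(alphabet, length)
    return 2.0 ** diff

# Fewest dictionary words needed to reach a target number of bits.
def words_needed(dict_words: int, target_bits: float) -> int:
    return math.ceil(target_bits / math.log2(dict_words))

# The post notes every password in the scheme maps to 28 symbols over
# {0,1,2,3}: 2 bits per symbol, so the hash input carries at most 56 bits.
SCHEME_BITS = password_bits(4, 28)

# Entropy that actually survives the mapping: extra words beyond the
# 56-bit budget add nothing an attacker must search.
def effective_bits(dict_words: int, num_words: int) -> float:
    return min(passphrase_bits(dict_words, num_words), SCHEME_BITS)

if __name__ == "__main__":
    DICT = 25_000   # assumed size of /usr/dict/words
    ALPHABET = 128  # assumed 7-bit ASCII per character
    print(f"4 words from {DICT}: {passphrase_bits(DICT, 4):.1f} bits")
    print(f"8 chars from {ALPHABET}: {password_bits(ALPHABET, 8):.1f} bits")
    print(f"guess ratio: {guess_ratio(DICT, 4, ALPHABET, 8):.1f}x")
    print(f"words to fill the 56-bit budget: {words_needed(DICT, SCHEME_BITS)}")
    print(f"effective bits of 6 words: {effective_bits(DICT, 6):.1f}")
```

The ratio moves quickly with the assumed dictionary size, and the `effective_bits` cap is the practical point: once the hash input is fixed at 56 bits, longer phrases cost the user typing without costing the attacker guesses.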
