[cryptography] Password non-similarity?

Bernie Cosell bernie at fantasyfarm.com
Sat Dec 31 11:02:22 EST 2011

On 31 Dec 2011 at 15:17, John Levine wrote:

> You can't force people to invent and memorize an endless stream of
> unrelated strong passwords.

I'm not sure I agree with this phrasing.  It is easy to memorize a strong 
password -- it just has to be long enough.  The problem as I see it is 
that way too many systems use a way-too-short password and then try to 
make it 'strong' by larding it up with being-random and including 
punctuation marks and junk like that.  I teach an information security 
class and in it I argue that *LONG* is the most important criterion for 
having a password be strong _and_effective_.  Randall had it exactly 
right, IMO:
> The more often you make people change passwords, the less effort they
> are willing to put into each password, so you can be absolutely sure
> that if you demand a new password every month, they will use dog+digit
> or whatever is the easiest way to get a password that will let them
> log in and get their fripping job done.

I agree.  One thing we discussed in class [to no real resolution] is what 
vulnerability is being addressed by requiring passwords to be changed 
[much less changed and not allowing reuse].  With systems confirming your 
'last login' when you authenticate, the vulnerability of an attacker 
using your account for a long time without your knowing [and so being 
able to do something about it] doesn't seem like a big risk.  With 
systems limiting failed logins [and using other 
secondary-authentications, e.g., for logins from a new IP addr], brute 
force seems like it isn't much of a risk.  There *IS* a risk of a major 
breach at the server compromising the entire user password-DB [at which 
point it can be brute-forced at the attacker's leisure], but that's 
unlikely [IMO] to go unnoticed and so, too, doesn't seem like a big risk. 
So what problem _is_ being addressed by requiring passwords to be changed 
so often [and so inconveniently]?


Bernie Cosell                     Fantasy Farm Fibers
mailto:bernie at fantasyfarm.com     Pearisburg, VA
    -->  Too many people, too few sheep  <--       
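To put numbers on the two points argued above (that length, not character-set "complexity", is what makes a password hard to brute-force, and that the offline attack on a leaked password database is the one case where cracking time actually matters), here is a small worked calculation. It is an added example, not code from the post or its author; the guess rate, the charset sizes and the rotation windows are assumed values chosen for illustration, and the model assumes every character is chosen uniformly at random, which a human-chosen passphrase does not quite satisfy.

```python
import math

# Assumed offline guess rate against a leaked hash database. This is an
# illustrative knob, not a figure from the post: a fast unsalted hash is
# cracked orders of magnitude faster than bcrypt/scrypt/Argon2 at a sane cost.
GUESSES_PER_SECOND = 10**10
SECONDS_PER_DAY = 86_400

# Alphabet sizes for the usual "complexity" tiers (assumed for the example).
CHARSETS = {
    "lowercase": 26,
    "lower+digits": 36,
    "mixed+digits": 62,
    "mixed+digits+punct": 95,
}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` chars over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy of a password whose every character is uniform over the alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size, target_bits):
    """Shortest length that reaches `target_bits` over the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def days_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case days for an offline attacker to try every candidate."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_DAY


def p_cracked_before_rotation(alphabet_size, length, rotation_days,
                              rate=GUESSES_PER_SECOND):
    """Probability that an attacker holding the hash recovers a uniformly
    random password before the user is forced to change it. Rotation only
    buys anything when this is well below 1 for the policy in force."""
    guesses = rate * rotation_days * SECONDS_PER_DAY
    return min(1.0, guesses / keyspace(alphabet_size, length))


def policy_table(policies, rotation_days=30):
    """Summarise (name, alphabet, length) policies as comparable numbers."""
    rows = []
    for name, alphabet, length in policies:
        rows.append({
            "policy": name,
            "bits": round(entropy_bits(alphabet, length), 1),
            "days_to_exhaust": days_to_exhaust(alphabet, length),
            "p_cracked_in_window": p_cracked_before_rotation(
                alphabet, length, rotation_days),
        })
    return rows


if __name__ == "__main__":
    # Assumed sample policies: the classic "8 chars with punctuation" versus
    # progressively longer passwords drawn from a plain lowercase alphabet.
    sample = [
        ("8 chars, full punctuation", CHARSETS["mixed+digits+punct"], 8),
        ("12 lowercase letters", CHARSETS["lowercase"], 12),
        ("20 lowercase letters", CHARSETS["lowercase"], 20),
    ]
    for row in policy_table(sample):
        print(f"{row['policy']:<28} {row['bits']:>6} bits  "
              f"{row['days_to_exhaust']:>12.3g} days to exhaust  "
              f"P(cracked within 30 days) = {row['p_cracked_in_window']:.2g}")
    print("lowercase length matching 80 bits:", length_for_bits(26, 80))
    print("punctuation length matching 80 bits:", length_for_bits(95, 80))
```

Two things fall out of the numbers. Twelve plain lowercase letters already carry more entropy than eight characters drawn from the full printable set, so the "must contain punctuation" rule buys less than four extra lowercase letters would. And at the assumed rate an eight-character punctuation password is exhausted well inside a thirty-day rotation window, so monthly rotation does not protect it against the leaked-database attack, while a twenty-character lowercase password is out of reach for any rotation interval anyone would impose. Note that the uniform-character assumption overstates the entropy of a passphrase built from dictionary words; for those, count entropy per word over the dictionary size rather than per character.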