[cryptography] Password non-similarity?

Kevin W. Wall kevin.w.wall at gmail.com
Sat Dec 31 22:29:07 EST 2011


On Sat, Dec 31, 2011 at 9:56 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Sat, Dec 31, 2011 at 9:05 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>> On Tue, Dec 27, 2011 at 6:12 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:
>> [snip]
>>> Here's a heretical thought: require people to change their passwords --
>>> and publish the old ones.  That might even be a good idea...
>>
>> I'm not sure if you were just being facetious here or if you were serious, but
>> you know, I think you might just be onto something here...especially
>> if we could do this and allow some degree of anonymity. Maybe if we
>> could post the passwords, run them through a password cracker for
>> T minutes to see if they could be cracked that way or allow people
>> to comment on them.
> "Google as a password cracker",
> http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/.
> No need to waste local cycles (someone else previously posted a
> similar link).

True that.

>> It would give people an opportunity to teach
>> how to create secure passwords and to critique weak ones by
>> showing why they are weak.
> I think this would be a bad idea. I imagine it would promote stemming
> related attacks. If not completely anonymous and coupled with some
> reconnaissance (IP => Company, find some users at company.com), it
> could prove to be a very dangerous practice.

Well, I wasn't referring to making the results "public", but rather treating
them as proprietary, within the confines of a company. Should have made
that clear.

Of course, I'm pretty sure that you'd never be able to get this past the
corporate lawyers even if you did treat it as proprietary information and
made it completely voluntary on the part of the users. So probably the
best we could do is to run it as a science experiment as a collaboration
between some CS and psych department at some university.
(Professor Bellovin: Hint, hint! ;-)

I think it would at least make for some interesting reading...in particular,
would users adjust their practice as they got feedback from prior
passwords.

> Besides, there's plenty of password lists floating around.
> http://www.google.com/#q=password+list.

That wasn't my point. My goal would be to see the effect of
feedback provided to users to see if it would change their
behavior of how they create passwords. For example, at
every change I get, I suggest to my friends, colleagues,
and students whom I have taught that they can create
a strong password by simply thinking of some sufficiently
long, memorable phrase and using the first character of
each word and toss in some numbers and punctuation to
satisfy the password character constraints. So for example,
I might think of the lead-in phrase from Lincoln's Gettysburg
Address "Four score and seven years ago, our fathers brought forth..."
and then translate that to something like "Fs&7ya,ofbf...".
(Of course, now that I mention this, someone will put "Fs&7ya,ofbf..."
into a cracker dictionary--if it is not already there [I've written about this
before way back in 1999]--so you would be best to
avoid that particular phrase. ;-)

Indeed, Ross Anderson did some study of this in one of his
classes (sorry, I don't have the citation, but Ross, if you're
listening, feel free to pipe in) and discovered that passwords
created this way were almost as strong as completely
random passwords but were much more memorable.

Anyhow, that's only one technique. It's the one I use,
but there are others. See my write-up from 1999 here:
https://sites.google.com/site/kevinwwall/Home/presentations/good-passwords

It's a bit outdated, but IMO, the best thing about it is that
it provides both good and bad examples of each technique
and tells why the bad examples are bad.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
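As an added example (my own code, not Kevin's and not from the linked 1999 write-up), here is the phrase-to-password technique described in the message, together with two checks a user-education tool would want: that the result satisfies typical character constraints, and that it is not already a known entry in a cracker dictionary, which is the caveat raised about famous phrases. The substitution map beyond "and" -> "&" and "seven" -> "7", the rule that a capitalised word keeps its initial letter, and the tiny stand-in cracker list are all assumptions of this example.

```python
import re
import string

# Constructed substitution map. The message shows only "and" -> "&" and
# "seven" -> "7"; the remaining entries are my own extension (assumption).
WORD_SUBS = {
    "and": "&", "at": "@",
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

# A token is a run of word characters followed by any punctuation attached
# to it; the punctuation is carried into the password unchanged.
_TOKEN = re.compile(r"([A-Za-z0-9']+)([^A-Za-z0-9'\s]*)")


def phrase_to_password(phrase: str) -> str:
    """First-character acrostic of a phrase, keeping attached punctuation.

    Assumption (mine): a lowercase word listed in WORD_SUBS is replaced by
    its symbol or digit, while a capitalised word always keeps its capital
    initial. That is what makes "Four" stay "F" while "seven" becomes "7".
    """
    out = []
    for word, punct in _TOKEN.findall(phrase):
        core = word.strip("'") or word      # ignore leading/trailing apostrophes
        key = core.lower()
        if word.islower() and key in WORD_SUBS:
            out.append(WORD_SUBS[key])
        else:
            out.append(core[0])
        out.append(punct)
    return "".join(out)


def meets_constraints(password: str, min_len: int = 8) -> bool:
    """Typical site rule: minimum length plus a digit and a punctuation mark."""
    return (len(password) >= min_len
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


# Constructed stand-in for a cracker dictionary; a real one is a large file
# of leaked and generated candidates, and a famous phrase's acrostic belongs in it.
CONSTRUCTED_CRACKER_LIST = {"password1!", "Fs&7ya,ofbf..."}


def in_cracker_list(password: str, wordlist=CONSTRUCTED_CRACKER_LIST) -> bool:
    """The acrostic of a well-known phrase is only as secret as the phrase."""
    return password in wordlist


if __name__ == "__main__":
    pw = phrase_to_password(
        "Four score and seven years ago, our fathers brought forth...")
    print(pw)                                          # Fs&7ya,ofbf...
    print(meets_constraints(pw), in_cracker_list(pw))  # True True
```

Run as a script it reproduces the message's own example and then flags it as already known, which is exactly the feedback loop the message wants to study: a user sees why a memorable but famous phrase is a poor starting point and picks a private one instead.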


