Slashdot Mirror


Password Memorability and Securability

NonNullSet writes "Who would have thought that something new could be said about how best to select passwords? Ross Anderson of Cambridge University and some of his colleagues have performed new empirical studies and found some pretty non-intuitive results. For example:

1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.
2. The second folk belief is that passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the other. So this belief is debunked.
4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each appeared to be just as easy to remember as the other. So this belief is debunked.
5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."

2 of 436 comments

  1. Re:Freaking PDF files. by DeadInSpace · · Score: 1, Flamebait
    I second the HTML version. Good old Adobe - popped up a nice little window in the background bugging me to update and stalled the IE process. Since the window went to the background, all I could see was the stalled process, and I killed IE, which, of course, closed all my windows. I hate pdf files...
    It seems you hate Acrobat Reader, not PDF files.

    PDF is in fact a very good format, especially if you want your final document (especially if it's intended for paper) to look the same across many different computers.
  2. Re:Freaking PDF files. by the_mad_poster · · Score: 1, Flamebait

    I LOATHE Acrobat Reader, yes, but I also hate pdf files. I'm not even that big a fan of xpdf (not that that's an option at work anyway). I have yet to see anything being distributed via pdf that couldn't have been distributed as plain text or, if it required diagrams and such, HTML. pdf is like taking a nice, clean HTML document and turning it into a gigantic, unmanageable, honking piece of crap. Little point indeed.

    PDF, flash, and java applets are the worst file formats ever inflicted on the web/Internet in the name of substandardization...

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!