Slashdot Mirror


Password Memorability and Securability

NonNullSet writes "Who would have thought that something new could be said about how best to select passwords? Ross Anderson of Cambridge University and some of his colleagues have performed new empirical studies and found some pretty non-intuitive results. For example:

1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.

2. The second folk belief is that passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.

3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the other. So this belief is debunked.

4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each appeared to be just as easy to remember as the other. So this belief is debunked.

5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."

9 of 436 comments

  1. Longest... summary... ever... by Da Fokka · · Score: 4, Funny

    Not RTFA has never been so easy! How am I supposed to have an uninformed opinion like this?!

  2. Now keep them away from chocolate by enkafan · · Score: 5, Funny

    Yeah, passwords and standards are fine as long as you keep snickers out of the office

  3. Re:I just use my phone number..... by Dr. GeneMachine · · Score: 5, Funny

    Hah! Now I also know how to reach you on the phone...

    --
    This comment does not exist.

  4. Use these... by mcgroarty · · Score: 5, Funny

    These are the best passwords ever:

    jieph9Ee eik4zahW que8aiQu wahK6pee nie1eCho aNg2raew
    exeif0Ta ooqu9Aye Eid7iici eiZ6boin Waeg5kah Mi9vegoh
    eelae9Oo Ua7yojie Jiquaud5 Vohw7iwi Eit7laax Aesae2ax

    They are relatively random, easy to remember (you can kind of pronounce all of them), and best of all, nobody has guessed a single one of them yet. I've been using these for years, and you should too!

  5. I sense a good social engineering technique here by Spatula Sam · · Score: 5, Funny

    "Hello, I'm doing a study for the Cambridge University Computer Laboratory on passwords..."

  6. Mnemonics questionable by Anixamander · · Score: 5, Funny

    My mnemonic, which should have been hard for people to guess, was "Please ask sister Sally where's our rottweiler dog"

    And the thing is, we didn't even have a rottweiler, it was a shepherd. But people still guessed it, so I don't use mnemonics anymore.

    --
    Do not taunt Happy Fun Ball(TM)

  7. Re:The best security by the_mad_poster · · Score: 4, Funny

    So, basically, you're saying that Slashdot is impenetrable?

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!

  8. 6. The sixth folk belief... by cedmond · · Score: 5, Funny

    Using the term "folk belief" more than once in a paragraph can become very annoying. This belief is confirmed.

    --
    ----------------------------------
    I'd rather not take sides until I hear the monkey's version - PHB

  9. Divorces and Passwords don't mix by MajorDick · · Score: 5, Funny

    Well, when going through a really rough divorce (I had an easy one too) I was in serious fear, and justifiably so, of my Ex hacking accounts using some of my known passwords. I, like many others, have a cycle of about 10 that are used interchangeably. All these were, with the exception of 1, personal passwords. I found she was accessing my work mail and personal mail almost immediately, Soooo I decided to have some fun with it, passing all kinds of bogus information into forged emails to myself. Then came court. She was ACTUALLY stupid enough to bring up several points in court; my attorney was aware and asked where she found this information out: "Around, friends, etc." Bwwwahhaaaa, talk about someone looking stupid. She bought it hook, line and sinker.

    Sometimes easy to crack passwords are a GOOD thing :)

    On another note, after I took her to the cleaners in court I decided to tie one on. Well.... NEVER.... and I mean NEVER.... change your passwords while really drunk. It took me 2 days to reconfigure redit and reset all my passwords I changed on that drunken celebration. I still have NO idea what some of them were or how I came to decide on their usage.