Slashdot Mirror
Password Memorability and Securability
NonNullSet writes "Who would have thought that that something new could be said about how best to select passwords? Ross Andreson of Cambridge University and some of his colleages have performed new empirical studies and found some pretty non-intuitive results. For example:
1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.
2. The second folk belief is that passwords based on mnemonic prases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the
other. So this belief is debunked.
4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each ap-
peared to be just as easy to remember as the other. So this belief is debunked.
5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a
non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times
harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."
Freaking PDF files. Link to a version translated into HTML. By the time this goes live, maybe the FTP will be slashdotted, too. Thanks, Google.
I suppose I should make a comment. Okay, here it is: looks like users are still the weakest link in security. Whoever said that social engineering was the ultimate hack is a genius.
Google's HTML Cache Version
Hmmm.
There is also a unix utility called APG (Automated Password Generator) which will create pronounceable gibbrish passwords to your specifications. I usually use that, find one I like, then replace a few letters with l33t-speak numbers (to think, it has a use...).
I occasionally like memnonic passwords, but another good alternative is a randomly-generated but pronounceable password. It turns out that we're much better at remembering passwords that we can pronounce. (Where "Voolakun5" is pronounceable and "zqx17yvy" is not).
FIPS-181 describes a NIST-endorsed system for producing pronounceable passwords. There is a GPLed FIPS-181 implementation here.
Sample run:
$ apg
dyijenuloa
bifliecar
yishjied&
IfHydrovia
yutsOlg/
DipUkcat
APG is a lot more sophisticated than this, and allows you to do a lot of tweaking of the types of passwords it outputs, print pronunciation guides. It's a good tool, IMHO, for security-conscious types to have around.
For Fedora Core 2 users, Red Hat does not package apg in the base distribution, but it is available from freshrpms.
May we never see th
An 8 character password using unique upper case, lower case, digits and punctuation has about 94 different characters. If we picked a random 8 character password from this we would have:
94_P_8 = 94! / (94 - 8)! = 94! / 86! = 94 * 93 * 92 * 91 * 90 * 89 * 88 * 87 = 4.4x10^15 permutations
A 10 character password using only unique 26 lower case characters has:
26_P_10 = 26! / (26-10)! = 26! / 16! = 1.9x10^13 permutations.
So, the 8 character password using all characters is about 200 times more difficult to brute force than the 10 character password only using lower case characters.
Peter
Downsize DC Today!