Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!bellcore!texbell!sneaky!gordon
From: gordon@sneaky.TANDY.COM (Gordon Burditt)
Newsgroups: comp.unix.wizards
Subject: Re: Password security
Message-ID: <4655@sneaky.TANDY.COM>
Date: 27 Nov 88 09:07:16 GMT
References: <4449@sneaky.TANDY.COM> <32582@bbn.COM>
Reply-To: gordon@sneaky.UUCP (Gordon Burditt)
Distribution: na
Organization: Gordon Burditt
Lines: 59

In article <32582@bbn.COM> mesard@bbn.com (Wayne Mesard) writes:
>From article <4449@sneaky.TANDY.COM>, by gordon@sneaky.TANDY.COM (Gordon Burditt):
>> can easily remember. So, I propose the following change to the password
>> algorithm.
>[...]
>> - Change the length of the password to 28 characters minimum, 512 characters
>> maximum.
>
>Whether or not your proposal makes technical sense, you have forgotten
>an important element of this equation: human nature. Yes, the very same
>thing that you're trying to circumvent by coercing people into using an
>absurdly cumbersome mechanism. What would happen if this procedure were

You do have a point that user education and ease of use is an important
consideration. I think the annoying feature of a longer password is
outweighed by the ability to use English words without restricting the
choices so much that a dictionary attack is feasible. No, I don't expect
anyone to use 512-character passwords, especially since every possible
password in the scheme I described can map into a 28-character string
containing only the digits 0, 1, 2, and 3.

>enacted? I'll tell you:
> o More people would stay logged in overnight and when they go to lunch,
> because it's become such a pain to log in again.

Which is easier to type, "x5Ybn$1'" or "bicycle pumps fly north in June"?
For people who are used to typing words, the second can be easier even if
it's longer.

I remember one 8-character password I had that seemed to be pretty secure
against penetration even when it was dictated over the phone, slowly, to
another person trying to use it. He still couldn't get it after 6
dictations and 12 tries. I had no trouble remembering it because it meant
something to me.

There are some people who think it's a real pain to log in again. The ones
I know seem to prefer typing something like "interviewing at the Kremlin"
("interviewing" is a terminal lock program with about 50 other links to
it, including "sleeping", "hiding", and "gone") and then their password
when they come back. Typing "interviewing at the Kremlin" is obviously
much easier than typing control-D and a 2-character login name.

> o More people would write their passwords on slips of paper taped to
> their desk because it's become such a pain to remember.

I disagree that 28-character passwords consisting of English words are
harder to remember than 8-character random garbage. And because of the
greater number of combinations, they can be more secure. Guessing 4
randomly chosen words out of /usr/dict/words is about 8 times harder than
guessing all possible 8-character passwords.

> o More people would choose easy passwords (e.g. 28 "a"s, or the
> alphabet plus their initials) to try to make memorization easier.

No, I think they would choose words and phrases. Even if the 28-character
password is taken to be "9 consecutive 4-letter cusswords", or "7
consecutive 4-letter cusswords and the sysadmin's name" there are still
lots of combinations.

					Gordon L. Burditt
					...!texbell!sneaky!gordon
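The post's comparison (4 words drawn from a dictionary versus 8 characters drawn from a character set, and the 28-digit base-4 encoding of the proposed scheme) is a search-space calculation that can be checked directly. The script below is an added example, not code from the thread or from either poster; it computes the bits of entropy for each scheme as a function of dictionary size and alphabet size, and generates a random-word passphrase with a CSPRNG. The dictionary size of 24,000 and the 95-character printable-ASCII alphabet are assumptions for illustration, not figures from the post, and the short word list is constructed here in place of a real /usr/dict/words.

```python
import math
import secrets

# Constructed stand-in for /usr/dict/words; a real system dictionary holds tens of
# thousands of entries, and only the list's SIZE matters for the entropy figures.
SAMPLE_WORDS = [
    "bicycle", "pumps", "fly", "north", "june", "kremlin",
    "hiding", "sleeping", "gone", "interviewing", "terminal", "lock",
]


def search_space_bits(symbols: int, length: int) -> float:
    """Entropy in bits of `length` positions, each chosen uniformly and
    independently from `symbols` equally likely values."""
    if symbols < 2 or length < 1:
        raise ValueError("need at least two symbols and one position")
    return length * math.log2(symbols)


def passphrase_bits(dict_size: int, n_words: int) -> float:
    """Bits for n_words words drawn (with replacement) from a dictionary."""
    return search_space_bits(dict_size, n_words)


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Bits for a random password of `length` characters over an alphabet."""
    return search_space_bits(alphabet_size, length)


def brute_force_ratio(dict_size: int, n_words: int,
                      alphabet_size: int, length: int) -> float:
    """How many times larger the passphrase space is than the password space."""
    return 2 ** (passphrase_bits(dict_size, n_words)
                 - random_password_bits(alphabet_size, length))


def generate_passphrase(words: list[str], n_words: int, sep: str = " ") -> str:
    """Draw n_words words uniformly at random using the OS CSPRNG.
    Drawing with replacement keeps the entropy exactly n_words * log2(len(words));
    duplicate entries in the list would skew the distribution, so reject them."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    DICT_SIZE = 24_000      # assumed size of /usr/dict/words
    ALPHABET = 95           # assumed: printable ASCII for a random password
    print(f"4 words from {DICT_SIZE}-word dictionary: "
          f"{passphrase_bits(DICT_SIZE, 4):.1f} bits")
    print(f"8 random chars over {ALPHABET} symbols:     "
          f"{random_password_bits(ALPHABET, 8):.1f} bits")
    print(f"28 digits over 0-3 (the post's encoding):  "
          f"{search_space_bits(4, 28):.1f} bits")
    print(f"passphrase space / password space = "
          f"{brute_force_ratio(DICT_SIZE, 4, ALPHABET, 8):.0f}x")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

The exact ratio depends on the dictionary and alphabet you plug in; the point the numbers make is that entropy comes from the number of equiprobable choices per position times the number of positions, so a few uniformly chosen dictionary words compete with a fully random short password. The 28-digit base-4 encoding in the post caps the scheme at exactly 56 bits, which is worth comparing against the word-count figure for any dictionary size you actually use.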