Xref: utzoo sci.crypt:1419 comp.unix.wizards:13673 news.sysadmin:1995
Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!ucsdhub!sdcsvax!ucsd!ucbvax!husc6!bu-cs!bucasb!merrill
From: merrill@bucasb (John Merrill)
Newsgroups: sci.crypt,comp.unix.wizards,news.sysadmin
Subject: Re: password security
Message-ID: <598904545.9625@bucasb.bu.edu>
Date: 23 Dec 88 18:22:25 GMT
References: <11013@ulysses.homer.nj.att.com> <2308@cuuxb.ATT.COM> <4420@xenna.Encore.COM> <259@gloom.UUCP> <4444@xenna.Encore.COM> <1115@actnyc.UUCP> <4469@xenna.Encore.COM>
Reply-To: merrill@bucasb (John Merrill)
Followup-To: sci.crypt
Organization: Boston University Center for Adaptive Systems
Lines: 39
In-reply-to: bzs@Encore.COM (Barry Shein)

In article <4469@xenna.Encore.COM>, bzs@Encore (Barry Shein) writes:
>
>From: prh@actnyc.UUCP (Paul R. Haas)
>>In article <4444@xenna.Encore.COM> bzs@Encore.COM (Barry Shein) writes:
>>>The average secretary I know is bright enough to understand rules like
>>>"use two short words with some upper-case letters and/or digits thrown
>>>in and separated by a punctuation, like "Hey!Jude" "FidoIS#1". Very
>>>hard to guess, very easy to remember, next...
>
>>Give a thousand secretaries that same set of instructions and you will
>>get far less than a thousand different passwords. Sort them in order
>>of frequency and try them all on whatever system you are trying to
>>crack. You certainly won't be able to break all the accounts, but you
>>will get a few.
>
>Is this based on *anything*? Or just a wild guess, sounds utterly
>baseless to me. You honestly think if I told 1000 people to:
>
> choose two short words separated by a punctuation character
> and mix some upper-lower case into the words
>
>I would frequently get the exact same result from different people?

Yes, Barry, you would.

Why do I know this? Consider the following modification of your
paradigm: choose an English word of at most eight characters, mixing
both upper and lower case in the word. You must be able to recall this
word easily---without writing the word down.

Guess what! There's a short list that covers the vast majority of these
words. This list is dominated by the hundred most common names (in the
local language), followed by a collection of folk names. (For your
test, I'd expect to see things like Frodo!Ba[ggins], at least if the
target audience consisted of CS nerds.)

Is the idea a bad one? No, not at all, if only because it might take a
while to extract the statistics of the process. But in the long run,
the two paradigms are probably equal.
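The post's argument is about the gap between the nominal size of a password scheme and the effective size once human choice concentrates on a short list. The following Python is an added example, not part of the thread and not anyone's code from it; it audits the "two words, mixed case, a separator" policy under a constructed model. The word list is a made-up stand-in for "the hundred most common names plus folk names", and the Zipf-shaped popularity bias and the case-pattern probabilities are my assumptions. It computes the nominal entropy (every choice equally likely), the entropy under the biased model, and then simulates 1000 users to count how many distinct passwords actually appear and what share of accounts the few most common choices account for.

```python
import math
import random
from collections import Counter

# Constructed stand-in for the "short list" the post describes: a few dozen
# common first names plus folk/pop-culture names. Real lists are longer, but
# the shape of the argument is the same.
COMMON_WORDS = [
    "alice", "bob", "carol", "dave", "eve", "frank", "grace", "heidi",
    "ivan", "judy", "mike", "nancy", "oscar", "peggy", "rupert", "sybil",
    "trent", "victor", "walter", "wendy", "frodo", "bilbo", "gandalf",
    "merlin", "robin", "arthur", "sherlock", "watson", "fido", "rover",
    "tiger", "shadow", "ginger", "pepper", "buddy", "lucky", "sunny",
    "rocky", "smokey", "bandit",
]
PUNCT = "!#$%&*+-.:?@"

# Assumption (mine, not the post's): people pick from the list with a
# Zipf-like bias, so the k-th most popular word is chosen about 1/k as
# often as the most popular one.
def zipf_weights(n, s=1.0):
    return [1.0 / k ** s for k in range(1, n + 1)]

# Another constructed assumption: "Alice" is the usual case pattern,
# "alice" and "ALICE" are rarer.
CASE_PROBS = {"capitalize": 0.7, "lower": 0.2, "upper": 0.1}

def entropy_bits(weights):
    """Shannon entropy (bits) of a distribution given as unnormalised weights."""
    total = sum(weights)
    return -sum(w / total * math.log2(w / total) for w in weights if w > 0)

def nominal_entropy_bits(n_words=len(COMMON_WORDS), n_punct=len(PUNCT),
                         n_case=len(CASE_PROBS)):
    """Entropy of the scheme if every word, case pattern and separator were
    equally likely: two (word, case) choices plus one separator."""
    return 2 * math.log2(n_words * n_case) + math.log2(n_punct)

def model_entropy_bits(n_words=len(COMMON_WORDS), n_punct=len(PUNCT), zipf_s=1.0):
    """Entropy under the biased-choice model: two independent words, each with
    its own case pattern, plus a uniformly chosen separator."""
    word_bits = entropy_bits(zipf_weights(n_words, zipf_s))
    case_bits = entropy_bits(list(CASE_PROBS.values()))
    return 2 * (word_bits + case_bits) + math.log2(n_punct)

def apply_case(word, pattern):
    return {"capitalize": word.capitalize(),
            "lower": word.lower(),
            "upper": word.upper()}[pattern]

def make_password(rng, weights):
    """One user's choice under the biased model."""
    words = rng.choices(COMMON_WORDS, weights=weights, k=2)
    patterns = rng.choices(list(CASE_PROBS), weights=list(CASE_PROBS.values()), k=2)
    sep = rng.choice(PUNCT)
    return apply_case(words[0], patterns[0]) + sep + apply_case(words[1], patterns[1])

def simulate(n_users=1000, seed=1988, zipf_s=1.0):
    """Return a Counter mapping each password to the number of users who chose it."""
    rng = random.Random(seed)
    weights = zipf_weights(len(COMMON_WORDS), zipf_s)
    return Counter(make_password(rng, weights) for _ in range(n_users))

def top_k_coverage(counts, k):
    """Fraction of accounts whose password is one of the k most frequent
    choices in the population, i.e. how much of the population a policy
    reviewer would find sharing a handful of passwords."""
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(k)) / total

if __name__ == "__main__":
    counts = simulate()
    n = sum(counts.values())
    print(f"nominal entropy: {nominal_entropy_bits():.1f} bits")
    print(f"model entropy:   {model_entropy_bits():.1f} bits")
    print(f"{n} users chose {len(counts)} distinct passwords")
    print(f"top 10 choices cover {top_k_coverage(counts, 10):.1%} of accounts")
    print("most common:", counts.most_common(5))
```

With a 40-word list the nominal space is about 17.4 bits, but the biased model drops it by a couple of bits, and the simulated population of 1000 never produces 1000 distinct passwords; the point of the exercise is that a policy's strength is set by the distribution of what people actually choose, not by the size of the space the rule nominally allows.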