Security

The Science of Password Selection

troyhunt writes "We all know by now that most people do a pretty poor job of choosing passwords, but what's behind the selection process? What's the inspiration for choosing those short, simple passwords that so often adhere to such predictable patterns? It turns out there's a handful of classic routes that people follow to consistently arrive at the same poor choices – and some of them are pretty shocking."
  • by mjwx ( 966435 ) on Tuesday July 19, 2011 @01:04AM (#36808070)
    Please consider that not every character in a password needs to contribute a high level of entropy

    Exactly, so repeating patterns are OK as far as brute force is concerned.

    The way I tell my users to create a password is to think of a four or five letter word, let's use "bill", and a number, say "4". Now the simple way to get a 10 character complex password is to use the word with the first letter capitalised, followed by the number, then the special character associated with that number, followed by the word (again, capitalised), for example:

    Bill4$Bill

    All the user has to remember is Bill4. Simple to remember, not based on a dictionary word (because as soon as a cracker has gone through the dictionary and common names they'll go through the dictionary and common names + $number) as long as it's repeated at least once, and it can be repeated as many times as you like and it's still only five characters to remember.

    Although, with password lengths I think you start to get diminishing returns after a while: the more characters you have, the more likely you'll have a typo and the more frustrating it becomes for the user, and then the user will just switch to a simpler password. Remember that most users don't have a password on their home machines simply because they can't be arsed.

    Passwords should also be cycled if they are important. Length, complexity and password cycling are all useful and work together in creating robust security, but they do so at the expense of user friendliness. If a security system is too unfriendly to its users they simply won't use it, so we make trade-offs to ensure that the system is used correctly.

    So realistically, length, complexity, password cycling and user friendliness need to work together in creating robust security and work well in the right mix. However, getting 3 IT security people to agree on what that mix is, is like negotiating peace in the Middle East.

    And now we have reached the end of another long and exciting post about passwords.
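The construction described in the comment above is a pattern, and a pattern is exactly what a rule-based cracker enumerates once it has finished the plain dictionary pass. The following is an added example (not code from the commenter or from the linked article) that builds passwords under that scheme, then counts the candidates an attacker who models the scheme has to try versus the naive per-character brute-force figure. The wordlist is constructed for the example, the digit-to-symbol table assumes a US keyboard, and the function names (`build`, `candidates`, `crack`, `bits_naive`, `bits_rule`) are this example's own.

```python
import math
from itertools import product

# Constructed sample wordlist for the example; a real attacker would use a
# dictionary of tens of thousands of words and common names.
SAMPLE_WORDS = ["bill", "jane", "pass", "word", "love", "june"]

# Shift symbol paired with each digit on a US keyboard (the "special
# character associated with that number" in the scheme). Assumption.
DIGIT_SYMBOL = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
                "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}

PRINTABLE_ALPHABET = 95  # printable ASCII, used for the naive brute-force figure


def build(word, digit):
    """Password in the scheme from the comment: capitalised word, digit,
    the digit's shift symbol, then the capitalised word again."""
    w = word.capitalize()
    return w + digit + DIGIT_SYMBOL[digit] + w


def candidates(words):
    """Every password the scheme can produce from a wordlist. This is the
    whole search space a rule-aware attacker has to cover: |words| * 10."""
    for word, digit in product(words, DIGIT_SYMBOL):
        yield build(word, digit)


def crack(target, words):
    """Rule-based attack: walk the candidate space and count guesses until
    the target is hit. Returns (guesses, word, digit), or None if the target
    is not producible from this wordlist under the scheme."""
    for guesses, (word, digit) in enumerate(product(words, DIGIT_SYMBOL), 1):
        if build(word, digit) == target:
            return guesses, word, digit
    return None


def bits_naive(password):
    """Bits an attacker must cover if every printable character were chosen
    independently: what the password's length appears to buy."""
    return len(password) * math.log2(PRINTABLE_ALPHABET)


def bits_rule(words):
    """Bits actually covered once the attacker models the scheme: the
    choice of one dictionary word and one digit, nothing more."""
    return math.log2(len(words) * len(DIGIT_SYMBOL))


if __name__ == "__main__":
    pw = build("bill", "4")
    print(pw, "naive bits:", round(bits_naive(pw), 1))
    print("rule bits, sample list:", round(bits_rule(SAMPLE_WORDS), 1))
    print("rule bits, 100k-word list:", round(bits_rule(range(100_000)), 1))
    print("cracked:", crack(pw, SAMPLE_WORDS))
```

The repeated word adds length (ten characters, about 66 bits if guessed character by character) but no choice: the attacker who knows the rule only has to enumerate word and digit, which is under 6 bits with the toy list and about 20 bits even with a 100,000-word dictionary. That is the practical meaning of the comment's own observation that crackers move on to "dictionary + number" rules once the plain dictionary is exhausted.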
