Password security - Another idea

Jonathan I. Kamens jik at athena.mit.edu
Wed Jan 11 01:12:38 AEST 1989


In article <9326 at smoke.BRL.MIL> gwyn at brl.arpa (Doug Gwyn (VLD/VMB) <gwyn>) writes:
>No matter how much you tell users not to do this, so long as the
>password is one they cannot easily remember sooner or later some
>of them are going to compromise it this way.  Your personal use of
>paper in your wallet is not the worst security problem in such an
>environment.

I think we're sort of agreeing with each other :-).  We both agree
that the use of passwords that are hard to remember causes a decrease
in security.  I feel this way (and I think you will agree with my
reasoning) for the following reasons:

1. A harder-to-remember password is typed more slowly by the user.
   When a password is typed more slowly, it is easier to read what the
   user is typing off of his fingers as he types it.

2. A harder-to-remember password is written down by the user.  Forcing
   the user to write down his/her password is a problem because no
   matter where he writes it down and how securely he treats that
   piece of paper (or whatever), it is still more likely that someone
   will see it and get his password.  Furthermore, users are known not
   to be careful (as you pointed out), so it is more likely that the
   password will be written down in an insecure location (taped to the
   terminal, pull-out desk, etc.) than that it will be written in a
   secure location.

There is a third reason why hard-to-remember passwords are a problem:

3. Users will forget hard-to-remember passwords more often and/or lose
   the paper on which the password is written, so system
   administrators will have to put up with people coming to them and
   asking, "Can you change my password to something simple because I
   forgot what it is?" much more often.

So, are we arguing the same side, or what?

  Jonathan Kamens
  MIT Project Athena



More information about the Comp.unix.wizards mailing list