A better way to think about passwords

Jean-David Beyer jeandavid8 at verizon.net
Thu Apr 21 15:20:51 CEST 2011


Robert J. Hansen wrote:
>> In short: don't force a particular strategy on your users.  Much 
>> better to explain to users the general problem, and then leave it
>> up to them to pick a password.
> 
> Historically speaking, this has shown not to work.  I'll try to dig
> up the HCI references if people really want, but the gist of it is
> people don't want to have to learn and understand: they just want to
> get their work done.  The instant you make compliance voluntary and
> education-based, the vast majority of users say "meh" and choose
> "password" as their login credential.

Way back when (1970s, I guess) we had a computer where I worked that was
networked to another one many miles away that acted as a server. We used
punched cards in those days. Passwords were up to 6 6-bit characters. To
run a job, you put a job card ahead of the stuff you wanted to run. We
had a whole box of those gang-punched and you took one and used it for
your job. The password was PASSWD. Some security. 8-(

Later I had to use multiple machines, and some I could log into with a
Teletype or similar communication device. Each had a different rule for
acceptable passwords. So there was no way I could use the same password
on all the machines. Now I know that it is not a good idea to do that in
any case, but we were not supposed to write down our passwords. And some
required changing the password every month, so there was no way to
remember them all in any case. Even if I could remember them, I could
not even remember what login to use on each machine, and which password
went with which login, so I did write them down and to hell with the
management rules.
> 
> The belief that security problems can be solved by educating users is
> a common one: it is also a deluded one.  It handwaves the very
> serious problem of most users not wanting to be educated and being
> actively hostile to it.  "Why do I have to learn all this
> propellerheaded geek stuff?  I just want to get my work done!"
> 
I do not think it is entirely not wanting to be educated. But if the
education takes several hours a week to keep up with, and to administer
my own responsibilities in the process (generating new passwords, and
different ones on a frequent basis; finding some way to remember them
other than writing them on a post-it note on a monitor; keeping up with
password rules: must have letters in both cases, special characters,
digits, at least some length, not to exceed some other length, not a
simple permutation of the last few used on this system, etc. But some
require only some of these, some allow only letters and digits, and so
on. Who can keep up?), then management would have to budget the time so
I could do it, and they will not. There has to be a better way, and I do
not know what it is.


-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 09:10:01 up 5 days, 12:28, 3 users, load average: 5.32, 4.95, 4.88
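The complaint above, that rule sets on different machines contradict each other so no single password can satisfy all of them, can be made concrete by modelling each system's policy as data and checking a candidate against every one. The following is an added example and is not code from the original post or from GnuPG; the three policies (`mainframe`, `unix_host`, `vendor_app`) and the candidate password are constructed for illustration and describe no real system.

```python
"""Per-system password policies modelled as data, with a conjunction check.

Added example, not from the original post or from GnuPG. The policies
below are constructed for illustration and describe no real system.
"""
import string
from dataclasses import dataclass

LETTERS_DIGITS = frozenset(string.ascii_letters + string.digits)
SPECIALS = frozenset(string.punctuation)


@dataclass(frozen=True)
class Policy:
    name: str
    min_len: int = 1
    max_len: int = 64
    allowed: frozenset = LETTERS_DIGITS | SPECIALS
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False
    history_depth: int = 0  # reject permutations of the last N passwords


def violations(pw: str, policy: Policy, history: tuple = ()) -> list:
    """Return the reasons `policy` would reject `pw` (empty list = accepted)."""
    problems = []
    if len(pw) < policy.min_len:
        problems.append(f"shorter than {policy.min_len}")
    if len(pw) > policy.max_len:
        problems.append(f"longer than {policy.max_len}")
    disallowed = sorted(set(pw) - policy.allowed)
    if disallowed:
        problems.append("disallowed characters: " + "".join(disallowed))
    if policy.require_upper and not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if policy.require_lower and not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if policy.require_digit and not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if policy.require_special and not (set(pw) & SPECIALS):
        problems.append("no special character")
    if policy.history_depth:
        # "Simple permutation" taken literally: same multiset of characters
        # as one of the last `history_depth` passwords on this system.
        recent = history[-policy.history_depth:]
        if any(sorted(old) == sorted(pw) for old in recent):
            problems.append("permutation of a recent password")
    return problems


def check_everywhere(pw: str, policies, histories=None) -> dict:
    """Map each policy name to its list of violations for one candidate."""
    histories = histories or {}
    return {p.name: violations(pw, p, histories.get(p.name, ())) for p in policies}


def structural_conflicts(policies) -> list:
    """Pairs of policies that no single password can satisfy at the same time."""
    found = []
    for a in policies:
        for b in policies:
            if a is b:
                continue
            if a.require_special and not (b.allowed & SPECIALS):
                found.append(f"{a.name} requires a special character that {b.name} forbids")
            if a.min_len > b.max_len:
                found.append(f"{a.name} needs at least {a.min_len} characters "
                             f"but {b.name} allows at most {b.max_len}")
    return found


# Constructed policies (hypothetical; not real systems).
MAINFRAME = Policy("mainframe", min_len=6, max_len=8, allowed=LETTERS_DIGITS)
UNIX_HOST = Policy("unix_host", min_len=8, require_upper=True, require_lower=True,
                   require_digit=True, require_special=True, history_depth=3)
VENDOR_APP = Policy("vendor_app", min_len=8, max_len=12, allowed=LETTERS_DIGITS,
                    require_digit=True)
POLICIES = (MAINFRAME, UNIX_HOST, VENDOR_APP)

if __name__ == "__main__":
    # A candidate that satisfies the strict policy still fails the other two.
    for name, probs in check_everywhere("Tr0ub4dor&3", POLICIES).items():
        print(f"{name:11} {'OK' if not probs else '; '.join(probs)}")
    for line in structural_conflicts(POLICIES):
        print("conflict:", line)
```

`structural_conflicts` reports the contradiction before any candidate is tried: a policy that demands a special character cannot be met by the same string as one whose character set excludes them, and a minimum length above another system's maximum is equally unsatisfiable. When that list is non-empty, one password per system (and therefore some form of storage) is forced by the policies themselves, not by user laziness.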



More information about the Gnupg-users mailing list