Adam Shostack (adam@homeport.org)
Tue, 5 Jan 1999 09:42:50 -0500
On Mon, Jan 04, 1999 at 11:19:36AM -0800, Evan Brewer wrote:
| On Mon, Jan 04, 1999 at 11:28:33AM -0500, Adam Shostack wrote:
| > There is a substantial body of research over the last 20 (or
| > more) years, showing consistently that most people will, given the
| > chance, select their password from a very small, and easily searched
| > space. There is no reason to believe that changing the word
| > 'password' to 'passphrase' will suddenly shift people's behavior.
|
| I find this last statement to be incorrect. Most intelligent people
| would believe a password to be a single word, whereas a pass`phrase`
| would be more of a sentance, or multiple words strung together. I
| could be dead wrong, but that is how I see it.
I'll urge you to do live research on the subject. Setting up
an experiment should not be difficult, and if you can show a change,
you'll have a very interesting paper to publish.
Getting people to select solid passwords or keys has been
incredibly difficult over time. People strongly resist both training,
and enforcement systems, finding ways to select the simplest possible
passwords. If changing a prompt from password to passphrase changes
people's behavior substantially, that will be a very important result.
Adam
-- "It is seldom that liberty of any kind is lost all at once." -Hume
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:01