Are Often-Changed Long Passwords Really Secure?
Zweistein_42 asks: "I work at a large, navy-coloured IT corporation. A new, more secure password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*, with standard checks for non-repetitiveness, dictionary, uniqueness, etc. Is there any research to support whether such requirements actually increase security?"
"I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times. I usually take the trouble to memorize random alphanumeric, un-guessable combinations; but even I won't bother memorizing an average of 2 random strings a week. Eventually, won't most people use their pets' names (fuzzy1cat, fuzzy2cat, etc) and start writing passwords on a note on their screen?
Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"
Increased Usage of Sticky Notes (Score:4, Insightful)
2 cents,
Queen B
Re:passwords.... (Score:5, Interesting)
So the compartments, from most to least secure:
-root on a machine (different for every account)
-user accounts (for the Windows and *NIX machines I log onto)
-email systems
-financial sites
-shopping sites (i.e. that store credit cards)
-forums, etc... (sites for which I assume the joe schmoe admin can see my password in cleartext)
I generally rotate in a new password every year or two. So even if you r00t me, you still can't get into my bank account...for that you need to r00t my bank
Re:passwords.... (Score:3, Interesting)
Common sense, I would have thought.
Re:This is the reason (Score:5, Informative)
it's trivial to defeat - see here [ep.liu.se]
Re:This is the reason (Score:2, Informative)
Read the packaging, there's a disclaimer: Do not use to protect anything you really care about.
Also, you should always remember that any use of biometrics without additional factors is for convenience-- never about security.
Well, that's nice and all... (Score:3, Funny)
Do you get the thumb back, at least?
Re:This is the reason (Score:3, Funny)
NEW! Now it comes with extra sneak-peek functions to record female employees', erm, significantly identifiable parts!
It's a joke, laugh.
Re:This is the reason (Score:2, Funny)
Only useful in the US
Re:This is the reason (Score:5, Insightful)
This whole password thing has got to the point where it's ridiculous. It was OK when you were on a minicomputer with a few hundred users, but it is so inadequate and there is so much at stake, it's absurd that we're still using this dark ages technology.
Two factor security with strong cryptographic keys on devices that don't have to give up their secrets to any host -- that's the way to go.
Re:This is the reason (Score:5, Interesting)
Not perfect, but it's better than post-it notes, and it does implement its own version of the "something you have and something you know" philosophy.
Re:This is the reason (Score:5, Insightful)
A hacker can't remotely access my shirtpocket.
A pickpocket would have access to trouser pockets and coat pockets, but would be noticed lunging for your chest.
If someone does get access to your shirt pocket you have bigger problems than someone getting your password.
Re:This is the reason (Score:5, Interesting)
Sniff and replay were then, and in many places still are today, a prominent security threat -- and that threat grew exponentially with the evolution of local nets, and then exploded in scale and volume with the Internet.
The SecurID, or any One-time Password (OTP) used to provide "strong authentication," does indeed obviate the need for all the Draconian rules now used to buttress the static reusable password or passphrase. In '87, however, as the SecurID was first brought to market, we never thought the static password would survive, no matter how complex it became, because it had none of the inherent resistance to eavesdroppers provided by a dynamic password.
We never dreamed that -- to save, per user, the price of a keyboard -- the corporate bean counters would stay committed to static reusable passwords for another 20 years, using these increasingly painful routines to make those passwords more resistant to guessing, dictionary, and now pre-computed hash attacks. Nor did we expect that the market would consistently undervalue one of the token's core virtues: its resistance to sniff and replay.
We thought it was obvious that a password, however strong, could never be enough.
Re:This is the reason (Score:5, Informative)
WRT F/OSS, these are hardware devices. What you really need is a free reference design.
You could sorta fake it, but it wouldn't be the same. For example, suppose you kept GnuPG keys stored on a USB key fob. Then you encrypt the keyring with a simple password. Voila -- two factor security.
The only problem is that the key fob has to trust the computer it is connected to, because it is going to hand over the secret key to it. If the computer is compromised -- that's it.
What you really need is a device with its own computing power, such as an iButton. You then have software which sends a challenge from the server to the iButton, calculates a hash, then calculates another hash on that hash using standard password techniques. [maxim-ic.com]
The password of course would be very little additional protection, but very little is needed. What you want is to buy a few hours of protection after you lose your device to notify the network administrators and get your account locked out.
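The challenge-response login sketched in the post above (device hashes a server challenge, the user's PIN is hashed over that), played out as both sides' messages and then attacked by the sniff-and-replay the SecurID post describes. This is an added example, not code from the thread or from any vendor; the token secret, PIN and the PBKDF2 choice for the second hash are constructed here, and the device is simulated in software.

```python
"""Challenge-response login (the iButton/SecurID idea) versus static password replay.

Added example; names, the shared secret and the PIN are constructed for
illustration and the token is simulated in software.
"""
import hashlib
import hmac
import secrets

# Constructed enrolment data (hypothetical values).
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
USER_PIN = "1234"                       # weak on purpose, as the post says


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """Simulates the device: HMAC over the server's challenge.
    Only the response leaves the device; the secret never does."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def client_proof(device_response: bytes, pin: str) -> bytes:
    """Second hash 'using standard password techniques': the PIN is stretched
    with PBKDF2, salted by the device response, so a captured proof reveals
    neither the PIN nor the device secret. (PBKDF2 is this example's choice.)"""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_response, 10_000)


class AuthServer:
    """Holds the same secret and PIN the token and user were enrolled with."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin = pin
        self._outstanding = set()          # challenges issued, not yet consumed

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(16)        # fresh, unpredictable nonce
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, proof: bytes) -> bool:
        # A challenge is valid exactly once: an unknown or already-used
        # challenge is how a sniffed-and-replayed login gets rejected.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = client_proof(token_response(self._secret, challenge), self._pin)
        return hmac.compare_digest(expected, proof)


def login(server: AuthServer, secret: bytes, pin: str):
    """One login attempt. Returns what an eavesdropper on the wire sees
    (challenge, proof) plus the server's verdict."""
    challenge = server.new_challenge()
    proof = client_proof(token_response(secret, challenge), pin)
    return challenge, proof, server.verify(challenge, proof)


def run_scenarios() -> dict:
    server = AuthServer(TOKEN_SECRET, USER_PIN)
    challenge, proof, honest_ok = login(server, TOKEN_SECRET, USER_PIN)

    # 1. Sniff-and-replay: resend exactly the captured exchange.
    replay_ok = server.verify(challenge, proof)

    # 2. Reuse the captured proof against a freshly issued challenge.
    fresh = server.new_challenge()
    cross_ok = server.verify(fresh, proof)

    # 3. Lost device, PIN unknown: the finder guesses a wrong PIN.
    _, _, stolen_ok = login(server, TOKEN_SECRET, "0000")

    # 4. Static-password baseline: the same bytes verify every time,
    #    so whatever was sniffed once works forever ("hunter2" is constructed).
    stored = hashlib.sha256(b"hunter2").digest()
    static_replay_ok = hmac.compare_digest(hashlib.sha256(b"hunter2").digest(), stored)

    return {
        "honest_login": honest_ok,
        "replay_same_exchange": replay_ok,
        "replay_proof_new_challenge": cross_ok,
        "stolen_token_wrong_pin": stolen_ok,
        "static_password_replay": static_replay_ok,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:28s} {'accepted' if ok else 'rejected'}")
```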
Re:This is the reason (Score:2)
Sounds a bit like a smartcard [howstuffworks.com].
Poor Man's Securid/Cryptocard (Score:2)
lot more secure, but they have their downsides: high cost, and they become cumbersome if there are multiple instances to carry around. I have a poor man's alternative that accomplishes a lot of their benefits. A Securid/cryptocard that never changes! Seriously, login with three factors:
* Who you are (username)
* something you know (a not terribly secure password)
* something you have (long written "user code")
This way knowing who
Desk (Score:5, Insightful)
But seriously, does a policy like this do anything but encourage people to write down their passwords?
Re:Desk (Score:2)
But seriously, does a policy like this do anything but encourage people to write down their passwords?
Yes. Plain and simple: Yes.
People simply can't/won't remember difficult passwords.
Re:Desk (Score:2)
it's 16-22 characters dependent on how I vary it and gets changed (strictly speaking varied by 1-5 characters) once every 60 days. So far no problem remembering it or typing it. I'd have trouble telling it to someone, but that's not what it's for anyway....
Re:Desk (Score:2)
MyPetsName1
MyPetsName2
MyPetsName3
MyPetsNa
I must admit that I've come to a similar method, I have several base passwords like t/E2.p?aFhBO that I alter in one or two positions when forced to change.
Re:Desk (Score:4, Insightful)
It depends where you write it down. If you write it down in some sort of password safe that's encrypted, and keep that only on your hard disk and PDA, that's a heck of a lot safer than the post-it note, and I'd go so far as to call that secure - provided you make sure to keep the encrypted copies in your possession and keyed with a "good" password (longer than 8 characters, who is the story poster kidding).
Seriously, if you're in IT, don't you already have a bunch of passwords you need to keep track of? Do you really expect to keep those in memory? Why *don't* you have some sort of password vault by now?
Re:Desk (Score:5, Informative)
According to the site it can be used on Windows, as well as an older PocketPC version.
Passwords are Evil (Score:2)
It does have that effect. But there's a logical reason to want passwords to be tougher and non-permanent. They're obviously reacting to recent reports of security breaches due to stolen passwords. Slashdotters will recall a recent story about identity thieves that were able to steal data for thousands of people using a single stolen password.
The problem here is not that the security people are stupid. I
Password Safe (Score:5, Interesting)
Of course, it's kind of a single point of failure in terms of security, if you don't take into account the need to use a boot password and Windows login. Also, if your laptop dies... and you haven't backed up the password file...
Re:Password Safe (Score:3, Informative)
For the Windows folks [sourceforge.net]
For the *nix folks [sourceforge.net]
And the answer is... (Score:5, Informative)
I, like everyone else on the planet, work to make things easier for me and to hell with security. A new password every 90 days means people will design a password that passes the requirements but is easy to remember when you have to change it. For example, my last job required at least an 8 character password with at least two numbers and one case change, and you could not reuse passwords for at least 5 changes. So my first password was Th1s1smE. Anyone want to guess what my next password was after the first 90 days?
Anybody with half a mind (and you KNOW who you are) would run through the likely possibilities quickly enough.
My opinion: It would be better to provide a tool that would allow a user to rate a password which would let them come up with a password that passes a minimum quality requirement, a password that they could remember without writing it down, and then require it to be changed less frequently (like once per year). And, equally important, provide a second, different authentication mechanism to support the password security (a hardware token system would be one example, biometrics would be another, a prearranged "callback" mechanism would be a third, there are many others).
Besides, my experience with gaming a requirement like this is that users tend to mess up their password frequently and end up with their password set back to a known default (assuming the admins provide such a default, which in and of itself is a very bad security decision). And so sometimes a policy like this will actually provide less security, because at any given time there will be a relatively high percentage of user accounts which are set to a known password. Years ago, I personally demonstrated this situation with one of the VPs of the company I worked for by going through the IDs of the senior managers until we found one using the default password.
So, long story short, changing passwords frequently does not automatically mean better security. But we all knew that, right?
Re:And the answer is... (Score:2)
And, equally important, provide a second, different authentication mechanism to support the password security (a hardware token system would be one example, biometrics would be another, a prearranged "callback" mechanism would be a third, there are many others).
I wholeheartedly second this. I've been long enough in the computer business to see lots of good and bad password (or equivalent) schemes. From the standard "lower/upper case, one digit, one special char, at least 6 chars long, non-repeating, checking
Re:And the answer is... (Score:2)
How would those of us with the other half do?
Re:And the answer is... (Score:2)
Then why in the name of the god of goat cheese does every network that pretends to be secure have these silly ridiculous password rules and once you have fulfilled the rules to get a _good password_ they make you change them?
I never make my users change their passwords. In fact, only in Wargames and at some ISPs where people have chosen easy to guess passwords like their username
Re:And the answer is... (Score:2)
Oh, this is an easy one:
Quarter105
Quarter205
Quarter305
Quarter405
Quarter106
etc.
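The Th1s1smE, MyPetsName1 and Quarter105 sequences in the posts above all defeat a history check that only asks "is the new password identical to an old one?". This added example (not from the thread) implements the defender's side: the "non-repetitiveness" check the original question mentions, comparing a candidate against recent history for digit bumps, small edits, reversal and large shared substrings. The thresholds are this example's own choices.

```python
"""Is the new password just a 'bump' of the old one? Added example; thresholds
are this example's choice, not any product's policy."""
import re
from difflib import SequenceMatcher
from typing import Optional, Sequence

DIGIT_RUN = re.compile(r"\d+")


def normalise(pw: str) -> str:
    """Case-fold and collapse each run of digits to one marker, so that
    'Quarter105' and 'Quarter205' (or 'MyPetsName1'/'MyPetsName2') reduce
    to the same skeleton."""
    return DIGIT_RUN.sub("#", pw.casefold())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by straightforward dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def longest_common_substring(a: str, b: str) -> int:
    m = SequenceMatcher(None, a, b, autojunk=False)
    return m.find_longest_match(0, len(a), 0, len(b)).size


def why_trivial(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Reason the new password is a trivial variation of the old one, or None
    if nothing obvious links them."""
    o, n = old.casefold(), new.casefold()
    if o == n:
        return "unchanged (ignoring case)"
    if normalise(old) == normalise(new):
        return "only the digits or letter case changed"
    if edit_distance(o, n) <= max_edits:
        return f"within {max_edits} edits of the previous password"
    if o == n[::-1]:
        return "previous password reversed"
    # Half of the old password (at least 4 chars) surviving verbatim is enough.
    if longest_common_substring(o, n) >= max(4, (len(o) + 1) // 2):
        return "contains most of the previous password"
    return None


def check_against_history(history: Sequence[str], candidate: str,
                          depth: int = 5) -> Optional[str]:
    """Apply why_trivial to each of the last `depth` passwords (the policies
    in the thread remember 5 to 24). Returns the first reason found."""
    for age, old in enumerate(reversed(history[-depth:]), 1):
        reason = why_trivial(old, candidate)
        if reason:
            return f"{reason} (password {age} change(s) ago)"
    return None


if __name__ == "__main__":
    # Constructed history following the 'Quarter' pattern from the thread.
    history = ["Quarter105", "Quarter205", "Quarter305", "Quarter405"]
    for cand in ["Quarter106", "Th1s1smE2", "t/E2.p?aFhBO"]:
        print(f"{cand:14s} -> {check_against_history(history, cand) or 'accepted'}")
```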
Complexity or Quantity (Score:5, Insightful)
I did read a paper (I think from Microsoft, not sure) about how passwords were essentially redundant as you could pre-compute the hashes of all alphanumeric combinations and then run a dictionary attack against a file pretty quickly. They suggested a pass phrase as the way forward. Perhaps something along the lines of "I love
The other solution I often tell people is make your passwords a personal acronym, who would guess "Il/mIp10t" as a password, yet it is easy for me to remember.
Re:Complexity or Quantity (Score:3, Insightful)
Is my house secure? Sure, I have never been burgled.
Should we shut down fort knox and store all the bullion in my spare room? Probably not
If I want to protect my information against my flatmate or a friend from opening it then an 8 character password is probably ok. If I want to protect my bank's central records or the IDs of my intelligence agents in North Korea 20 characters will not cut the mustard either.
Perhaps
Long passwords (Score:5, Interesting)
So? In the company I'm working for, we have a policy that the password has to be at least 10 characters long, alphanumeric mixed case and it will change *every 30 days*. And the new password can't be the same as 10 last ones.
I have solved the problem of memorizing these passwords by using source code as a password. For example: "printf("Hello, World!");" should be complex enough and it is relatively easy to remember.
To your question: No, I don't know if the longer, more complex passwords are actually more secure / cost efficient than shorter ones, because of the side effects caused by difficult to remember passwords. But at least this kind of policy prevents the most trivial dictionary attacks. It's a completely different story how else the security is taken care of (i.e. educating the personnel, so there will not be any post-it notes lying around, and other forms of security, because it's all about layers).
Re:Long passwords (Score:3, Funny)
A Microsoft Windows error message as reported by comp.risks 21.37
Not happy about it either (Score:2)
There was an internal badging initiative about a year ago that was looking at moving away from mag stripes for door access. If we bought the right cards for physical access we could leverage that investment for logical.
Re:Not happy about it either (Score:3, Insightful)
Do you really want to attach value to things like your thumbs, fingers and eyes? I mean the kind of value that makes someone else want them; I like and value mine quite a bit. Also, if your fingerprint happens to get compromised (i.e. somebody manages a working fake), how do you plan on obtaining a new one?
Terrified of biometrics until somebody gives me compelling reasons not to be...
Less secure (Score:5, Insightful)
You also are tempted to write them down, or use consecutive patterns as passwords:
qwer789456123
0ok9ij8uh
Things like that. A simple phrase password, with a one time algorithm (give me the 4th, 5th, 7th and 10th letters) take longer to work out in your head, but eavesdroppers (video, shoulder surfing, finger prints (national treasure) and electronic) have a harder time.
Of course, if you store all your new 8-digit alphanumeric passwords in an Access file which is shared in a public folder, that would make any attempt at l33t passwords a bit redundant.
Re:Less secure (Score:2)
At the IT orientation at my current job, we were told to use consecutive passwords! The genius "security head" explained the rules (long, complex passwords, 60 day life), everyone groaned and he said "Don't worry -- you can do something like..." and described a trivially guessable series of passwords.
Changing passwords (Score:4, Funny)
Also, the root password for my laptop is 'swordfish' (oh Halle... I love your baps, but when the line 'it isn't just a multi-monitor system' comes up, I really have to kill nearby carbon based lifeforms.) but no one has hacked it yet for 3 reasons:
1: It is linux, therefore unhackable, even with r00t password
2: It has no networking capability
3: It no longer actually works, and after the drop I gave it, I suspect even the parked heads might not have stopped platter axle damage...
So have some auditing and heuristic behaviour analysis. Use one time passwords, rigorously check all intrusions based on internal/external. Follow up a failed password attempt with a human call (SOMETIMES computers can be the weak link in security).
Re:Changing passwords (Score:2)
Good thing you don't have one of those new Powerbooks!
A few points (Score:5, Informative)
1.
Changing passwords is of course to reduce impact when a password is stolen/cracked. 90 days sounds a bit long -- is this policy based on evaluating what's *needed* or just based on vague assumptions?
If it is expected that keyloggers, bruteforcing or some other form of password theft is likely, 30 days might be more appropriate.
2.
According to various textbooks on computer security, forming a password from 1st (or some'th) letter in a sentence forms passwords which in general terms are as hard to brute-force as "truly" random passwords:
madly typing at keyboard: 32nfia.-!
I once saw four naked girls dancing in the moonlight: I1s4ngditm!
The latter form *may* be slightly more open to guessing the frequency of letters -- but bruteforcing a password with 12 alpha-numeric characters takes a *lot* of effort.
The main point is that passwords "generated" like that are *much* easier to remember. They may also be more "random" than just typing at the keyboard...
Some punctuation and variations in capitalization should be encouraged/enforced.
3.
If you are authenticating against Active Directory -- just use pass phrases. Harder to bruteforce -- and prevents the ntlm-hash (16 chars, one case) being accepted by some braindead system.
4.
I personally think single sign-on is an important part of a good security strategy because it allows for more frequent changing of passwords -- admins would typically still need 2-3 accounts (normal user, admin role, testing role), but that is more manageable than 10+.
5.
Just because a password is written down does *not* mean it's compromised! If security really is so important that everyone needs 5 or more 8 letter "random" and unique passwords, I would *strongly* recommend that arrangements be made for all passwords to be kept in escrow in a safe.
That way employees won't have an excuse to keep the password somewhere insecure. Everyone should be able to get their password during work-hours easily (for instance the receptionist that either knows everyone, or is instructed to _demand_ id, could have access to the safe).
The downside with any kind of escrow is, of course, that one is forced to trust the few people with access to all passwords completely. This is a tradeoff -- but so are all security decisions.
6.
You mention BIOS boot passwords. Is that truly necessary? A BIOS configuration password sounds more reasonable to me. But either one is of rather limited use, unless you are using some form of fortified PC case.
If you do mean configuration passwords, that is a primary candidate for writing down, and locking in a safe IMHO. Normally all admins would have access to this, so that seems reasonable.
Re:A few points (Score:2)
They're of pretty limited use even then. Almost every major BIOS manufacturer includes a standard back-door password so support guys can get into a locked machine. I know most of them, and I suspect my friend Mr Google would soon tell me any others I needed. Kinda defeats the point, doesn't it?
Kerberos (Score:2, Interesting)
integrate it with pam, and then you'll get a ticket when you log in, that will be used to authenticate you when you access things like ftp or mail server.
Of course this won't help with off-site login, but at the point you use them you have access to the already mentioned password safes or security managers (e.g. Mozilla's PSM or KDE's wallet).
As to the original poi
Re:Kerberos (Score:2)
i.e. there is no "single sign on", there's repeated typing of the same account credentials over and over again to access various distribution nodes, services, accounts, machine resources, etc.
Having to type the same "single sign on" password 4-5 times in any given session to get anything d
Security D'ohLTs (Score:4, Interesting)
"I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.
(...)
My wife, the Doctor, was working over the summer at a local hospital. They are fiercely into security, requiring no fewer than four sets of passwords to navigate their system. And why not? There are confidential patient records on those systems! By golly, they ought to have eight sets of passwords, and really make things secure!"
Read it: http://asktog.com/columns/058SecurityD'ohlts.html [asktog.com]
Its just common sense longer PSWD is safer (Score:3, Interesting)
One way to handle it all is to write a script that can deterministically convert some string that you can remember into a password conforming to a parametrically selected rule [e.g. 12 chars, mixed case and numerics, no specials]. I wrote one of these generators in AWK since I have Unix boxes at work and run a Cygnus shell at home... it even takes account of the date [per GMT] so that I get a fresh PSWD every 3 months but can always reconstruct past passwords in a pinch with an override date. I only have to remember my "open sesame" and nothing is ever written down or stored.
Translation (Score:5, Funny)
Translation: I can't be bothered changing my password and am too dumb to come up with arguments against this policy to give to my boss on my own.
We've been doing that forever (Score:2)
I like to use mathematical fo
Absolutely (Score:3, Interesting)
All I can really do is tell them the truth: If anyone gets on the network with their credentials they will be held responsible for what happens. It's hard enough just getting people to lock their screens when they go to lunch. One user got reamed out pretty badly when someone used her email account to send a scathing note to the CEO. The only reason she didn't get fired is that she was at lunch with several people who could vouch for her whereabouts at the moment the email was sent.
or you comply and store all passwords encrypted... (Score:5, Interesting)
And the master password to this file hasn't ever changed... heh
Changing passwords frequently does not help (Score:4, Insightful)
Never underestimate the power of human ingenuity. We had the same problem at one of my ex-employers - there was a policy to change passwords every month. Initially, you could not 'recycle' a used password until ten entirely new passwords were used. Later on this was increased to 24 unique passwords before you could reuse the original password. People started forgetting passwords (3 failed login attempts and you are locked out) and started to write them down on post-it notes, etc. Some folks came up with an easy to use "formula" to generate unique passwords - crack the "formula" and you can easily find out the password.
The whole exercise of frequently changing passwords for security got compromised because it became cumbersome and annoying for people to keep remembering unique passwords. The policy looks good on paper - but as long as the human element is not factored in, it will not be effective.
Re:Changing passwords frequently does not help (Score:2)
Sounds like you need a script to change your password 25 times in a row so you can always have the same password.
Make the user responsible (Score:3, Funny)
Just. Like. That.
Re:Make the user responsible (Score:2)
I take your point that the Boss or his Son is hard to fire, whatever their levels of stupidity.
Convenience vs Security (Score:2)
At MyCorp we tend to move haltingly and staggeringly towards greater security and inconvenience. [No, we're not quite up to military standards where no security policy, no matter how stupid and ineffective, would ever be rejected on the grounds that it caused inconvenience:)]
There's a well-known tradeoff between security and convenience, but it's possible to not be on the maximum locus of that curve: i.e., it's possible to have incredibly inconvenient security policies that provide very little actual secur
"Help me!" (Score:4, Funny)
You've gotta do what everyone else does and write it down. Stick a copy in your wallet, under your keyboard, on the side of your monitor, etc. Now I'll just use my admin login to reset your password and you'll be on your way.
Alternating alphanumerics (Score:3, Funny)
So, my first password was A1A1A1A1. Guess what my next one was?
Ultimately (Score:5, Insightful)
There are plenty of bigger risks to worry about than someone bruteforcing a password. They could get passwords by other means. They could walk up to a PC that's already logged in, and either use it immediately or install a trojan for later use. They could sniff your network. File sharing and email are usually unencrypted. They could hack your DNS server so that requests go through them. An employee with privileges could steal or alter data.
Re:Ultimately (Score:2)
Funny. I thought that people started using encryption if they cared about security. I've heard that somewhere, I'm sure.
Security is irrelevant (Score:3, Insightful)
The 90-day, eight character line-noise password policy has nothing to do with security: it's required for our security certification by a security company who has a good reputation. Either we comply with whatever such a company tells us to do, or banks and merchants and credit companies will refuse to do business with us. Oh, and we have to pick the right company so that we don't have to pay another >$10,000 to get re-certified by another expensive name.
Sucks, but c'est l'entreprise.
8 characters is not long (Score:2)
IMO, 8 chars, complex, changed every 90 days is the absolute minimum for password strength for any system beyond generic webmail or /. accounts.
Same thing here (Score:2)
And I work in the HMO world, but one of our customers does work for the DOD and thus we have to comply with the standard.
PDA password keepers (Score:2, Informative)
My password app includes a utility to generate random but pronounceable passwords (which I don't generally use). My coworker told me one of these a year ago. I haven't used it in 9 months, and I still remember it. Oh $%^*, the system probably expired it.
Gnu Keyring (Score:4, Insightful)
rules reduce my password security.
I use secure, easy to type, and easy to remember passwords (see http://ask.slashdot.org/comments.pl?sid=132 details on that).
I never reuse passwords except in a few rare circumstances (on different Linux computers I personally control I reuse some passwords).
To keep track of all those passwords I bought a (relatively inexpensive) Palm Zire 31. On it I run Gnu Keyring (gnukeyring.sourceforge.net). I have one significantly secure password that I then use to encrypt all my other passwords. I back up this Palm using an SD card. I also back up via IR to my Linux notebook where there is a client that can decrypt the data.
I also have a Palm-based phone (Samsung i330) that can run Gnu Keyring--but I don't trust it. It makes mysterious 10-second data calls that bother a paranoid such as me. Yes, I don't have any good reason to trust the Zire 31 either, but I keep it nearly incommunicado, so I don't need to trust it so much.
I recommend Gnu Keyring.
-kb
Use a word from a book (Score:2)
Third word down (left hand, first word) on page 51.
Suppose the word is "broken". Capitalize first/last letter, and password is...
B51roke3N
All I have to remember is which book, page, how many words down. This is often easy, because you can remember what the page looks like, especially if you pick a page with pictures on it.
Now return the book back to your shelf.
secstore (Score:3, Interesting)
All I need is the password to secstore, which, in my case, is on the LAN.
secstore client - man page [swtch.com] - for non-plan9 systems is now available as part of the Plan 9 from User Space [swtch.com] project.
Rainbow Tables (Score:4, Informative)
You can either spend a few months creating your own Rainbow Tables http://www.antsight.com/zsl/rainbowcrack/ [antsight.com], or you can buy the 64GB tables for $640, http://www.antsight.com/zsl/rainbowcrack/rt_price. txt [antsight.com].
Re:Rainbow Tables (Score:3, Insightful)
The website you refer to is about Windows password hashes. :) Here on /. we all know that Windows is full of bad implementations. The paper explains that in that particular hashing algorithm, the 14 characters are converted to uppercase and treated as two separate passwords of 7 characters, reducing the problem to 2^37 possible passwords rather than 2^8
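The search-space arithmetic behind that claim, as an added worked derivation (not part of the post). Assume each of the 14 positions is drawn from an alphabet of $N$ symbols after upper-casing; the post does not name the alphabet, so $N = 36$ (A-Z plus 0-9) is an assumption here.

$$
\text{unsplit 14 characters:}\quad N^{14}, \qquad \log_2 36^{14} = 14\log_2 36 \approx 14 \times 5.17 \approx 72.4
$$

$$
\text{two independent 7-character halves:}\quad 2N^{7}, \qquad \log_2\!\left(2\cdot 36^{7}\right) = 1 + 7\log_2 36 \approx 37.2
$$

$$
\text{work saved by the split:}\quad \frac{N^{14}}{2N^{7}} = \frac{N^{7}}{2} \approx 2^{35}
$$

So the split collapses roughly $2^{72}$ candidates to about $2^{37}$, the figure in the post. The halves can be attacked independently because each half's hash depends only on its own 7 characters, and a precomputed table of $2^{37}$ half-hashes, once built, covers every password of this form, which is why the rainbow-table cost above is paid once rather than per account.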
Cost & benefits (Score:2)
IMHO, more important is correct systems security policies. Slow response/lockout to eliminate dictionary attacks. Strength is _NOT_ needed if the cost of guessing wrong is high (ie not /etc/passwd with hashes). Changing passwords is perhaps m
some actual research (Score:5, Informative)
That being said, here's at least one academic paper on the subject:
http://www.cs.ucl.ac.uk/staff/S.Brostof
An interesting quote:
"forced password changing causes password problems. The result was highly significant." followed by actual statistics demonstrating the significance.
Here's a white paper that seems to argue that complex passwords only provide real protection if you're able to reduce the number of passwords needed (this may just be a marketing pitch for a single-signon product)
http://www.protocom.com/whitepapers/Eva
Most opinions that complex passwords and often changed passwords are more secure are probably based on the presumption that such policies increase the time required to crack a password:
http://scholar.google.com/url?sa=U&q=h
However, as far as I can tell, no one has really gone out of their way to scientifically compare the effective security provided by various types of password policies in "real world" situations like you describe.
Passwordsafe (Score:3, Interesting)
I think that the project was begun by Bruce Schneier, of "Applied Cryptography", "Secrets and Lies" and "Cryptgram" fame. But now the utility is open-source and multi-platform.
English entropy (Score:3, Interesting)
Correct English sentences have about 1.2 bits per character. That means that for 10 words of 5 characters each, you have 50 characters which are 60 entropic bits (~7.5 entropic bytes).
That is as strong as a 10-character password, or so, but much much longer.
Not sure this is the solution.
I think that whatever is easy to remember, is easy to remember because it has low entropy and is easy to attack.
The solution might be to use non-human memory? USB disk-on-keys containing crypto keys?
Grammar bots? (Score:3, Insightful)
I really wonder, when crackers are trying to hack passphrases, whether generators with language rulesets will arise trying to construct valid "likely used" sentences.
Once you get that, you'll have the same problem once again... (but perhaps some nice grammar-tech out of it coded up by kiddies)
(Or of course databases with silly but catchy punchlines.)
Re:You don't have to remember them all (Score:2)
Yeah! We all know security through obscurity is a waste of time anyway...