Password Memorability and Securability
(Via SlashDot) Some Cambridge University researchers performed a study of how students selected passwords and have made some tentative recommendations.
Users should be instructed to choose mnemonic-based passwords, as these are just as memorable as naively selected passwords while being just as hard to guess as randomly chosen ones. [An example of a mnemonic password would be "My sister Peg is 24 years old" = "MsPi24yo"]
Size matters. With systems like Unix, which limit effective password lengths to eight characters, users should be told to choose passwords of exactly eight characters. With systems such as Netware, which allow 14 characters but are not case-sensitive, one might encourage users to choose passwords of ten or more characters in length; perhaps this will further encourage the use of mnemonics.
Entropy per character also matters. Users should be told to choose passwords that contain numbers and special characters as well as letters. If such a lead isn't given, then most of them will choose passwords from a very small subset of the total password space.
Compliance is the most critical issue. In systems where users can only put themselves at risk, it may be prudent to leave them to their own devices. In that case, it must be expected that about 10% will choose weak passwords despite the instruction given. In systems where a user's negligence can impact other users too (e.g., in systems where an intruder who gets a single user account can rapidly become root using well known and widely available techniques), consideration should be given to enforcing password quality by system mechanisms.
If there is a benefit to be had from the use of centrally assigned random passwords, it appears to come from the fact of central assignment (which enforces compliance) rather than randomness (which can be achieved just with mnemonic phrases). An interesting and important challenge is to find compliance enforcement mechanisms which work well with mnemonic password choice. We expect that password checkers, which verify that a password isn't part of a known weak subset of the password space, may be an effective tool.
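To make the recommendations above concrete, here is an added example of the kind of password checker the last paragraph has in mind, together with the mnemonic derivation from the bracketed example. It is not code from the original post or from the Cambridge study. The per-system policies (Unix truncating at 8, Netware folding case at 14), the "letters plus a digit or special character" rule, the character-class sizes and the tiny weak-password list are all assumptions made for illustration; a real checker would load a large dictionary.

```python
"""Password-quality checker built from the recommendations quoted above.

Added example, not code from the original post or the Cambridge study.
The per-system limits, the character-class rule and the weak-password
list below are assumptions chosen for illustration.
"""
import math
import string

# Constructed sample of a "known weak subset" (a real checker would load a
# large wordlist).
WEAK_LIST = {"password", "letmein", "qwerty", "12345678", "football", "welcome"}

# Assumed per-system policies derived from the quoted advice:
# Unix truncates at 8 characters, so demand all 8; Netware accepts 14 but
# folds case, so ask for 10 or more to make up for the lost entropy.
POLICIES = {
    "unix":    {"max_effective": 8,  "min_len": 8,  "case_sensitive": True},
    "netware": {"max_effective": 14, "min_len": 10, "case_sensitive": False},
}

# Assumed alphabet sizes per character class (printable ASCII specials = 33).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def mnemonic_from_phrase(phrase):
    """Turn a memorable phrase into a mnemonic password: first letter of each
    word, numbers kept whole. "My sister Peg is 24 years old" -> "MsPi24yo"."""
    out = []
    for word in phrase.split():
        word = word.strip(string.punctuation)
        if not word:
            continue
        out.append(word if word.isdigit() else word[0])
    return "".join(out)


def character_classes(pw):
    """Set of character classes actually present in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def entropy_bits(pw, case_sensitive=True):
    """Upper bound on entropy: len * log2(size of the union of classes used).
    On a case-insensitive system upper case collapses into lower case, which
    is why the quoted advice asks for longer passwords there."""
    classes = character_classes(pw)
    if not case_sensitive and "upper" in classes:
        classes.discard("upper")
        classes.add("lower")
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, system="unix"):
    """Return the list of reasons pw fails the policy; an empty list means it
    is accepted. Checks are applied to what the system actually stores, so a
    weak 8-character prefix is caught even if the user typed more."""
    pol = POLICIES[system]
    problems = []
    effective = pw[:pol["max_effective"]]        # the system ignores the rest
    if not pol["case_sensitive"]:
        effective = effective.lower()            # the system folds case
    if effective.lower() in WEAK_LIST:
        problems.append("in known weak subset")
    if len(effective) < pol["min_len"]:
        problems.append("shorter than %d effective characters" % pol["min_len"])
    classes = character_classes(effective)
    has_letters = bool(classes & {"lower", "upper"})
    if not (has_letters and classes & {"digit", "special"}):
        problems.append("needs letters plus at least one digit or special character")
    return problems


if __name__ == "__main__":
    pw = mnemonic_from_phrase("My sister Peg is 24 years old")
    print(pw, check_password(pw, "unix"), round(entropy_bits(pw), 1))
    print(check_password("password123456789", "unix"))   # truncated to "password"
    print(check_password(pw, "netware"))                   # 8 chars is short once case folds
```

Two details worth noting: the checker truncates before testing, so "password123456789" is rejected on the Unix policy because the system only ever sees "password"; and the same mnemonic that passes on Unix fails the Netware policy on length, reflecting the quoted point that case folding costs entropy that extra length must buy back.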
Posted by Tom on May 26, 2004