What it reinforces to me is the necessity of user education - being explicit with them that "Yes, passphrases are better than passwords, but make sure you don't include too many personal details, and make sure it's a real sentence with some real punctuation in it, among other things."
On Thu, Mar 15, 2012 at 07:49, Andrew S. Baker <asbz...@gmail.com> wrote:
> That's an implementation problem.
>
> If I choose a passphrase of "Mary had a little lamb" then of course that
> will be relatively weak as passphrases go. That is not an inherent
> weakness of passphrases, but of people.
>
> Lots of things are undermined by poor choices. Completely random 20
> character passwords with a unicode character set are undermined by having
> them posted on sticky notes.
>
> We didn't need a whole article to point that out.
>
> ASB
> http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market…
>
> On Thu, Mar 15, 2012 at 10:12 AM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars
>>
>> By Dan Goodin
>> Ars Technica
>> March 14, 2012
>>
>> Passwords that contain multiple words aren't as resistant as some
>> researchers expected to certain types of cracking attacks, mainly
>> because users frequently pick phrases that occur regularly in everyday
>> speech, a recently published paper concludes.
>>
>> Security managers have long regarded passphrases as an
>> easy-to-remember way to pack dozens of characters into the string that
>> must be entered to access online accounts or to unlock private
>> encryption keys. The more characters, the thinking goes, the harder it
>> is for attackers to guess or otherwise crack the code, since there are
>> orders of magnitude more possible combinations.
>>
>> But a pair of computer scientists from Cambridge University has found
>> that a significant percentage of passphrases used in a real-world
>> scenario were easy to guess. Using a dictionary containing 20,656
>> phrases of movie titles, sports team names, and other proper nouns,
>> they were able to find about 8,000 passphrases chosen by users of
>> Amazon's now-defunct PayPhrase system. That's an estimated 1.13
>> percent of the available accounts. The promise of passphrases'
>> increased entropy, it seems, was undone by many users' tendency to
>> pick phrases that are staples of the everyday lexicon.
>>
>> "Our results suggest that users aren't able to choose phrases made of
>> completely random words, but are influenced by the probability of a
>> phrase occurring in natural language," researchers Joseph Bonneau and
>> Ekaterina Shutova wrote in the paper (PDF), which is titled
>> "Linguistic properties of multi-word passphrases." "Examining the
>> surprisingly weak distribution of phrases in natural language, we can
>> conclude that even 4-word phrases probably provide less than 30 bits
>> of security which is insufficient against offline attack," the paper
>> says.
>>
>> [...]
>>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
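The gap the article describes, between the "more words, more combinations" entropy estimate and what an attacker who guesses common phrases first actually faces, is easy to make concrete in a policy checker. The following is an added example written for this thread, not code from the paper, the list members or Ars Technica; the phrase list, vocabulary size and sample passphrases are constructed, and the function names are my own.

```python
import math
import re
from typing import Iterable, Sequence

def normalize(passphrase: str) -> str:
    """Lower-case and drop punctuation so 'Mary had a little lamb!' and
    'mary had a little lamb' count as the same phrase."""
    return " ".join(re.findall(r"[a-z0-9']+", passphrase.lower()))

def naive_bits(passphrase: str, vocab_size: int) -> float:
    """Entropy under the optimistic model: every word is an independent,
    uniform pick from a vocab_size-word list."""
    n_words = len(normalize(passphrase).split())
    return n_words * math.log2(vocab_size)

def effective_bits(passphrase: str, ranked_phrases: Sequence[str], vocab_size: int) -> float:
    """Work for a guesser who tries common phrases in frequency order before
    falling back to brute force: a phrase at 1-based rank r costs about
    log2(r) bits; anything not in the list gets the naive estimate."""
    ranked = [normalize(p) for p in ranked_phrases]
    phrase = normalize(passphrase)
    if phrase in ranked:
        return math.log2(ranked.index(phrase) + 1)
    return naive_bits(passphrase, vocab_size)

def dictionary_coverage(passphrases: Iterable[str], ranked_phrases: Sequence[str]) -> float:
    """Fraction of a population's passphrases recovered by a phrase
    dictionary; the article's 1.13% figure is this measurement at scale."""
    dictionary = {normalize(p) for p in ranked_phrases}
    total = hits = 0
    for p in passphrases:
        total += 1
        hits += normalize(p) in dictionary
    return hits / total if total else 0.0

# Constructed data: a tiny frequency-ordered "common phrase" list and a
# constructed sample of user-chosen passphrases.
COMMON_PHRASES = ["to be or not to be", "mary had a little lamb",
                  "new york yankees", "star wars"]
SAMPLE_PASSPHRASES = ["Mary had a little lamb", "purple tractor sings loudly",
                      "Star Wars!", "quiet otter repaints ledger"]
VOCAB_SIZE = 20000  # assumed size of the word list a random picker would use

if __name__ == "__main__":
    for p in SAMPLE_PASSPHRASES:
        print(f"{p!r}: naive {naive_bits(p, VOCAB_SIZE):.1f} bits, "
              f"effective {effective_bits(p, COMMON_PHRASES, VOCAB_SIZE):.1f} bits")
    print(f"dictionary coverage: {dictionary_coverage(SAMPLE_PASSPHRASES, COMMON_PHRASES):.2%}")
```

A checker built on this idea should reject any passphrase whose effective estimate comes from the ranked list, regardless of how many words it contains.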