Can't Recall Passwords? Write Them Down

bludgeon... kindly re-read my post, read a bit how memory works, and read about the definition of "due diligence" before you make such asinine responses.

First off... people as a rule can only be expected to remember 7 char sequences. In order to remember sequences longer than this, a process known as chunking is used.

Observe:

1776197619452005

can be easily remembered as:

1776, year of american independence
1976, 200th birthday of the US
1945, end o WW2
2005, the current year

Each of these blocks is treated as a single value rather than as 4 separate values. this however does not extend the average persons capabilities.

Another way to remember large sequences like:

abcdefghijklmnopqrstuvwxyz
or
12345678901234567890

Is through logical value assignments, in this case c goes between b and d, n goes between m and o, or 6 goes between 5 and 7. Hence no memorization is required, these sequences can merely be calculated. the same cane be said for "pneumonoultramicroscopicsiliconvolcanokoniosis" (which you misspelled by the way, "silicovolcano" not "siliconvolcano" perhaps just a typo, another weakness of long passwords. Though the inclusion of an extra, seemingly sane letter would indicate mismemorization and not a typo, yet another weakness of long passwords. the rules you use may change for whatever reason as they are not tied to the password but the other way around) then you don't remember this as a sequence, you remember it as a collection of phonetics and spelling rules. Again, this is a calculated result, not a memorized one.

So back to the original point, 7 chars... yes people can use chunking and calculation to remember much longer passwords and nowhere did I say otherwise. I said it is unreasonable to expect this, so much so that if a user is required to have an 8 char password and they write it down, in violation of the security policy and the system is compromised via disclosure of the written password. The guilty user cannot legally be held accountable, even though they violated the security policy. Consequently such a security policy is flawed.

Passwords are accepted, and so is multi-factor authentication... as more organizations adopt multi-factor authentication we will see a correction of password requirements to a sane level.

cheers,

catch

Quote:

---

Originally posted here by phr0zenf1sh
I was asking my system admin yesterday about how she remembers all her passwords, and manages to make them difficult to guess.I only have a few to remember, so I just keep them in my head. She remembers very simple passwords such as summer or spring, but uses a system of changing certain letters into a number such as 1 for a etc. and moving other letters up the keyboard.That way she just has to remember the simple word, and her universal system.I thought it was interesting.

---

If you find it interesting, you might want to read this.

Passwords are on the way out with biometrics. I can see a very close future, within years, where your keyboard-mounted eye or fingerprint scaner (they have both of these today) would log you in, to sites such as AntiOnline. It does, however pose problems for all those fokes on DeviantArt and other websites who take photographs of their eyes :P.

Biometrics will not replace passwords, it will replace ATM cards. You'll still need something you know.

cheers,

catch

Quote:

---

Originally posted here by catch
bludgeon...

cheers,

catch

---

Those were the points I was making in my, 'asinine' way, I was agreeing with someone else (you showed two systems of memory organization and retention, so I'll take that as an 'agreed') so step off your high hat (*strikes a cymbal), ....apparently you already knew that...and I, apparently don't need to reread your post....silly, silly egoist.

Btw, biometrics will replace my ATM card, huh? So like, um...they're going to have to make retinal scans before they reissue my digits? Yeah, that sounds practical.

~edit, if you get into voice recognition implemented over the phone....eh...

heh heh heh heh, okay, I tried, I can't refrain...."Mother Mary, God and Son help me!!!?" Crap, it didn't work again...

Quote:

---

"...I personally think there is more of a chance of people quitting in a large corp. and leaving there binders laying around with passwords in it being more of a risk that a password in a wallet....but then, I'm dumb...and people like to tell me that.

---

That was bait, laid for a, heh, 'catch'...*silently thanks his pysch profs in dealing with people who show signs of minimal meglomania...no skin off my flint, and you only bothered me enough to write this second post because you think you're sooooooo logically superior...

please disregard my missuse of 'there' for 'their', my typing isn't the best....

damn, I'm like a 'miss-type-tarded person'...please change 'that' to 'than' in reading the above quote. I'll give credit to the 'masses' that catch won't and assume that most people can see the flaw and replace the appropriate word while reading.

Gay jokes bludgeon? Grow up.

Quote:

---

apparently don't need to reread your post....silly, silly egoist.

---

Clearly you do, because the point wasn't about how we can remember things beyond 7 chars, the point was the mutually exclusive obligation of remembering passwords longer than 7 chars while being forbidden from writing them down.

You can spend millions of dollars training your staff:(

Quote:

---

so training should be more intensive as far as password security is concerned

---

)but it doesn't make a bit of difference. If your policy requires long passwords and prevents writing them down, it is not binding. In other words your policy is useless, sounds like a great idea!

When dealing with HR issues, you cannot only consider what people are capable of, you must consider what is reasonable to expect from the average person. Develop policy around that, not some post-training ideal, cause it'll never hold in court.

Quote:

---

Btw, biometrics will replace my ATM card, huh?

---

Yes, eventually (a few organizations are already using them, Infonox and InnoVentry to name two) earlier this month in Japan, the Japanese Bankers Association convened to standardize biometrics for use in with ATMs.

Swapping biometrics for the ATM makes more sense than for the PIN. In two factor authentication, it is best to avoid coupling something you are with something you have as both of these can be reproduced. Two factor authentication should always include something you know, even if it is just the particular phrase that is said for voice recognition.

This is why, when biometrics eventually come around in the large scale... if they continue to use two factor authentication... they will replace the ATM card and not the PIN. (though many of the early biometric installations have foolishly switched to single factor authentication, but I suspect this is more of a way to introduce people to new technology through simplification than signs of a long term trend)

The word is "megalomania" not "meglomania" again with the typos, for someone who types as poorly as you do, I'd think you'd want to get away from passwords as fast as possible. Seriously, you must get locked out of your accounts all the time. Either from typos or for all those calculatory rules failing you. While I can replace the erroneous word with the correct one, would it be a good idea for your authentication system to also feature this capability?

cheers,

catch

PS. To clarify, I don't think I'm logically superior to you and I'd like to say that I'm not overly megalomaniacal, but such is the nature of mental illness that I wouldn't know. (and such is the nature of diagnostic criteria that neither would you) I do, however know that I am just plain better than you. ;) Deal with it.

Catch and Bludgeon,



I think you both have very valid views. I think you both have very valid information. I happen to keep some passwords in my wallet anyways (for those rarely accessed systems), but that's all I have written down. I do not have the type of system, where it can be found, any of my personal information or username on there. I consider my system to be quite secure.


Have you two crossed paths at another post before? This seems to have blown up rather quickly. I don't think either of you are going to change the other's mind about this subject, so..... I would like to ask who thinks Catch is right and who thinks Bludgeon is right? (I would ask Catch and Bludgeon to kindly not vote since we all know where they strongly stand)


I have to say both of you have very compelling arguments, but in the interest of not being hippocritical I have to agree that it is ok to write my passwords down, but I do think we'll be moving away from them in the near future.

Quote:

---

Originally posted here by MsMittens
Not by much. Especially given the way people are in public. I went for sushi today and listened to a group yapping about work. One guy was on his Blackberry and leaving it in public view. I've seen people leave their wallets open after taking out their credit cards. Any sticky notes, which often lose their "stickiness" in a hot wallet, tumble out, unbeknownst to the wallet owner. Personally, IMO, it leads to slack security views and a false sense of security.

Either do it all or not at all. Half-assed security doesn't help.

---

I agree, writting down and keeping the note in your wallet is asking for problems... what if the wallet is lost / stolen?

IMHO a better concept is to combine things to make passwords.
For instance, make a sentence and take every x letter from that sentence and add the number of letters or something similar.
eg: apples are green and trees are brown
aagatab7


About the maximum of 7 chars to be remembered, indeed this is correct. Experimental psychology learned us that we are only able to remember 7 things. And as a 'coincidence a week exists of 7 days and in many countries phone numbers are in parts respecting the idea of 7 chars max; zone number + 6 digits so we can easily remember them. If they exist out of more it becomes difficult.

I do not agree about the training of staff and difficulties that would bring, a human mind can easily be trained to remember more than 7 numbers in short memory and even in long memory. For example the waiter in a restaurant can train himself to remember instead of writing down. A system admin using complex passwords daily is probably capable of entering them just out of habit and key sequence instead of recaling from his pure memory, so he / she gets motorical aid on typing the password. Some admins probably can't tell their passwords but can type them. This is also related to the post above where people remember a simple word or sentence to construct more difficult passwords. When you add logic you can remember a lot. Next thing is that many companies use fake words for their passwords, they use passwords that sound like words but they are not, just a wise use of consonants and vowels done by a password generator. Like for instance: retipogasefym

No right or wrong to this....really. Aside from me not using a spell checker, and being inebriated, wait I mean enebriated....heh heh...he's dealing with the future....I'm discussing the now as presented in the article. I'm attacking him by my comments b/c they were 'negative', but he can call me asinine....I think it's all pretty simple, you hit it on the head with hypocritical. I don't recall any 'debates', previously, Captain.

On to the 'catcher boy''....there's only one thing I really want to type out....and that's this....I am qualified :D. Are you? Seems to me like I just made a statement about a long word in reference to your comment on memory and retention (I've read the studies) and think it should all be looked at from a different angle....self fulfilling prophecies and all that, you took that a little 'too' personally, imo, and was the first to resort to 'name calling'. Who needs to grow up? If this forum is supposed to encourage discussions, your end all, know it all approach of telling me I'm wrong for my opinion isn't encouraging....wait no, I mean my Oponion, damn...did I get it wrong again? I didn't misspell egoist did I? ah hah hah...