Robert J. Hansen wrote:
>> In short: don't force a particular strategy on your users. Much
>> better to explain to users the general problem, and then leave it
>> up to them to pick a password.
>
> Historically speaking, this has shown not to work. I'll try to dig
> up the HCI references if people really want, but the gist of it is
> people don't want to have to learn and understand: they just want to
> get their work done. The instant you make compliance voluntary and
> education-based, the vast majority of users say "meh" and choose
> "password" as their login credential.

Way back when (1970s, I guess) we had a computer where I worked that was networked to another one many miles away that acted as a server. We used punched cards in those days. Passwords were up to 6 6-bit characters. To run a job, you put a job card ahead of the stuff you wanted to run. We had a whole box of those gang-punched and you took one and used it for your job. The password was PASSWD. Some security. 8-(

Later I had to use multiple machines, and some I could log into with a Teletype or similar communication device. Each had a different rule for acceptable passwords. So there was no way I could use the same password on all the machines. Now I know that it is not a good idea to do that in any case, but we were not supposed to write down our passwords. And some required changing the password every month, so there was no way to remember them all in any case. Even if I could remember them, I could not even remember what login to use on each machine, and which password went with which login, so I did write them down and to hell with the management rules.

> The belief that security problems can be solved by educating users is
> a common one: it is also a deluded one. It handwaves the very
> serious problem of most users not wanting to be educated and being
> actively hostile to it. "Why do I have to learn all this
> propellerheaded geek stuff? I just want to get my work done!"

I do not think it is entirely not wanting to be educated. But if the education takes several hours a week to keep up with and to administer my own responsibilities in the process (generating new passwords, and different ones on a frequent basis; finding some way to remember them other than writing them on a post-it note on a monitor; keeping up with password rules (must have letters in both cases, special characters, digits, at least some length, not to exceed some other length, not a simple permutation of the last few used on this system, etc. But some require some or all of these. Some allow only letters and digits, and so on. Who can keep up?)), then management would have to budget the time so I could do it, and they will not. There has to be a better way, and I do not know what it is.

-- 
  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key: 9A2FC99A         Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey    http://counter.li.org
 ^^-^^ 09:10:01 up 5 days, 12:28, 3 users, load average: 5.32, 4.95, 4.88

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users