On Thu, Apr 21, 2011 at 1:38 PM, Robert J. Hansen <r...@sixdemonbag.org> wrote:

>> In short: don't force a particular strategy on your users. Much
>> better to explain to users the general problem, and then leave it up
>> to them to pick a password.
>
> Historically speaking, this has shown not to work. I'll try to dig up the
> HCI references if people really want, but the gist of it is people don't want
> to have to learn and understand: they just want to get their work done. The
> instant you make compliance voluntary and education-based, the vast majority
> of users say "meh" and choose "password" as their login credential.
>
> The belief that security problems can be solved by educating users is a
> common one: it is also a deluded one. It handwaves the very serious problem
> of most users not wanting to be educated and being actively hostile to it.
> "Why do I have to learn all this propellerheaded geek stuff? I just want to
> get my work done!"
You know, I worded the above poorly, and for that I have only myself to blame for the fact that you jumped on the obvious objection to a complete free-for-all. It probably is wise to have some sort of control in place to prevent very stupid passwords. Even in 1997 my university had a system in place that prevented the use of dictionary words (including Latin and - IIRC - Greek words) or passwords that were merely dictionary words with a number added at the end.

What I meant was rather this: there are several strategies that produce good passwords. Teaching them requires (at some employers) a 30 minute course or the reading of a web page. However, forcing any *particular* strategy onto users will dramatically reduce the time it takes to guess a password, since knowing the strategy reduces the number of possibilities dramatically.

I thought we were talking about this particular proposal (the "use three dictionary words" one) and my point was that if everyone were to use this its security would be dramatically reduced. However, as one of several strategies available to those selecting passwords, it probably isn't a bad one in and of itself.

Nicholas

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
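A worked comparison of the search-space argument made in this thread, as an added example that is not part of the original messages: it quantifies how much smaller the guessing space becomes once an attacker knows the "three dictionary words" strategy, and sketches the kind of dictionary/word-plus-digits filter Nicholas describes. The toy word list and the 100,000-word dictionary size are assumptions for illustration, not figures from the thread.

```python
"""Guessing-space comparison for password strategies (added example)."""
import math
import string

# Constructed toy dictionary standing in for a real attacker wordlist.
TOY_DICTIONARY = {"correct", "horse", "battery", "staple", "gnupg", "mail"}


def rejects_like_1997_filter(password: str, dictionary=TOY_DICTIONARY) -> bool:
    """Reject a bare dictionary word, or a dictionary word followed only by
    digits (the filter Nicholas describes his university running)."""
    pw = password.lower()
    if pw in dictionary:
        return True
    stripped = pw.rstrip(string.digits)
    # A word with trailing digits is rejected only if the stem is a dictionary word.
    return stripped != pw and stripped in dictionary


def bits_if_strategy_known(word_count: int, dictionary_size: int) -> float:
    """Search space (in bits) when the attacker knows the passphrase is
    word_count words drawn from a dictionary of dictionary_size entries."""
    return word_count * math.log2(dictionary_size)


def bits_if_strategy_unknown(length: int, alphabet_size: int) -> float:
    """Search space (in bits) for character-level brute force, the cost an
    attacker faces when the generation strategy is not known."""
    return length * math.log2(alphabet_size)


def compare(passphrase_words: list, dictionary_size: int = 100_000):
    """Return (bits if strategy known, bits if unknown) for a lowercase
    passphrase made by concatenating the given words.

    Assumption: the unknowing attacker brute-forces lowercase letters only
    (26 symbols), which already favours them; real passwords mix classes."""
    joined = "".join(passphrase_words)
    known = bits_if_strategy_known(len(passphrase_words), dictionary_size)
    unknown = bits_if_strategy_unknown(len(joined), 26)
    return round(known, 1), round(unknown, 1)


if __name__ == "__main__":
    known, unknown = compare(["correct", "horse", "battery"])
    print(f"strategy known: {known} bits; strategy unknown: {unknown} bits")
```

With a 100,000-word dictionary, three words give roughly 50 bits against an attacker who knows the scheme, versus roughly 89 bits for a 19-character lowercase brute force, which is the gap Nicholas is pointing at when he objects to mandating a single strategy.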