I saw the original Andrew posted a while back and I actually do have some
SAA type techie questions, as that "cartoon" challenged some of what I
thought I knew about passwords. Specifically: is a higher entropy a good
thing? And does such a phrase as is used there lead to that? I poked
around a bit and did not find much to indicate that, instead finding the
Usual Suspects around what a "good" password should be. Indeed, that
formula does lead one to a state of fogged forgetfulness, as handy phrases
like ))otw4%t6u are, sadly, a little tricky to remember. Sure, the phrase
itself might be easy, but all those substitutions - not so much.
So, the SAA techie questions above, and, is a coupled, plain
English/letters phrase a good idea or a bad idea?
And is there any online "entropy calculator" available?
University of Vermont
Phone: (802) 656 2013
"You are nestled in our hearts forever"
On Mon, 15 Aug 2011, Carol Caldwell-Edmonds intoned:
CC:regarding the PS Ben sent:
CC:from that paper:
CC:CONCLUSIONS AND A WAY FORWARD
CC:We have looked in detail at a snapshot of events for a
CC:sample of password users; but every minute taken in
CC:unnecessary password use needs to be multiplied by orders
CC:of magnitude to account for all the password uses even
CC:within one organisation. This is the true cost of unusable
CC:password policies. *Against the world-view that "if only
CC:[users] understood the dangers, they would behave
CC:differently" , we argue that "if only security managers
CC:understood the true costs for users and the organisation,
CC:they would set policies differently". We conclude with
CC:some suggestions for how this might be achieved.*
CC:Towards Holistic Password Policies
CC:The vision of a holistic approach for security policies is not
CC:new; Sasse et al.  outlined what such a policy should
CC:contain. In moving to a holistic approach, there is no single
CC:ideal policy, as the ongoing debate about writing passwords
CC:down [12, 17] indicate.
CC:*Focussing on frequency of password changing, or password
CC:strength, without considering the user in their context of
CC:work, is clearly not holistic.*
CC:So, there's the research, and if we take a data-informed-decision-making
CC:process seriously, then the role of client services in IT changes from being
CC:merely the fire rescue team, into the far more professional role of
CC:intermediary/translator/data collector between the two groups in the
CC:conclusion: the system administrators, and the users.
CC:Oh, sorry, I'm awake again...it was a nice dream, anyway. Back to the fire
CC:Carol Caldwell-Edmonds, IT Professional Senior
CC:Enterprise Technology Services: Client Services
CC:Helpline and Computer Depot Clinic Coordinator
CC:University of Vermont
CC:avatar by Shannon Edmonds
CC:never take yourself TOO seriously...
CC:artwork by Shannon Edmonds
CC:On 8/15/2011 10:14 AM, Benjamin Coddington wrote:
CC:> For the record, I think Scott Adams is the /real/ prophet:
CC:> Here's a source study for True Cost:
CC:> On Aug 15, 2011, at 9:56 AM, Andrew Hendrickson wrote:
CC:> > Unless the math is faulty, this comic, sent to me by an unnamed
CC:> > colleague, makes an interesting point regarding passwords:
CC:> > http://www.xkcd.com/936/
CC:> > Discuss amongst yourselves, I'll get coffee . . .
CC:> > Andrew Hendrickson
CC:> > CAS, IT Administrator
CC:> > UVM, College of Arts & Sciences
CC:> > 438 College Street #402
CC:> > Burlington, VT
CC:> > 05405
CC:> > 802-656-7971
CC:> > 802-656-4529 (fax)
CC:> > To submit a request for service please use:
CC:> > http://footprints.uvm.edu/ashelp.html
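As an added example, not part of this thread, here is the arithmetic behind the entropy questions at the top of the message: entropy is a property of how a password is chosen, counted as log2 of the number of equally likely outcomes, so an "entropy calculator" can only be accurate if you tell it the generation scheme rather than the finished string. The wordlist sizes, the "usual tweaks" rule set and the guess rate are assumptions, labelled in the code.

```python
import math
import secrets

# Constructed wordlist for the generator below; a real diceware-style list
# has thousands of entries, which is what gives the scheme its entropy.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple",
                   "maple", "river", "cloud", "anchor"]  # 8 words = 3 bits each

def passphrase_bits(words: int, wordlist_size: int) -> float:
    """k words drawn uniformly from a list of n candidates: k * log2(n)."""
    return words * math.log2(wordlist_size)

def tweaked_word_bits(dictionary_size: int, swappable_letters: int,
                      capitalisation_choices: int, suffix_choices: int) -> float:
    """'Dictionary word plus the usual substitutions' scheme.

    An attacker who knows the rules enumerates choices, not characters:
    which word, which of the swappable letters were actually swapped
    (2 ways each), how it was capitalised, and which digit/symbol suffix.
    """
    outcomes = (dictionary_size * 2 ** swappable_letters
                * capitalisation_choices * suffix_choices)
    return math.log2(outcomes)

def expected_guesses(bits: float) -> float:
    """A guesser who knows the scheme needs, on average, half the space."""
    return 2 ** (bits - 1)

def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Convert expected guesses into years at an assumed guess rate."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)

def generate_passphrase(words: int, wordlist=SAMPLE_WORDLIST) -> str:
    """Random choice is what earns the bits; a phrase picked by hand is
    drawn from a much smaller, more predictable space."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))

if __name__ == "__main__":
    # Assumed parameters: 2048-word list, 4 words; 65,536-word dictionary,
    # 3 swappable letters, 2 capitalisations, 1024 suffixes; 1000 guesses/s
    # (a rate-limited online attack, also an assumption).
    phrase = passphrase_bits(4, 2048)               # 44.0 bits
    tweaked = tweaked_word_bits(65536, 3, 2, 1024)  # 30.0 bits
    for name, bits in (("4 random words", phrase), ("tweaked word", tweaked)):
        print(f"{name}: {bits:.1f} bits, "
              f"~{years_to_crack(bits, 1000):.1f} years at 1000 guesses/s")
    print("example phrase:", generate_passphrase(4))
```

The comparison is only as good as the assumed attacker model: change the guess rate or the rule set and the years change, but the bit counts, which depend only on the generation process, do not.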