Even if it is an easy phrase to remember, you still have to type the damn thing 100x a day.
On Aug 15, 2011, at 10:37 AM, David Houston wrote:
> I saw the original Andrew posted a while back and I actually do have some
> SAA type techie questions, as that "cartoon" challenged some of what I
> thought I knew about passwords. Specifically: is a higher entropy a good
> thing? And does such a phrase as is used there lead to that? I poked
> around a bit and did not find much to indicate that, instead finding the
> Usual Suspects around what a "good" password should be. Indeed, that
> formula does lead one to a state of fogged forgetfulness, as handy phrases
> like ))otw4%t6u are, sadly, a little tricky to remember. Sure the phrase
> itself might be easy, but all those substitutions - not so much.
>
> So, the SAA techie questions above, and, is a coupled, plain
> English/letters phrase a good idea or a bad idea?
>
> And is there any online "entropy calculator" available?
>
> David Houston
> University of Vermont
> Phone: (802) 656 2013
> **
> "You are nestled in our hearts forever"
> **
>
>
> On Mon, 15 Aug 2011, Carol Caldwell-Edmonds intoned:
>
> CC:regarding the PS Ben sent:
> CC:
> CC:from that paper:
> CC:CONCLUSIONS AND A WAY FORWARD
> CC:We have looked in detail at a snapshot of events for a
> CC:sample of password users; but every minute taken in
> CC:unnecessary password use needs to be multiplied by orders
> CC:of magnitude to account for all the password uses even
> CC:within one organisation. This is the true cost of unusable
> CC:password policies. *Against the world-view that "if only
> CC:[users] understood the dangers, they would behave
> CC:differently" [12], we argue that "if only security managers
> CC:understood the true costs for users and the organisation,
> CC:they would set policies differently". We conclude with
> CC:some suggestions for how this might be achieved.*
> CC:Towards Holistic Password Policies
> CC:The vision of a holistic approach for security policies is not
> CC:new; Sasse et al. [16] outlined what such a policy should
> CC:contain. In moving to a holistic approach, there is no single
> CC:ideal policy, as the ongoing debate about writing passwords
> CC:down [12, 17] indicate.
> CC:*Focussing on frequency of password changing, or password
> CC:strength, without considering the user in their context of
> CC:work, is clearly not holistic.*..
> CC:
> CC:So, there's the research, and if we take a data-informed-decision-making
> CC:process seriously, then the role of client services in IT changes from being
> CC:merely the fire rescue team, into the far more professional role of
> CC:intermediary/translator/data collector between the two groups in the
> CC:conclusion: the system administrators, and the users.
> CC:
> CC:Oh, sorry, I'm awake again...it was a nice dream, anyway. Back to the fire
> CC:station.
> CC:
> CC:
> CC:Carol Caldwell-Edmonds, IT Professional Senior
> CC:Enterprise Technology Services: Client Services
> CC:Helpline and Computer Depot Clinic Coordinator
> CC:University of Vermont
> CC:avatar by Shannon Edmonds
> CC:never take yourself TOO seriously...
> CC:artwork by Shannon Edmonds
> CC:
> CC:On 8/15/2011 10:14 AM, Benjamin Coddington wrote:
> CC:> For the record, I think Scott Adams is the /real/ prophet:
> CC:>
> CC:> http://dilbert.com/dyn/str_strip/000000000/00000000/0000000/000000/00000/1000/700/1782/1782.strip.gif
> CC:>
> CC:> Ben
> CC:>
> CC:> PS
> CC:> Here's a source study for True Cost:
> CC:>
> CC:> http://www.cl.cam.ac.uk/~rja14/shb10/
> CC:> http://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf
> CC:>
> CC:> On Aug 15, 2011, at 9:56 AM, Andrew Hendrickson wrote:
> CC:>
> CC:> > Unless the math is faulty, this comic, sent to me by an unnamed
> CC:> > colleague, makes an interesting point regarding passwords:
> CC:> >
> CC:> > http://www.xkcd.com/936/
> CC:> >
> CC:> > Discuss amongst yourselves, I'll get coffee . . .
> CC:> >
> CC:> > Andrew Hendrickson
> CC:> > CAS, IT Administrator
> CC:> > UVM, College of Arts & Sciences
> CC:> > 438 College Street #402
> CC:> > Burlington, VT
> CC:> > 05405
> CC:> >
> CC:> > 802-656-7971
> CC:> > 802-656-4529 (fax)
> CC:> >
> CC:> > To submit a request for service please use:
> CC:> > http://footprints.uvm.edu/ashelp.html
> CC:
Andrew Hendrickson
CAS, IT Administrator
UVM, College of Arts & Sciences
438 College Street #402
Burlington, VT
05405
802-656-7971
802-656-4529 (fax)
To submit a request for service please use:
http://footprints.uvm.edu/ashelp.html