Interesting, thanks.
But the online ones I do find all go the exact same route with the minimum
requirements, and in fact usually will not allow the one in the cartoon -
correcthorsebatterystaple - to be entered at all, even when UC/lc is added
in. So it begs the question for me at least: does such a phrase really
mean a stronger password? Or is it better to use the (unrememberable)
confusion of things, rendering the aforementioned phrase into, perhaps,
C0rr3cth0r5eBattery5taple!#.
David Houston
University of Vermont
Phone: (802) 656 2013
**
"You are nestled in our hearts forever"
**
On Mon, 15 Aug 2011, Sam Hooker intoned:
SH:
SH:On 20110815 10:37 , David Houston wrote:
SH:> I saw the original Andrew posted a while back and I actually do have some
SH:> SAA type techie questions, as that "cartoon" challenged some of what I
SH:> thought I knew about passwords. Specifically: is a higher entropy a good
SH:> thing? And does such a phrase as is used there lead to that? I poked
SH:
SH:Higher entropy[1] is a good thing inasmuch as "higher entropy", in this
SH:case, represents more randomness*, and we're playing a game of numbers,
SH:here. Whereas historical password-quality recommendations were designed
SH:only to minimize the chances that a human would guess the secret, modern
SH:secrets must be difficult for computers to "guess". This basically comes
SH:down to lowering the likelihood that a process (running on one or more
SH:computers) will match the secret as it iterates through some algorithm.
SH:In other words, we're not *preventing* an automated process from coming
SH:up with the secret, just rendering it as unlikely as possible.
SH:
SH:* Go ahead: Argue about what "randomness" means.
SH:
SH:
SH:So, basically, you pick a reasonable-seeming "guess rate" (Randall chose
SH:1000/sec; arbitrary), assign an entropy value to each aspect of the
SH:password (between 0.6 and 1.5 bits per letter, a bit for each property
SH:like "capital or not", a bit for "four vs. A", a bit for the ordering of
SH:a tuple, three bits for "a random digit between 0 and 9", etc.), tot it
SH:all up, and do the math.
SH:
SH:
SH:> So, the SAA techie questions above, and, is a coupled, plain
SH:> english/letters phrase, a good idea or a bad idea?
SH:
SH:I'm in favor of anything that realistically helps each user maintain
SH:secrets with higher entropy. If that means passphrases rather than
SH:passwords, awesome.
SH:
SH:
SH:> And is there any online "entropy calculator" available?
SH:
SH:There appear to be several. Insert standard caution against inputting
SH:one's NetID password into foreign websites, here. ;-)
SH:
SH:
SH:Cheers,
SH:
SH:-sth
SH:
SH:[1] hate to go to Wikipedia, but there it is:
SH:http://en.wikipedia.org/wiki/Entropy_%28information_theory%29
SH:
SH:--
SH:Sam Hooker | [log in to unmask]
SH:Systems Architecture and Administration
SH:Enterprise Technology Services
SH:The University of Vermont
SH:
SH:
SH:> On Mon, 15 Aug 2011, Carol Caldwell-Edmonds intoned:
SH:>
SH:> CC:regarding the PS Ben sent:
SH:> CC:
SH:> CC:from that paper:
SH:> CC:CONCLUSIONS AND A WAY FORWARD
SH:> CC:We have looked in detail at a snapshot of events for a
SH:> CC:sample of password users; but every minute taken in
SH:> CC:unnecessary password use needs to be multiplied by orders
SH:> CC:of magnitude to account for all the password uses even
SH:> CC:within one organisation. This is the true cost of unusable
SH:> CC:password policies. *Against the world-view that "if only
SH:> CC:[users] understood the dangers, they would behave
SH:> CC:differently" [12], we argue that "if only security managers
SH:> CC:understood the true costs for users and the organisation,
SH:> CC:they would set policies differently". We conclude with
SH:> CC:some suggestions for how this might be achieved.*
SH:> CC:Towards Holistic Password Policies
SH:> CC:The vision of a holistic approach for security policies is not
SH:> CC:new; Sasse et al. [16] outlined what such a policy should
SH:> CC:contain. In moving to a holistic approach, there is no single
SH:> CC:ideal policy, as the ongoing debate about writing passwords
SH:> CC:down [12, 17] indicate.
SH:> CC:*Focussing on frequency of password changing, or password
SH:> CC:strength, without considering the user in their context of
SH:> CC:work, is clearly not holistic.*..
SH:> CC:
SH:> CC:So, there's the research, and if we take a data-informed-decision-making
SH:> CC:process seriously, then the role of client services in IT changes from being
SH:> CC:merely the fire rescue team, into the far more professional role of
SH:> CC:intermediary/translator/data collector between the two groups in the
SH:> CC:conclusion: the system administrators, and the users.
SH:> CC:
SH:> CC:Oh, sorry, I'm awake again...it was a nice dream, anyway. Back to the fire
SH:> CC:station.
SH:> CC:
SH:> CC:
SH:> CC:Carol Caldwell-Edmonds, IT Professional Senior
SH:> CC:Enterprise Technology Services: Client Services
SH:> CC:Helpline and Computer Depot Clinic Coordinator
SH:> CC:University of Vermont
SH:> CC:[log in to unmask]
SH:> CC:avatar by Shannon Edmonds
SH:> CC:never take yourself TOO seriously...
SH:> CC:artwork by Shannon Edmonds
SH:> CC:
SH:> CC:On 8/15/2011 10:14 AM, Benjamin Coddington wrote:
SH:> CC:> For the record, I think Scott Adams is the /real/ prophet:
SH:> CC:>
SH:> CC:> http://dilbert.com/dyn/str_strip/000000000/00000000/0000000/000000/00000/1000/700/1782/1782.strip.gif
SH:> CC:>
SH:> CC:> Ben
SH:> CC:>
SH:> CC:> PS
SH:> CC:> Here's a source study for True Cost:
SH:> CC:>
SH:> CC:> http://www.cl.cam.ac.uk/~rja14/shb10/
SH:> CC:> http://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf
SH:> CC:>
SH:> CC:> On Aug 15, 2011, at 9:56 AM, Andrew Hendrickson wrote:
SH:> CC:>
SH:> CC:> > Unless the math is faulty, this comic, sent to me by an unnamed
SH:> CC:> > colleague, makes an interesting point regarding passwords:
SH:> CC:> >
SH:> CC:> > http://www.xkcd.com/936/
SH:> CC:> >
SH:> CC:> > Discuss amongst yourselves, I'll get coffee . . .
SH:> CC:> >
SH:> CC:> > Andrew Hendrickson
SH:> CC:> > CAS, IT Administrator
SH:> CC:> > UVM, College of Arts& Sciences
SH:> CC:> > 438 College Street #402
SH:> CC:> > Burlington, VT
SH:> CC:> > 05405
SH:> CC:> >
SH:> CC:> > 802-656-7971
SH:> CC:> > 802-656-4529 (fax)
SH:> CC:> >
SH:> CC:> > [log in to unmask]
SH:> CC:> >
SH:> CC:> > To submit a request for service please use:
SH:> CC:> > http://footprints.uvm.edu/ashelp.html
SH:> CC:
SH:
SH:
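The arithmetic Sam describes (a bit value per decision the attacker has to reproduce, summed, then divided by a guess rate), worked through for the three strings that come up in the thread. This is an added example and is not code from any message above; the per-decision bit values are assumptions copied from the comic's own tally (16 bits for the base word, 1 for capitalisation, 3 for substitutions, 4 for punctuation, 3 for a numeral, 1 for order; 11 bits per word, i.e. a ~2048-word list), the 1000 guesses/sec rate is the arbitrary figure Sam mentions, the 95-symbol printable set is what a character-class calculator typically assumes, and the 16-word list and all function names are constructed for the demo.

```python
"""Entropy arithmetic behind the xkcd 936 discussion (added example, not
from the thread). Per-decision bit values are assumptions copied from the
comic's own tally; the 1000 guesses/sec rate is the arbitrary figure Sam
mentions; the 16-word list at the bottom is constructed for the demo."""
import math
import secrets

GUESSES_PER_SEC = 1000.0  # Randall's arbitrary rate, as quoted in the thread


def uniform_choice_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size`
    symbols: length * log2(alphabet_size). This is what a character-class
    calculator computes; it is only valid if every symbol really is random."""
    return length * math.log2(alphabet_size)


def tally_bits(components) -> float:
    """Sam's method: give each decision the attacker must reproduce a bit
    value and sum them. `components` is an iterable of (label, bits)."""
    return float(sum(bits for _, bits in components))


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SEC) -> float:
    """Seconds to try every candidate in a 2**bits space at `rate` guesses
    per second (attacker's worst case; the expected time is half of this)."""
    return 2.0 ** bits / rate


def human_time(seconds: float) -> str:
    """Coarse human-readable duration, one decimal place."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


# --- The comic's two examples under the component model (assumed values) ---
TROUBADOR = [                      # "Tr0ub4dor&3"
    ("uncommon but real base word", 16),
    ("capitalisation", 1),
    ("common substitutions (0/o, 4/a, ...)", 3),
    ("punctuation character", 4),
    ("numeral", 3),
    ("order of punctuation and numeral", 1),
]
CORRECT_HORSE_BITS = uniform_choice_bits(2048, 4)  # four words, ~2048-word list


# --- David's leet variant, two ways ---
def leet_horse_naive_bits() -> float:
    """What a character-class calculator reports for
    'C0rr3cth0r5eBattery5taple!#': 27 characters from a ~95-symbol set,
    treated as if each were random. They are not: the string is four
    common words plus a few predictable transformations."""
    return uniform_choice_bits(95, len("C0rr3cth0r5eBattery5taple!#"))


LEET_HORSE = [                     # assumed per-decision values as above
    ("four random common words", CORRECT_HORSE_BITS),
    ("capitalisation", 1),
    ("common substitutions", 3),
    ("punctuation characters", 4),
    ("order of the extras", 1),
]


def report(label: str, bits: float) -> dict:
    """Bits plus time-to-exhaust at the assumed rate, for printing/asserting."""
    return {"label": label, "bits": bits,
            "exhaust": human_time(seconds_to_exhaust(bits))}


# --- Generating a passphrase offline (no web "entropy calculator" needed) ---
WORDLIST = ["correct", "horse", "battery", "staple", "apple", "river",
            "candle", "window", "marble", "thunder", "pencil", "garden",
            "silver", "rocket", "cotton", "meadow"]  # constructed toy list


def generate_passphrase(words, count: int = 4, sep: str = " ") -> str:
    """Pick `count` words uniformly with a CSPRNG; entropy is
    count * log2(len(words)), so a real list should be thousands of words."""
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_bits(words, count: int = 4) -> float:
    return uniform_choice_bits(len(words), count)


if __name__ == "__main__":
    for label, bits in [("Tr0ub4dor&3 (tally)", tally_bits(TROUBADOR)),
                        ("correct horse battery staple", CORRECT_HORSE_BITS),
                        ("C0rr3cth0r5eBattery5taple!# (tally)", tally_bits(LEET_HORSE)),
                        ("C0rr3cth0r5eBattery5taple!# (naive)", leet_horse_naive_bits())]:
        print(report(label, bits))
    print(generate_passphrase(WORDLIST),
          f"~{passphrase_bits(WORDLIST):.0f} bits from this toy list")
```

Under these assumptions the tally reproduces the comic's 28 bits (about 3 days at 1000/sec) and 44 bits (several hundred years). The leet variant scores 53 bits in the tally, roughly 9 bits more than the plain phrase, because an attacker who tries the passphrase also tries the handful of capitalisation and 0/3/5 substitutions; a character-class calculator would instead report about 177 bits for the same string, which is the difference between the "online calculators" David describes and the model Sam is using.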