From: smb@research.att.com
To: Derek Atkins <warlord@MIT.EDU>
Message Hash: 9ce4cdf00322b1a73e8aa466255f5dd6e12bbe6c90629d4f3fe419e507307381
Message ID: <9407032349.AA28389@toad.com>
Reply To: N/A
UTC Datetime: 1994-07-03 23:49:16 UTC
Raw Date: Sun, 3 Jul 94 16:49:16 PDT
Subject: Re: Password Difficulties
> I'm not a touch typist (although I am also not quite a hunt-and-peck
> typist, either). And using only about 6 fingers (well, I am counting
> both thumbs in this count, and sometimes I use my other fingers as
> well) I have no problems typing in my long (40-50 char) pass phrase!
> However, I am a computer geek (well, I prefer to be known as a nerd,
> but I have Nerd Pride, so... ;-) Anyways, I have a feeling that
> Steve's testing was done with non-computer-geek-type people. I.e.,
> secretaries, managers, and high-up muckety-mucks. Is this true,
> Steve? What was your sample space in your research?
My tests were informal. The target was mostly taken from the sci.crypt
readership -- I don't deal much with management...
The initial tests were on passphrases of lengths from 12 to 20, as I
recall. The phrases were created by choosing random words from
/usr/dict/words -- and the resulting pass-phrases were exceedingly
weird, which may have contributed to folks' difficulty in typing them.
Not that the scores were bad, but they weren't great.
Access was by telnetting to a special port (or was it a special login?
I forget). All and sundry are welcome to participate.
Anyway, I never had a chance to follow up, since I was distracted by
the book I was writing. That's done, and I'm getting back to research
(though I'm thinking of starting another book this fall...). Rerunning
the experiment, using longer passphrases, is high on my list; there's
some chance I'll be getting to it this summer, along with a student
who's working for me. (We're currently working on another project of
interest to this audience; the paper will be available for ftp when
it's ready, though that's still a couple of months off.)
--Steve Bellovin
P.S. For the record -- I've been a touch typist for >30 years, as
appalling as that number sounds. And secretaries are likely to be
*better* typists, not worse. My concern for folks' typing ability
was just that: concern. We don't *know*. We do know that lots of
folks aggressively pick bad passwords; it isn't at all clear to me
if the problem is typing, memory, or both. Passphrases will tend
to exacerbate both problems.
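The phrase construction described in the message above (random words drawn from a dictionary, held to a length range), as an added example that is not part of the original message or the author's test harness. It assumes the 12 to 20 figure means characters including spaces, uses a small constructed word list in place of /usr/dict/words, and computes how much entropy remains once the length window rejects some word combinations.

```python
import math
import secrets
from collections import Counter

# Constructed sample word list standing in for /usr/dict/words (assumption).
# Entries must be unique, or the selection is no longer uniform.
WORDS = ["anvil", "bog", "cipher", "dune", "ember", "fjord", "gnu", "hatch",
         "ion", "jolt", "kelp", "lathe", "moth", "nadir", "oxide", "pylon"]

def count_phrases(words, n_words, min_len, max_len):
    """Count ordered n_words-word phrases (single-space separated) whose
    total character length falls in [min_len, max_len]."""
    by_len = Counter(len(w) for w in words)
    ways = {0: 1}  # ways[t] = number of word sequences with t letters so far
    for _ in range(n_words):
        nxt = Counter()
        for total, seqs in ways.items():
            for word_len, n in by_len.items():
                nxt[total + word_len] += seqs * n
        ways = nxt
    seps = n_words - 1
    return sum(c for t, c in ways.items() if min_len <= t + seps <= max_len)

def entropy_bits(words, n_words, min_len, max_len):
    """Bits of entropy of a phrase drawn uniformly from the allowed set."""
    n = count_phrases(words, n_words, min_len, max_len)
    return math.log2(n) if n else 0.0

def generate(words, n_words, min_len, max_len, max_tries=10000):
    """Rejection sampling with a CSPRNG: uniform over the allowed phrases."""
    for _ in range(max_tries):
        phrase = " ".join(secrets.choice(words) for _ in range(n_words))
        if min_len <= len(phrase) <= max_len:
            return phrase
    raise ValueError("no phrase fits the length window")

if __name__ == "__main__":
    print(generate(WORDS, 3, 12, 20))
    print(round(entropy_bits(WORDS, 3, 12, 20), 2), "bits")
```

The entropy depends only on the size of the word list and the number of words, less whatever the length window excludes; how odd the resulting phrase looks does not change it.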