1994-07-03 - Re: Password Difficulties

Header Data

From: smb@research.att.com
To: Derek Atkins <warlord@MIT.EDU>
Message Hash: 9ce4cdf00322b1a73e8aa466255f5dd6e12bbe6c90629d4f3fe419e507307381
Message ID: <9407032349.AA28389@toad.com>
Reply To: N/A
UTC Datetime: 1994-07-03 23:49:16 UTC
Raw Date: Sun, 3 Jul 94 16:49:16 PDT

Raw message

From: smb@research.att.com
Date: Sun, 3 Jul 94 16:49:16 PDT
To: Derek Atkins <warlord@MIT.EDU>
Subject: Re: Password Difficulties
Message-ID: <9407032349.AA28389@toad.com>
MIME-Version: 1.0
Content-Type: text/plain

	 I'm not a touch typist (although I am also not quite a hunt-and-peck
	 typist, either).  And using only about 6 fingers (well, I am counting
	 both thumbs in this count, and sometimes I use my other fingers as
	 well) I have no problems typing in my long (40-50 char) pass phrase!

	 However, I am a computer geek (well, I prefer to be known as a nerd,
	 but I have Nerd Pride, so... ;-) Anyways, I have a feeling that
	 Steve's testing was done with non-computer-geek-type people.  I.e.,
	 secretaries, managers, and high-up muckety-mucks.  Is this true,
	 Steve?  What was your sample space in your research?

My tests were informal.  The target was mostly taken from the sci.crypt
readership -- I don't deal much with management...

The initial tests were on passphrases of lengths from 12 to 20, as I
recall.  The phrases were created by choosing random words from
/usr/dict/words -- and the resulting pass-phrases were exceedingly
weird, which may have contributed to folks' difficulty in typing them.
Not that the scores were bad, but they weren't great.

Access was by telnetting to a special port (or was it a special login?
I forget).  All and sundry are welcome to participate.

Anyway, I never had a chance to follow up, since I was distracted by
the book I was writing.  That's done, and I'm getting back to research
(though I'm thinking of starting another book this fall...).  Rerunning
the experiment, using longer passphrases, is high on my list; there's
some chance I'll be getting to it this summer, along with a student
who's working for me.  (We're currently working on another project of
interest to this audience; the paper will be available for ftp when
it's ready, though that's still a couple of months off.)

			--Steve Bellovin

P.S.  For the record -- I've been a touch typist for >30 years, as
appalling as that number sounds.  And secretaries are likely to be
*better* typists, not worse.  My concern for folks' typing ability
was just that:  concern.  We don't *know*.  We do know that lots of
folks aggressively pick bad passwords; it isn't at all clear to me
if the problem is typing, memory, or both.  Passphrases will tend
to exacerbate both problems.