Thus said Shane Hathaway on Sat, 16 Apr 2011 16:31:16 MDT:

> Maybe you're saying we should scare people into using better
> passwords, but I suggest people don't react well to being frightened.

Being informed of risks is not the same thing as frightening someone. I was suggesting that you expose them to the *true* risk of having their account compromised due to insecure passwords. If the risk they incur is merely that someone might obtain access to their private stash of family photos, then they will know how secure to keep their password.

And yes, if the system contains high-risk material, then I would argue that an extremely difficult password written down on a piece of paper and stored in a wallet is very secure, compared to a weak password policy which allows people to use dictionary-based passwords. It all depends on where the system is located and how it is accessed. I don't think there is a universal password policy that applies everywhere.

> In particular, I think we humans are very good at handling words,
> while we are not as good at handling individual characters. We can't
> easily treat our linguistic memory as digital.

You might be right on this point. In this case, you should require a minimum of 32 characters; that way people will naturally start using passphrases instead of passwords (you can help by saying ``pick a sentence for your passphrase.'').

Andy

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
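As an added example (not code from anyone in this thread), here is a Python policy check in the spirit of the 32-character recommendation above: it prices a candidate the way a dictionary-based cracker would, so a single word padded or repeated out to 32 characters is rejected while a genuine multi-word passphrase passes. The sample wordlist, its assumed size of 20,000 entries and the 50-bit floor are constructed assumptions, not values from the message.

```python
import math
import re

# Constructed stand-in wordlist; a real deployment would load a full dictionary
# and assume the attacker has the same list. The size below drives the
# per-word cost, so it is set to a realistic wordlist size, not len() of this set.
SAMPLE_WORDS = {"correct", "horse", "battery", "staple", "penguin", "password"}
ASSUMED_WORDLIST_SIZE = 20_000
MIN_PASSPHRASE_LENGTH = 32   # the threshold proposed in the message
MIN_BITS = 50                # assumed floor for the guess-space estimate


def _dictionary_word(token, words=SAMPLE_WORDS):
    # Normalise case and strip digits/punctuation so "Penguin2011" counts as "penguin".
    return re.sub(r"[^a-z]", "", token.lower()) in words


def estimate_bits(secret, words=SAMPLE_WORDS, wordlist_size=ASSUMED_WORDLIST_SIZE):
    """Conservative guess-space estimate in bits: the cheapest way an attacker
    could enumerate the secret, not the length-based figure a naive policy sees."""
    # A string that is one block repeated costs the block plus the repeat count.
    repeat = re.fullmatch(r"(.+?)\1+", secret)
    if repeat:
        block = repeat.group(1)
        return estimate_bits(block, words, wordlist_size) + math.log2(len(secret) // len(block))
    # Character-class model: length * log2(alphabet size).
    alphabet = sum(size for pattern, size in
                   ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
                   if re.search(pattern, secret))
    char_bits = len(secret) * math.log2(alphabet) if alphabet else 0.0
    # Word model: if every token is a dictionary word, the cost is per word, not per character.
    tokens = [t for t in re.split(r"[\s\-_.,]+", secret) if t]
    if tokens and all(_dictionary_word(t, words) for t in tokens):
        return min(char_bits, len(tokens) * math.log2(wordlist_size))
    return char_bits


def check_policy(secret, min_length=MIN_PASSPHRASE_LENGTH, min_bits=MIN_BITS):
    """Return (accepted, estimated_bits, reason) for a candidate passphrase."""
    bits = estimate_bits(secret)
    if len(secret) < min_length:
        return False, bits, f"shorter than {min_length} characters"
    if bits < min_bits:
        return False, bits, f"estimated {bits:.0f} bits is below the {min_bits}-bit floor"
    return True, bits, "ok"
```

Note that a length-only rule would have accepted the repeated dictionary word, which is why the estimate collapses repeats before scoring.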
