On 04/17/2011 04:47 PM, Stuart Jansen wrote:
> Experience has shown that the majority of people do not want to think
> much about security. Instead of pursuing a theoretic, mathematic ideal,
> it's time to acknowledge human psychology.
Yes, to acknowledge human psychology, passwords should be usable. Everyone agrees on that. The disagreement is about the right way to make passwords usable.

The article [1] that started this thread advocated using word combinations instead of cryptic characters so that it's not necessary to write down passwords. Bruce Schneier, OTOH, said in 2005 that people should write down passwords. [2] A Microsoft representative said that even two-factor authentication is not secure because people tape their PIN to their token device anyway. [3]

Bruce's opinion carries a lot of weight in my mind, but I don't think he backed it up with any evidence, so now I'm left hanging. I would like to find studies that try to objectively resolve this simple question: should people write down their password?

In any case, my research on this question did lead me to some other interesting ideas, such as the suggestion that every password entry box should include a "show me my password" checkbox. I think that is correct.

Shane

[1] http://www.baekdal.com/tips/password-security-usability
[2] http://www.schneier.com/blog/archives/2005/06/write_down_your.html
[3] http://news.cnet.com/Microsoft-security-guru-Jot-down-your-passwords/2100-7355_3-5716590.html

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
