The Dilemma
April 26th 2008
The Strong Password Dilemma
Excerpt from Chapter 6 of
Authentication: From Passwords to Public Keys
ISBN 0-201-61599-1
Copyright © 2002 Addison-Wesley.
This paper was also published as an article in CSI’s Computer Security Journal, Summer 2002.
NOTE: This is being ‘ported’ to the blog environment, so parts will coexist with the older site.
This paper consists of the following sections:
- Strong Password Policies wherein we look at how the accumulated wisdom of the computer security industry has yielded a set of impractical requirements.
- Passwords and Usability wherein we compare the mandates of strong password security against computer usability standards and what we know of human memory skills.
- Dictionary Attacks and Password Strength wherein we establish a strategy for assessing how well passwords can withstand a trial-and-error attack in practice. This section introduces the terms base secret and average attack space.
- Forcing Functions and Mouse Pads wherein we examine how people adapt to the demands of automated systems that try to enforce the use of strong passwords.
- Reference Notes wherein we point to the sources of various facts we present here, acknowledging that not all of the authors would necessarily agree with the conclusions derived here.