[cap-talk] Do Strong Web Passwords Accomplish Anything?
Karp, Alan H
alan.karp at hp.com
Wed Jul 22 11:40:30 EDT 2009
Rob Meijer wrote:
>
> I thus feel that the 3 strikes approach is bad, at least for 'user'
> accounts.
>
Three strikes is bad, but 9 strikes is quite good. A study published in "Usability and Security" shows that after a first failed attempt, only 30% got their password right with two more tries, but over 90% got it within the next 8. (Statistics from memory :( That means you need more than 20 bits of entropy, but 24 should be sufficient. Slowing down the retries also helps.
>
> An alternative approach that I think would be preferable would be using
> such an approach combined with a separation of 'user' (admin) account and
> 'access' (sub) account.
>
I'm concerned that the admin account will be used rarely, making its password more likely to be forgotten.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
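The retry-limit and entropy trade-off discussed above, as an added example that is not part of the cap-talk thread: a per-account login throttle that allows a configurable number of failed attempts (nine here, matching the post) with a doubling delay between them before locking, plus a helper giving an online guesser's odds against a given entropy. The lockout policy, account name and fake clock are constructed assumptions, not anything from the thread.

```python
import time
from dataclasses import dataclass
from typing import Callable

@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0   # earliest clock value at which the next attempt is accepted
    locked: bool = False

class LoginThrottle:
    """Per-account throttle: up to `max_failures` wrong guesses, each failure doubling
    the wait before the next try; at the limit the account locks until reset."""
    def __init__(self, max_failures: int = 9, base_delay: float = 1.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures, self.base_delay, self.clock = max_failures, base_delay, clock
        self.accounts: dict[str, AccountState] = {}

    def attempt(self, user: str, verify: Callable[[], bool]) -> str:
        """`verify` (the real password check) runs only when the throttle allows it."""
        st = self.accounts.setdefault(user, AccountState())
        if st.locked:
            return "locked"
        now = self.clock()
        if now < st.not_before:
            return "too_fast"           # rejected before the password is even checked
        if verify():
            st.failures, st.not_before = 0, 0.0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked = True
            return "locked"
        st.not_before = now + self.base_delay * 2 ** (st.failures - 1)
        return "denied"

def online_guess_odds(entropy_bits: int, guesses: int) -> float:
    return min(1.0, guesses / 2 ** entropy_bits)   # chance `guesses` hit a uniform 2**bits password

def demo() -> dict:
    now = [0.0]                                       # constructed fake clock, deterministic run
    th = LoginThrottle(max_failures=9, clock=lambda: now[0])
    seq = [th.attempt("alice", lambda: False)]
    retry = th.attempt("alice", lambda: False)        # still inside the 1 s delay
    for i in range(1, 9):
        now[0] += 2 ** (i - 1) + 0.5                  # wait out the current delay
        seq.append(th.attempt("alice", lambda: False))
    return {"sequence": seq, "immediate_retry": retry,
            "after_lock": th.attempt("alice", lambda: True),
            "odds_9_tries_24_bits": online_guess_odds(24, 9)}
```

With 24 bits of entropy, nine guesses per lockout window give an attacker roughly a 5e-7 chance per window; the exponential delay is what keeps the legitimate user's extra retries cheap while making those nine guesses slow.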