Thursday, May 5, 2011

Passwords

"Some users will provide their password to a stranger who says he is from their company's IT department."
-Amir Lubashevsky
If you use computers then you will be asked to supply a "secure" password. When I wrote about this two years ago, I recommended using the initial letters of a phrase, like "tbontbtitq" for "To be or not to be, that is the question", as something not found in a dictionary yet easy to remember. Sometimes it is possible to be too clever. When physicist Richard Feynman worked on the Manhattan Project to create the first nuclear bomb, he found that many safes at the super-secure site could be cracked with combinations based upon pi = 3.14159 or e = 2.7182818.

This morning I read an article on baekdal.com that suggests we are looking at passwords the wrong way. Reliable security, it argues, comes from password length, not password complexity. Yes, complexity helps. A password like "jskerv", six lowercase letters only, can be cracked in about 1 month by brute force. But "J4fS<2", six characters drawn from mixed case, symbols and numbers, would take 219 years to crack. The problem with complex passwords is remembering them. A password at the office is defeated if you post it on the wall of your cube.

Baekdal recommends a three-word password like "this is fun". A pure brute-force attack on its 11 characters would take over 1 million years. An attack that combines common dictionary words would take over 2000 years, still very secure. These times, like the ones above, assume roughly 100 guesses per second, the rate an attacker gets against a login form; an attacker who has stolen the password hashes can try far more guesses per second offline, which shortens every estimate by the same factor but leaves the ranking between the passwords unchanged. If spaces are not allowed in your password, try "this-is-fun".

Since most password-strength meters score complexity, not length, you may find a password like this rated as "weak." And yes, a single 11-letter word from a dictionary would be weak. But not three words: the attacker's search space is the dictionary size cubed. Imagine how many three-word phrases exist!
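To make the arithmetic behind these figures checkable, here is an added example (mine, not code from the post or from baekdal.com) that computes the search space and the time to exhaust it for the page's four cases, at two guessing rates. The assumptions are labelled in the code: the attacker knows which character classes are in use; the quoted figures correspond to about 100 guesses per second (that rate reproduces the "1 month", "219 years" and "over 1 million years" above); the common-word list has 20,000 entries (which reproduces the "over 2000 years"); and an offline cracker working on stolen hashes is given a round 10 billion guesses per second. The `initialism` helper is the first-letters-of-a-phrase scheme from the opening paragraph.

```python
import math
import string

# Alphabet sizes for the page's character-password examples.
# Assumption (worst case for the defender): the attacker knows which
# character classes the password draws from.
LOWERCASE = len(string.ascii_lowercase)                      # 26
LOWERCASE_AND_SPACE = LOWERCASE + 1                          # 27
FULL_KEYBOARD = (len(string.ascii_letters) + len(string.digits)
                 + len(string.punctuation))                  # 94

# Guessing rates. ONLINE reproduces the baekdal.com figures quoted in the
# post; OFFLINE is an assumed round-number rate for a GPU cracker working
# on a stolen hash file (the real rate depends on the hash algorithm).
ONLINE_GUESSES_PER_SECOND = 100
OFFLINE_GUESSES_PER_SECOND = 10_000_000_000

# Size of the "common words" list a word-combination attack draws from.
# Assumption: 20,000 words, which reproduces the page's "over 2000 years".
COMMON_WORDS = 20_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_space(length: int, alphabet_size: int) -> int:
    """Candidates an exhaustive character-by-character search must cover."""
    return alphabet_size ** length


def word_combination_space(word_count: int, dictionary_size: int) -> int:
    """Candidates for an attacker who joins dictionary words together."""
    return dictionary_size ** word_count


def crack_years(space: int, guesses_per_second: float) -> float:
    """Time to exhaust a search space at a given guessing rate, in years."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def entropy_bits(space: int) -> float:
    """Search space in bits; each extra bit doubles the attacker's work."""
    return math.log2(space)


def initialism(phrase: str) -> str:
    """The page's mnemonic scheme: first letter of each word, lowercased."""
    return "".join(word[0].lower() for word in phrase.split() if word[0].isalpha())


def compare(rate: float) -> dict:
    """Years to exhaust the search space of each example at the given rate."""
    return {
        "jskerv (brute force)":
            crack_years(brute_force_space(6, LOWERCASE), rate),
        "J4fS<2 (brute force)":
            crack_years(brute_force_space(6, FULL_KEYBOARD), rate),
        "this is fun (brute force)":
            crack_years(brute_force_space(11, LOWERCASE_AND_SPACE), rate),
        "this is fun (three common words)":
            crack_years(word_combination_space(3, COMMON_WORDS), rate),
    }


if __name__ == "__main__":
    for label, rate in (("online", ONLINE_GUESSES_PER_SECOND),
                        ("offline", OFFLINE_GUESSES_PER_SECOND)):
        print(f"\n{label}: {rate:,} guesses/second")
        for name, years in compare(rate).items():
            print(f"  {name:34} {years:>14.4g} years")
    print("\nphrase initials:", initialism("To be or not to be, that is the question"))
```

The online rows match the post's figures. The offline rows show the same search spaces exhausted in days or minutes, which is why the absolute years should never be quoted without the rate behind them; what survives any rate is the ordering, and the three-word phrase stays ahead of the six-character password by the same factor in both tables.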

Some password policies require symbols, numbers, etc. I find this annoying and occasionally forget the new password for some bank that requires two numbers or some other pattern different from what I use. This results in keeping a list of passwords, which in itself weakens security.

Bottom Line

Find a password that is easy to remember but long, and either made of several words or of letters taken from some phrase you remember. Can you guess this phrase? "hb2yhb2y"
