Are we getting our password advice wrong? ...

There is a popular idea that passwords are words; single words, words we can remember. Convention is that they must not be too easy. No associations with the family cat, mother in law or a love long lost. Once we have the word that we can remember, we are encouraged to mess around with it. Website password strength checkers ensure that we add Capitals, num8ers and punctuati_n. For many mortals, like you and I it can be a mega mare.

If you have one preferred word - and we know that you do. You will try out different combinations to make it work.

Your favourite password, like taramasalata can be adapted to:
Taramas_lat4
taraMasa1at_
t@ramAsalat4
... and many other combinations exist - but tell me and think for yourself, is this easy to remember?

We are all, after all creatures of habit. Furthermore we know that many souls will pick a word then simply add digits. This is an easy workaround to the demand from corporate systems security experts that we must frequently change our passwords.

Now taramasalata can become:

Taramasalata_01
Taramasalata_02
Taramasalata_03
Taramasalata_04
etc

You meet the length and strength criteria - the software looks at simple patterns and repetition. As you can see, it is not difficult to fool the programming and create a password sequence that is easy to remember.

Now this is when is sucks - in an ideal world you should use a different password for each system. Yet most people do not. I try to rank my passwords based on my view of how important a service is - which is always from a personal perspective. But, I am sure you may think that I rank my banking above my Facebook account or my email.

Most current hack attacks are using information gleaned from one insecure service as an attack on another. Many online services use your email as a login as a reference point. Many of us use the same email account and also password on multiple services. Once I have accessed one - it does not take considerable effort to try others.

Everyone is so excited about making the world difficult to crack via a dictionary attack (yes, a dictionary attack is using a long word list). Yet we neglect to consider that the most common attacks are brute force based deciphering the resulting encrypted code stolen from a vulnerable password database on another site. So when combined with user laziness as many of us use the same password on multiple sites - hackers are at an advantage.

So - why not encourage passphrases not passwords. Passphrases can be long enough to be complex, yet short enough to be easy to remember. Randall Munroe of XKCD fame has represented this in a very straightforward manner.

Source xkcd.com under a
Creative Commons Attribution-NonCommercial 2.5 License.
So - what should you do? Or more importantly what should we as security professionals and alleged experts be doing to encourage you to create a password?

Instead of a complex single word that you always cheat on - and stick numbers at the end. Should we instead be asking you to give out a single phrase per site? The chances are it will be longer - it will have complexity - dictionary attacks are useless and if you are able to think - it will be considerably easier to remember.

What do you think?


Comments

Popular posts from this blog

Simulation vs emulation vs virtualisation ....

You can't free a fish from water ...

Slow are the wheels that maketh the #Linux NAL ...