From Online Security at The Economist:
TWO decades ago only spies and systems administrators had to worry about passwords. But today you have to enter one even to do humdrum things like turning on your computer, downloading an album or buying a book online. No wonder many people use a single, simple password for everything.
Analysis of password databases, often stolen from websites (something that happens with disturbing frequency), shows that the most common choices include “password”, “123456” and “abc123”. But using these, or any word that appears in a dictionary, is insecure. Even changing some letters to numbers (“e” to “3”, “i” to “1” and so forth) does little to reduce the vulnerability of such passwords to an automated “dictionary attack”, because these substitutions are so common. The fundamental problem is that secure passwords tend to be hard to remember, and memorable passwords tend to be insecure.
The solution, say security researchers, is to upgrade the software in people’s heads, by teaching them to choose more secure passwords (see article). One approach is to use passphrases containing unrelated words, such as “correct horse battery staple”, linked by a mental image. Passphrases are, on average, several orders of magnitude harder to crack than passwords. But a new study by researchers at the University of Cambridge finds that people tend to choose phrases made up not of unrelated words but of words that already occur together, such as “dead poets society”. Such phrases are vulnerable to a dictionary attack based on common phrases taken from the internet. And many systems limit the length of passwords, making a long phrase impractical.
An update is ready for installation
An alternative approach, championed by Bruce Schneier, a security guru, is to turn a sentence into a password, taking the first letter of each word and substituting numbers and punctuation marks where possible. “Too much food and wine will make you sick” thus becomes “2mf&wwmUs”. This is no panacea: the danger with this “mnemonic password” approach is that people will use a proverb, or a line from a film or a song, as the starting point, which makes it vulnerable to attack. The ideal sentence is one like Mr Schneier’s that (until the publication of this article, at least) has no matches in Google.
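The weaknesses the article describes (dictionary words disguised with common substitutions, phrases whose words already occur together, and mnemonics built from a well-known sentence) can be screened for when a password is chosen. The sketch below is an added example, not part of the quoted article; the word and phrase lists are constructed samples, and the names `skeleton`, `initials` and `screen_password` are hypothetical.

```python
import re

# Constructed sample lists (assumption): a real deployment would load a large
# breached-password corpus and a phrase corpus (titles, lyrics, proverbs).
COMMON_WORDS = ["password", "123456", "abc123"]
COMMON_PHRASES = ["dead poets society", "a stitch in time saves nine"]

# Fold each common substitute onto the letter it stands for, so a password and
# a list entry are compared after the substitutions are undone. "l" and "i"
# are folded together because "1" is used for both.
FOLD = str.maketrans({"3": "e", "1": "i", "l": "i", "!": "i", "0": "o",
                      "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})


def skeleton(text: str) -> str:
    """Lowercase, undo common substitutions, drop spaces and punctuation."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(FOLD))


def initials(phrase: str) -> str:
    """First letter of each word: the 'mnemonic password' of a known sentence."""
    return "".join(word[0] for word in phrase.split())


# Precompute the folded form of every list entry once.
WORD_KEYS = {skeleton(w) for w in COMMON_WORDS}
PHRASE_KEYS = {skeleton(p) for p in COMMON_PHRASES}
MNEMONIC_KEYS = {skeleton(initials(p)) for p in COMMON_PHRASES}


def screen_password(candidate: str):
    """Return the reason a candidate is rejected, or None if no list matches."""
    key = skeleton(candidate)
    if key in WORD_KEYS:
        return "dictionary word"
    if key in PHRASE_KEYS:
        return "common phrase"
    if key in MNEMONIC_KEYS:
        return "mnemonic of a common phrase"
    return None


if __name__ == "__main__":
    # Constructed candidates; the last one matches nothing in the sample lists.
    for pw in ["p@ssw0rd", "Dead-Poets-Society", "As1tSn", "vq7#Lr2x-Tk"]:
        print(f"{pw!r}: {screen_password(pw) or 'not in sample lists'}")
```

A `None` result only means the candidate is absent from the lists supplied, so the check is as good as the corpora behind it.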