Password Suggestions

From Online Security at The Economist:

TWO decades ago only spies and systems administrators had to worry about passwords. But today you have to enter one even to do humdrum things like turning on your computer, downloading an album or buying a book online. No wonder many people use a single, simple password for everything.

Analysis of password databases, often stolen from websites (something that happens with disturbing frequency), shows that the most common choices include “password”, “123456” and “abc123”. But using these, or any word that appears in a dictionary, is insecure. Even changing some letters to numbers (“e” to “3”, “i” to “1” and so forth) does little to reduce the vulnerability of such passwords to an automated “dictionary attack”, because these substitutions are so common. The fundamental problem is that secure passwords tend to be hard to remember, and memorable passwords tend to be insecure.

The solution, say security researchers, is to upgrade the software in people’s heads, by teaching them to choose more secure passwords (see article). One approach is to use passphrases containing unrelated words, such as “correct horse battery staple”, linked by a mental image. Passphrases are, on average, several orders of magnitude harder to crack than passwords. But a new study by researchers at the University of Cambridge finds that people tend to choose phrases made up not of unrelated words but of words that already occur together, such as “dead poets society”. Such phrases are vulnerable to a dictionary attack based on common phrases taken from the internet. And many systems limit the length of passwords, making a long phrase impractical.

An update is ready for installation

An alternative approach, championed by Bruce Schneier, a security guru, is to turn a sentence into a password, taking the first letter of each word and substituting numbers and punctuation marks where possible. “Too much food and wine will make you sick” thus becomes “2mf&wwmUs”. This is no panacea: the danger with this “mnemonic password” approach is that people will use a proverb, or a line from a film or a song, as the starting point, which makes it vulnerable to attack. The ideal sentence is one like Mr Schneier’s that (until the publication of this article, at least) has no matches in Google.
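As an added example (not code from The Economist or from this blog), the two mechanisms the excerpt describes, in Python: a strength check that undoes the common letter-to-number substitutions before its dictionary lookup, which is why "p4ssw0rd" gains nothing over "password", and Schneier's sentence-to-mnemonic rule, which reproduces "2mf&wwmUs". The word lists and the substitution tables are constructed assumptions, not anyone's real wordlist.

```python
import itertools
import string

# Constructed mini word list; a real checker loads a large dictionary and the
# leaked-password lists the article mentions.
COMMON_WORDS = {"password", "abc", "letmein", "monkey", "dragon", "qwerty"}
COMMON_NUMBERS = {"123456", "12345678", "111111"}

# The letter-to-digit/symbol swaps the article calls "so common" that a
# dictionary attack simply tries them all.
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o",
        "$": "s", "5": "s", "7": "t"}

def unleet_variants(pw):
    """Yield every spelling reachable by undoing leet substitutions; each
    swapped character is tried both as itself and as the letter it stands for."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in pw.lower()]
    for combo in itertools.product(*options):
        yield "".join(combo)

def dictionary_match(pw):
    """Return the dictionary entry a password reduces to, or None if it does
    not. Digits glued to either end (as in "abc123") are stripped first, so
    the check treats them as the trivial padding they are."""
    for cand in unleet_variants(pw):
        if cand in COMMON_NUMBERS:
            return cand
        core = cand.strip(string.digits)
        if core in COMMON_WORDS:
            return core
    return None

# Words Schneier's example renders as a digit, symbol or capital instead of
# an initial; entries beyond "too", "and" and "you" are an assumption.
WORD_SUBS = {"too": "2", "to": "2", "two": "2", "for": "4", "four": "4",
             "and": "&", "you": "U", "at": "@", "are": "R", "see": "C"}

def mnemonic(sentence):
    """Schneier's transform: first letter of each word, substituting a digit
    or punctuation mark where one fits."""
    out = []
    for word in sentence.split():
        w = word.strip(string.punctuation).lower()
        out.append(WORD_SUBS.get(w, w[:1]))
    return "".join(out)

if __name__ == "__main__":
    for pw in ["p4ssw0rd", "abc123", "P@$$w0rd", "123456"]:
        print(pw, "->", dictionary_match(pw))
    print(mnemonic("Too much food and wine will make you sick"))  # 2mf&wwmUs
```

The mnemonic output itself passes the dictionary check, which is the article's point: it is a short string, but not one a wordlist plus substitutions will reach.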


About Scot McKnight

Scot McKnight is a recognized authority on the New Testament, early Christianity, and the historical Jesus. McKnight, author of more than forty books, is the Professor of New Testament at Northern Seminary in Lombard, IL.

  • gingoro

    Multifactor authentication would help. For example something that you know ie the password and something that you have eg a fob that generates (pseudo) random numbers that the system also can calculate. Other possibilities are finger print readers or retinal scans. A mathematical operation that is normally invalid can be used to calculate at least part of a password eg average your house number and your year of birth.
    DaveW

  • phil_style

    without giving away any passwords….

    I have a unique password for every different site/ thing and I never (seldom) forget any of them.

    I have a simple formula in my head that I use to generate a password in each case. The formula is always the same, but it generates a unique password every time. And it’s easy if I forget the password – all I need to know is the formula.

  • Jon

    or you can just use 1password and have it remember all your completely randomized, long, secure passwords. http://www.agilebits.com I’m not affiliated, just love their product.

  • http://restoringsoul.blogspot.com Ann F-R

    My husband has worked in IT for 30+ years, and our son is graduating w/ a BSc in Computer Science. We’ve talked about passwords & strength and how many folks have fallen for complexity over length. Our son sent us this comic which illustrates exactly the problems & ease of hacking/not to which the article refers: https://www.xkcd.com/936/

  • AHH

    Here’s my favorite comic about passwords:
    http://dilbert.com/strips/comic/2005-09-10/

    This article seems to assume that the only threat is passwords being guessed by a computer program. But there are other threats, like people who write their passwords down because corporate requirements make them choose something so convoluted they can’t remember it (and/or make them change it too frequently). Or people getting their unencrypted laptops or flash drives lost or stolen.

  • Jeremy

    Came here for the XKCD comic and the article AND Ann followed through. Passwords are a pain, but random words in multiples are great! I do, however, tend to issue random character passwords because that’s what people expect (and I love hearing the groans of despair! (; ).

  • Kyle

    In the vein of what Phil’s alluding to, a site-specific password could be generated by alternating front and back letters in the site URL with a standard number, such as a birthday, and basic arithmetic. So, Amazon with a birthday of 12/9/85 and addition would be a+1 (b), n+2 (p), m+9 (v), and so on, with endless combinations using this basic template.

  • Ben Cheney

    Another option is using software like Password Safe: http://passwordsafe.sourceforge.net/

    Mnemonics such as Schneier’s are a good idea. Just as importantly, ensure that you don’t re-use passwords, especially on sites such as your bank or email account. Those sorts of services should have completely unique passwords you don’t use anywhere else.

  • http://www.dry-bones-valley.blogspot.com Rob Dunbar

    I use LastPass instead of 1Password, and in the past I’ve used KeePassX because it is cross-platform (so is LastPass now). My master password is based on a combination of car models and years and the sequence in which I owned them. Beats simple stuff like my anniversary, DL# or birthday–all of which can be found out. I also like the pipe symbol in my passwords, since most people haven’t a clue what it is.

  • Kokkee Ng

    I choose a favorite book and use the initial letters of the author, title, date, etc for passwords. Easy for me to remember and I think pretty secure esp when the book is not the current bestseller.

  • http://spirit-cry.com/ Cameron

    I take a favourite hymn from my hymn book (not telling which one!) and use a set combination of the initials of words of the first line and the hymn number. If I need stronger security I will use the second, fourth and sixth words with predefined punctuation marks mixed in.

    This explains why I start singing every time I log on somewhere.
