I recently read through Thomas Baekdal’s ‘The Usability of Passwords’, a great piece on the relative strength of passwords under various methods of hacking attacks. (Also check out the updated FAQ!) Rather than seeing mixed case passwords with random symbols as the epitome of secure, we find that, in fact, passwords “can be made both highly secure and user-friendly”.
The 3 common word password ‘this is fun’ can last 2537 years under a common word attack. In contrast, the 6 random character, mixed case, symbol and number password ‘J4fS<2’ only lasts up to 219 years under a brute force attack. Obviously, the difference between them is negligible in practice – how long can such attempts realistically proceed before being noticed and stopped? – but the point is that being forced to use the latter within various IT services is partially unjustified. (I say ‘partially’ because some people would still use ‘god’, one of the top-five most common passwords according to Hackers, if given the opportunity.)
So, really, there’s not too much need for a ‘Ultra High Security Password Generator‘. Yeah, it’s a secure password, but it’s probably more secure in practice to have a random set of words you remember than to require a written down (or typed!) string of 63/64 characters you need to have constantly accessible (read: actually not secure).
Relevant side note: incorporating complex rules for passwords (at least one vowel, up to three digits, two consonants in the second half of the alphabet, two letters that rhyme with but don’t appear within eight places of ‘J’ in the alphabet, &c) actually makes a password less secure because there exist (publicised) rules to limit the iterations needed for cracking. This is why I felt smugly but probably irrationally secure using my original 6-character password for my old Hotmail account years after they revised the password requirements to 8-characters minimum – if it was a password that did not comply with the rules, then it would probably not be attempted. Yeah, I was probably naive, but the account is closed now so w’evs.
A few days ago I was also linked to a PC World article that talked about Google’s new(ish), optional two-step login process. I don’t know why I wasn’t aware of this earlier! The standard authentication model relies on “something you know–and that something is often easily guess[ed], cracked, or otherwise compromised”. Google’s two-step login, however, requires two pieces of information, “both something you know–your username and password–and something that only you should have–your phone”. Every time I go to a new computer and log into Google I have to type my password and also include content from a text message they send to my mobile. On my work and home computers I just need to go through this process again every 30 days – an added security measure just in case I accidentally leave myself logged on at another computer.
A bonus side-effect of this added step is that I can change my Google password to something more fun – like ‘fluffy bunnies’ – and not concern myself with the associated, potential security risks! (Of course, I probably shouldn’t now that I’ve said it publicly. Damn you, blog readers!)
If anyone out there is interested in setting this up, you can find instructions on the gmail blog.
Anyone have annoying password anecdotes to share?