I use a few of them very frequently, but there are others I only use once per month, or a few times per year.Īnd the more ‘secure’ they make passwords by putting more and more restrictions on, the more necessary they make it for us to write them all down on Post-it notes, or simply forget the password and have to reset it every time I log in, or use the old “what street did you grow up on” method to bypass it. Each of those has its own, often mutually exclusive, restrictions (how many characters, which usernames have already been taken, whether it needs a capital letter, a symbol, which symbols it allows, how many letters in a row, whether it has to start with a letter or number, etc.). I lost count and was still naming more) 30 or 40 different computer accounts, each of which has its own username and password. Unfortunately, it seems that most IT professionals who set guidelines on “strong” passwords forget everything after “used.”Īlso, I was thinking about this the other day – I have at least (i.e. Once a user has moved to a password safe with unique passwords for each site - I did, although setting new passwords on 150 sites proved something of a chore - then their main security issue is the selection of the master passphrase for the vault itself, which is a rather different security analysis.Ī really strong password is one that nobody else has ever used, which you’ll remember without having to write on a Post-It note, and which you’ll never forget and need to have the IT department reset your password so that you can log back in. The rules from various sites about length, strength and character set mean that you can’t use a single generation strategy, sadly, and often eight characters alphanumeric is the upper bound (which isn’t good), but other sites will permit sixteen characters or more, and often those are the more important sites. If you’re using a password safe, then the passwords for the individual websites need not be memorable and can, indeed should, be randomly generated. And in turn, that means that the only workable solution is some sort of password safe. And the only response to that is per-website passwords, to contain the problem to a single compromised domain at a time. The problem is, it’s hard to conjure up a threat model for password on web sites which doesn’t include the risk of either hashed or plaintext passwords being obtained by the attacker. But for picking a strong password, I’d recommend xkcd’s advice and tools like Diceware for generating something easy to memorize and nearly-guaranteed be unique. Other aspects of password management like not using your webmail password at low-security sites and having a strong backup procedure are more important, and Google gets those right.
More complicated advice about password length or using numbers and punctuation just leads to ‘Password1!’ if its not motivated by finding something unusual enough to be globally unique. Given a sentence to give password advice on a billboard, I’d instead say:Ī really strong password is one that nobody else has ever used. at CMU found mnemonic-phrase passwords are a bit better than the alternative, but many people still pick things which are easy to guess. More thorough research by Cynthia Kuo et al. There are about 500,000 more common passwords in the RockYou set-enough that ‘2bon2btitq’ is unlikely to come up in an online guessing attack but not nearly enough to prevent instant cracking if leaked in hashed form. In other words, Google’s advised password is more common than what half of users choose. In the leaked 2009 RockYou dataset, 4 people out of 32,603,387 picked ‘2bon2btitq’ and 5 picked ‘2bon2b.’ The roughly one-in-a-million probability sounds impressive, but it only puts people using these passwords in the 50th and 48th percentiles of security. Their example of a “very strong password” is ‘2bon2btitq’, taken from the famous Hamlet quote “To be or not to be, that is the question”.Įmpirically though, this is not a strong password-it’s almost exactly average! Google’s password advice has appeared on billboards in the London underground and a full-page ad in The Economist. Google recently launched a major advertising campaign around its “ Good to Know” guides to online safety and privacy.
0 kommentar(er)
