The idea that computer users should use long, complex passwords is one of computer security’s sacred cows and something we write about a great deal at Naked Security.
They need to be long and complex because it’s their length, complexity and uniqueness that determines how difficult they are to crack.
Passwords are the keys to the IT castle and it doesn’t matter how strong your walls are if the lock on the door is easily picked.
They’re of particular interest to people like me because they’re often the one component of a security system whose creation and safety is entrusted to the users of that system rather than its designers and administrators.
And that, unfortunately, is why we have to keep talking about them – users remain stubbornly attached to passwords like 12345 and password that are so bad they can be cracked in less time than it takes to type them.
Spurred on by this obduracy, some computer security professionals spend a great deal of time either thinking about how to explain themselves better or thinking up ways to force users into the correct behaviour.
But what if we’re going about this the wrong way… what if we’re giving out the wrong advice or we’re giving the right advice to the wrong people?
Those are the kind of questions raised by a paper recently released by Microsoft Research entitled An Administrator’s Guide to Internet Password Research.
The authors, Dinei Florêncio, Cormac Herley and Paul C. van Oorschot, contend that “much of the available guidance lacks supporting evidence” and so set out to examine the usefulness of (among other things) password composition policies, forced password expiration and password lockouts.
They also set out to determine just how strong a password used on a website needs to be to withstand a real-world attack.
Their conclusion is that creating strong passwords is wasted effort a lot of the time.
They suggest that organisations should invest their own resources in securing systems rather than simply offloading the cost to end users in the form of advice, demands or enforcement policies that are often pointless.
To understand their conclusions we need to look at the difference between online and offline attacks.
Online attacks occur when someone attempts to log in to a website by guessing someone else’s username and password using that site’s standard login page.
Of course, most attackers don’t sit there manually entering guesses – they use computer programs that can work day and night and enter guesses at a far higher rate than any human being could.
These cracking programs know all the popular passwords (and how popular they are), have huge lists of dictionary words they can consult, and know the tricks that people use to obfuscate passwords by adding funny ch@ract3rs.
Any system that’s online can be subjected to an online attack at any time and such attacks are easy to perform and very common.
However, online attacks are also subject to a couple of natural limits. Even on extremely busy websites like Facebook, the amount of traffic generated by users who are trying to log in at any given moment is relatively small, because most users aren’t trying to log in most of the time.
Attackers cannot subject a system to too many guesses because of the amount of activity their attack generates. An attacker sending one guess per second per account would likely generate thousands or even tens of thousands of times the normal level of login traffic.
At the very least this would be enough to attract the attention of the site’s maintainer but it could also easily be enough to overwhelm the website completely.
Similarly, an over-zealous effort to crack one individual’s account is likely to attract the attention of the site’s maintainers and any automatic IP address blocklisting software they’ve used. Individual accounts are also, typically, not very valuable and simply not worth the attention and cost of millions of guesses.
This natural rate limiting also means that online attacks don’t become more deadly as computers get faster – it doesn’t matter how many guesses an attacker can make in theory because of the throttling effect of the target.
Finally, attackers must contend with the fact that as the number of password guesses they make increases, the frequency at which they guess successfully drops off dramatically.
...an online attacker making guesses in optimal order and persisting to 10^6 guesses will experience five orders of magnitude reduction from his initial success rate.
Sooner or later the costs outweigh the benefits and it’s just not worth attacking that system any more.
The authors suggest that a password that’s targeted in an online attack needs to be able to withstand no more than about 1,000,000 guesses.
...we gauge the online guessing risk to a password that will withstand only 10^2 guesses as extreme, one that will withstand 10^3 guesses as moderate, and one that will withstand 10^6 guesses as negligible ... [this] does not change as hardware improves.
One million guesses might sound a lot but even a very short, randomly generated five character password like 03W3d would likely survive: five characters drawn from upper case, lower case and digits give 62^5, roughly 916 million, possibilities, so an attacker who stops after a million guesses has covered barely a thousandth of them.
The research also reminds us just how much more resilient a website can be made to online attacks by imposing a limit on the number of login attempts each user can make.
Locking for an hour after three failed attempts reduces the number of guesses an online attacker can make in a 4-month campaign to ... 8,760
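To make the lockout arithmetic concrete, here is an added example (not code from the Naked Security article or from the Microsoft Research paper) that computes an online attacker's guess budget under a lockout policy and implements a small per-account throttle that enforces one. The 3-failures/1-hour policy and the four-month campaign (taken as 2920 hours) mirror the paper's quoted scenario; the function and class names, and the one-guess-per-second attacker in the simulation, are the example's own assumptions.

```python
"""Added example, not from the article or the Microsoft Research paper: how a
lockout policy caps an online attacker's guess budget at a single account, and
a small in-memory throttle that enforces such a policy. The 3-failures/1-hour
policy and the 2920-hour "four months" are assumptions mirroring the paper's
quoted scenario; all names are the example's own."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

HOUR = 3600
FOUR_MONTHS = 4 * 365 * 24 // 12 * HOUR   # 2920 hours (assumption)


def guesses_under_lockout(free_attempts: int, lock_seconds: int,
                          campaign_seconds: int) -> int:
    """Upper bound on evaluated guesses at ONE account when `free_attempts`
    consecutive failures lock it for `lock_seconds`: the attacker gets
    `free_attempts` guesses per lockout period, however fast their machine."""
    return (campaign_seconds // lock_seconds) * free_attempts


def guesses_without_lockout(rate_per_second: float, campaign_seconds: int) -> int:
    """What the same attacker gets if nothing throttles the account."""
    return int(rate_per_second * campaign_seconds)


@dataclass
class LoginThrottle:
    """Per-account lockout: after `free_attempts` failures, refuse further
    attempts without evaluating them until `lock_seconds` have passed."""
    free_attempts: int = 3
    lock_seconds: int = HOUR
    _state: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # user -> (failures, locked_until)

    def attempt(self, user: str, password: str, now: int,
                check: Callable[[str, str], bool]) -> str:
        failures, locked_until = self._state.get(user, (0, 0))
        if now < locked_until:
            return "locked"                 # refused unevaluated: no information leaks
        if check(user, password):
            self._state.pop(user, None)     # success resets the failure counter
            return "ok"
        failures += 1
        if failures >= self.free_attempts:
            self._state[user] = (0, now + self.lock_seconds)
        else:
            self._state[user] = (failures, locked_until)
        return "fail"


def evaluated_guesses(campaign_seconds: int, free_attempts: int = 3,
                      lock_seconds: int = HOUR) -> int:
    """Simulate an attacker firing one wrong guess per second at one account
    and count how many guesses the throttle actually evaluates."""
    evaluated = 0

    def never_right(user: str, password: str) -> bool:
        nonlocal evaluated
        evaluated += 1
        return False

    throttle = LoginThrottle(free_attempts, lock_seconds)
    for t in range(campaign_seconds):
        throttle.attempt("alice", f"guess-{t}", now=t, check=never_right)
    return evaluated


if __name__ == "__main__":
    print("4 months, 3 tries then 1-hour lock:", guesses_under_lockout(3, HOUR, FOUR_MONTHS))  # 8760
    print("4 months, 1 guess/s, no lockout:   ", guesses_without_lockout(1, FOUR_MONTHS))      # 10512000
    print("one simulated day via the throttle:", evaluated_guesses(24 * HOUR))                 # 72
```

Two things worth noticing. First, the unthrottled figure: a single guess per second against one account for four months is over ten million guesses, well past the 10^6 line, which is why the paper's online threshold only holds when the site actually detects or throttles the attempt rather than relying on the attacker's politeness. Second, the throttle locks the account, not the source address, so an attacker who knows a username can deliberately lock the legitimate user out; production implementations usually combine a per-account limit with per-source-IP limits and a slowdown rather than a hard lock.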
Offline attacks are in a different league entirely though.
03W3d might go uncracked for months in a real-world online attack but it could fall in the first millisecond (that’s 0.001 seconds) of a full-throttle offline attack.
Offline attacks occur when someone steals, buys or otherwise finds themselves in possession of a website’s password database.
With the database in an environment that the attacker can control, the shackles imposed by the online environment are thrown off.
Now the attacker can throw the kitchen sink at your passwords.
Offline attacks are limited only by how fast the attacker can compute and check guesses, so it comes down to horsepower and, as we’ll see below, to how expensive the site has made each guess to check.
So how strong does a password need to be to stand a chance against a determined offline attack? According to the paper’s authors it’s about 100 trillion:
[a threshold of] at least 10^14 seems necessary for any confidence against a determined, well-resourced offline attack (though due to the uncertainty about the attacker's resources, the offline threshold is harder to estimate).
Luckily, offline attacks are far, far harder to pull off than online attacks. Not only does an attacker have to get access to a website’s back-end systems, they also have to do it undetected.
The window in which the attacker can crack and exploit passwords is only open until the passwords have been reset by the site’s administrators.
Of course, once they’ve gained access it’s possible that an attacker won’t need to perform an attack at all.
Passwords should be stored as salted hashes computed with deliberately slow, iterated password hashing functions like PBKDF2, bcrypt or scrypt.
That’s because password hashing functions that use thousands of iterations for each verification don’t slow down an individual login noticeably, but multiply the attacker’s cost per guess by the same factor (a 10,000-fold dent in the article’s illustration), which matters enormously for an attack that needs to try 100 trillion passwords. The salt matters too: it forces every guess to be recomputed for every user instead of being checked against the whole database at once.
But the history of website data breaches suggests that’s often not done.
The researchers used a data set drawn from eight high profile breaches at Rockyou, Gawker, Tianya, eHarmony, LinkedIn, Evernote, Adobe and Cupid Media. Of the 318 million records lost in those breaches, only 16% – those stored by Gawker and Evernote – were stored correctly.
If your passwords are stored badly – for example, in plain text, as fast unsalted hashes, or encrypted with a key that is kept alongside the database – then your password’s resistance to guessing is moot.
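The following is an added example (not code from the article or the paper) that puts the two storage styles side by side: salted, iterated PBKDF2-HMAC-SHA256 from Python’s standard library next to the fast, unsalted MD5 the article warns about, and then runs a small offline dictionary attack with leetspeak mangling rules against both. The wordlist, the mangling rules, the sample users and their passwords are constructed for the example; the iteration count in the demo is kept low only so that it runs in about a second.

```python
"""Added example, not from the article or the paper: salted, iterated password
storage (PBKDF2-HMAC-SHA256) beside unsalted MD5, and an offline dictionary
attack with leetspeak mangling run against both. Wordlist, users, passwords
and mangling rules are constructed for the example."""
import hashlib
import hmac
import itertools
import os
from typing import Callable, Dict, Iterator, List, Optional, Tuple

ITERATIONS = 100_000            # production cost factor; tune so a login costs ~100 ms


def store_pbkdf2(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash, stored as algorithm$iterations$salt$hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def store_md5_unsalted(password: str) -> str:
    """The bad pattern: fast, unsalted, identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


# Cracker-style mangling: swap letters for look-alikes, capitalise, add suffixes.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
SUFFIXES = ("", "1", "123", "!")


def mangle(word: str) -> Iterator[str]:
    seen = set()
    options = [[c] + list(LEET.get(c, "")) for c in word]
    for combo in itertools.product(*options):
        base = "".join(combo)
        for variant in (base, base.capitalize()):
            for suffix in SUFFIXES:
                cand = variant + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(matches: Callable[[str], bool], wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Try mangled candidates in wordlist (popularity) order; return the
    password found and how many guesses it took."""
    guesses = 0
    for word in wordlist:
        for cand in mangle(word):
            guesses += 1
            if matches(cand):
                return cand, guesses
    return None, guesses


def crack_all_unsalted(user_hashes: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Without salt, ONE hash computation is checked against EVERY user."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in user_hashes.items():
        by_hash.setdefault(h, []).append(user)
    found, computed = {}, 0
    for word in wordlist:
        for cand in mangle(word):
            computed += 1
            for user in by_hash.get(store_md5_unsalted(cand), []):
                found[user] = cand
    return found, computed


WORDLIST = ["123456", "password", "letmein", "qwerty"]   # constructed, most popular first


def demo(iterations: int = 1_000) -> dict:
    """Crack 'p@ssw0rd' stored both ways. The guess sequence is identical;
    only the cost of checking each guess differs, by a factor of `iterations`."""
    target = "p@ssw0rd"
    md5_hash = store_md5_unsalted(target)
    pw_md5, n_md5 = crack(lambda c: store_md5_unsalted(c) == md5_hash, WORDLIST)
    stored = store_pbkdf2(target, iterations)
    pw_kdf, n_kdf = crack(lambda c: verify_pbkdf2(c, stored), WORDLIST)
    return {"md5": (pw_md5, n_md5), "pbkdf2": (pw_kdf, n_kdf),
            "relative_cost": n_kdf * iterations / n_md5}


if __name__ == "__main__":
    print(demo())
```

Two points the numbers make: the mangling rules reach a “complex-looking” password like p@ssw0rd in well under two hundred guesses, so its apparent character mix buys nothing against a cracker; and while PBKDF2 does not change that guess count, every guess now costs the attacker the full iteration count, and the salt means the work has to be repeated for each user instead of being shared across the whole leaked table as crack_all_unsalted shows.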
To understand the difference between online and offline attacks it’s helpful to see the numbers side-by-side.
| Scenario | Guesses a strong password must withstand |
| --- | --- |
| Online attack | 1,000,000 (10^6) |
| Offline attack | 100,000,000,000,000 (10^14) |
Not only is the difference between those two numbers mind-bogglingly large, there is – according to the researchers at least – no middle ground.
In the region from 10^6 to about 10^14, improved guessing-resistance has little effect on outcome.
...incrementally increasing the number of guesses the password will survive delivers little or no security benefit.
In other words, the authors contend that passwords falling between the two thresholds offer no improvement in real-world security, they’re just harder to remember.
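The guess-space arithmetic behind those two thresholds is short enough to write down. The block below is an added example (not code from the article or the paper): it computes how many random characters, or how many dictionary words, are needed to reach each threshold, and it also reproduces the naive character-class “strength meter” calculation to show why such meters mislead. Only the two thresholds come from the article; the function names, the character-class sizes and the sample passwords are the example’s own assumptions.

```python
"""Added example, not from the article or the Microsoft Research paper: the
guess-space arithmetic behind the paper's 10^6 (online) and 10^14 (offline)
thresholds, the smallest random password or passphrase reaching each, and the
naive character-class strength-meter calculation. Only the two thresholds come
from the article; names, class sizes and sample passwords are assumptions."""
import string

ONLINE_THRESHOLD = 10 ** 6     # guesses a password must survive against online attack
OFFLINE_THRESHOLD = 10 ** 14   # "at least 10^14" against a determined offline attack


def guess_space(symbols: int, length: int) -> int:
    """Worst-case guesses when each of `length` positions is chosen uniformly
    from `symbols` alternatives. Covers passphrases too: symbols is the
    vocabulary size and length the number of words."""
    return symbols ** length


def min_length(symbols: int, threshold: int) -> int:
    """Smallest length whose guess space reaches `threshold`. Integer
    arithmetic, so no floating-point log rounding at exact powers of ten."""
    length, space = 0, 1
    while space < threshold:
        length += 1
        space *= symbols
    return length


def classify(guesses_withstood: int) -> str:
    """Which of the paper's bands a password falls in; between the two
    thresholds extra resistance buys little real-world protection."""
    if guesses_withstood >= OFFLINE_THRESHOLD:
        return "offline-resistant"
    if guesses_withstood >= ONLINE_THRESHOLD:
        return "online-resistant"
    return "weak"


def naive_meter(password: str) -> int:
    """What a character-class meter credits: the union of the classes used,
    raised to the length, as if every position were a uniform random draw.
    Class sizes are assumptions (32 == len(string.punctuation))."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    )
    symbols = sum(size for chars, size in classes if any(c in chars for c in password))
    return symbols ** len(password)


def summary() -> dict:
    """Worked numbers for the article's scenarios (sample inputs constructed)."""
    return {
        "random 5 of [A-Za-z0-9], e.g. 03W3d": classify(guess_space(62, 5)),        # online-resistant
        "chars of [A-Za-z0-9] for 10^6":        min_length(62, ONLINE_THRESHOLD),    # 4
        "chars of [A-Za-z0-9] for 10^14":       min_length(62, OFFLINE_THRESHOLD),   # 8
        "chars of 94 printable for 10^14":      min_length(94, OFFLINE_THRESHOLD),   # 8
        "digits only for 10^6":                 min_length(10, ONLINE_THRESHOLD),    # 6
        "words from 2000 common for 10^14":     min_length(2000, OFFLINE_THRESHOLD), # 5
        "naive meter on P@ssw0rd":              classify(naive_meter("P@ssw0rd")),   # offline-resistant, wrongly
    }


if __name__ == "__main__":
    for scenario, result in summary().items():
        print(f"{scenario}: {result}")
```

The last row is the caveat a practitioner should keep in mind: the meter scores P@ssw0rd as 94^8, over 10^15 possibilities, yet a cracker’s mangling rules reach it within a few hundred guesses of a popularity-ordered wordlist. The formulas only describe a password that really was chosen at random, which is precisely what a password manager does and people do not.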
What this means for you
The conclusion of the report is that there are effectively two kinds of passwords: those that can withstand one million guesses, and those that can withstand one hundred trillion guesses.
According to the researchers, passwords that sit between those two thresholds are more than you need to be resilient to an online attack but not enough to withstand an offline attack.
Users, they suggest, should shepherd their resources wisely and focus on high value sites.
User effort available for managing password portfolios is finite. Users should spend less effort on password management issues ... for don't-care and lower consequence accounts, allowing more effort on higher consequence accounts.
Systems administrators, they say, should stop worrying about getting users to create strong passwords and should focus instead on properly securing password databases and detecting leaks when they happen.
The password strength meters and composition policies that systems administrators impose don’t get users to choose passwords that would survive an offline attack, and putting the burden on users by asking them to create passwords that long is wasted effort – they simply won’t do it in large enough numbers.
...attempts to get users to choose passwords that will resist offline guessing, e.g., by composition policies, advice and strength meters, must largely be judged failures...
Zero-user-burden mechanisms largely or entirely eliminating offline attacks exist, but are little-used...
Demanding passwords that will withstand offline attack is a defense-in-depth approach necessary only when a site has failed both to protect the password file, and to detect the leak and respond suitably.
If systems administrators did all that properly, they say, then you and I could happily stay secure with nothing more than a short PIN for each website.
Unfortunately there’s no way for you to tell the good sites from the bad ones – do you know if the website you’ve just used stores its passwords in plain text or uses keyed hash functions? And if they told you, would you believe them?
As a user, the only part of a security system you know anything about for sure is the bit you create, namely your password. Your password choice might not strengthen a weak system but it can certainly weaken a strong one.
The bottom line
Concentrating your efforts on the sites that really matter sounds like a good idea, except that it stirs new complexity into the mix: how to decide where to draw the line between “important” and “lower consequence” accounts.
Fortunately, you can bypass the authors’ notion of a ‘fixed time-effort’ budget by using a password manager.
That way, you no longer need to differentiate your lower consequence accounts: you can simply treat all your accounts as important.
With a password manager, the effort involved in generating and storing an extremely strong password is exactly the same as the effort needed to create a weak password.
Alternatively, you might decide that an almost zero-effort password manager churning out incredibly strong, random passwords is for your lower consequence accounts and that you want to create and memorise the really important ones yourself.
If you want to roll your own then our video will tell you how to pick a proper password – one that will withstand the most brutal offline attack.
(Don’t forget that if you do use a password manager, you will need a really strong password for the password manager itself.)
49 comments on “Do we really need strong passwords?”
I made a two-part blog post about the same topic. Your article misses one key thing: the use of password managers.
You’ll find password managers mentioned under the heading ‘The bottom line’
An interesting take on passwords.
But passwords are not just to prevent (malicious) “real-world attacks”, they are also to enable adequate identification and authentication of a user.
If I am putting journal entries through my employer’s accounting system or updating the personnel and payroll system, he would really like to be sure who is doing it. My password therefore should be strong enough that a colleague cannot guess it, the system must be isolated from “real-world attacks”, and company procedures must ban the sharing of IDs.
Typically this is managed through “workstation sign on” screens (i.e. before the password manager comes up) so the ID/password has to be complex enough not to be guessable, simple enough to remember but not so hard to remember that it gets written on the proverbial post-it note (watch the video).
Alternatively how easy is it to “doctor” a laptop or workstation so that it will only log on when (and stay logged on while) a particular Corporate ID card is within say a metre of it? If that could be cracked have we then “evaporated the user problem”? Compulsory wearing of ID cards then becomes the issue!
There’s a big difference between creating a password that your colleague cannot guess, and one that a computer cannot guess within 1,000,000+ attempts.
There is a better chance that somebody will figure out where you wrote your passwords down than they have of guessing which weak password you used. In fact, you’d probably have an easier time figuring out where they wrote the password down than what the password means when you see it.
“In fact, you’d probably have an easier time figuring out where they wrote the password down than what the password means when you see it.”
Hence the reason to use a password manager. If you only need to remember one password (to open the password database), then there’s really no reason to write it down, is there?
The big problem is password reuse. If some site’s database is compromised, and your password is found, it’s only a really big deal if you’ve been using that password on other sites as well. What’s particularly difficult is convincing a user that sticking different digits on the end of a password doesn’t make it materially different.
Definitely agree on reuse.
However, putting random digits (and punctuation) at random points in a password using a word makes the PW quite a bit safer than just the word. ho4u.r is definitely safer than just the word hour. (I’m only using a short word for an example.)
Putting two 4+ character words together, with punctuation in-between, and semi-random digits, caps, and punctuation starts to become difficult to crack.
Back to my example, using 2 words hour and spool (hourspool) isn’t so good. But, ho4u.r-sp.o7ol, while using the same words, is pretty strong. Each word has 2 semi-random characters emplaced, and there’s a punctuation mark between the words. I’m thinking it meets the 100 trillion test, yet is easier to remember than a random PW.
I’ve even put a pattern into that PW to make it easier to remember: the 3rd and 5th characters in the first word are random, and the 3rd and 5th from the end of the second word are also random.
Best bet, though, if a person can’t remember, is a PW manager.
So if the website is the “real” weak link here, then there has to be an opportunity for some kind of “kite mark”, or even compulsory certification, which assures the user that the the password handling is audited and passes a suitable standard?
I agree. There has to be an opportunity for a voluntary certification system where an outside trusted party verifies how you’re storing your passwords and issues you a certificate. Even better was if web browsers had a way of displaying an icon on a certified site as they do for https.
And, internally to your company, passwords should also meet the same test the authors of the paper suggest: It can’t be cracked by the first x million attempts using a cracking tool (i.e. with dictionary words and leetspeak included in that million).
I agree completely. Only one company I’ve worked for actually had me crack users’ AD passwords. Of course I found the usual Ab12345, Passw0rd, etc. (password complexity as set by policy to require one upper and one lower case, either a number or special character and had to be at least seven characters long). It took me a little over an hour and a half to crack all but three accounts (including service accounts) in a 5000+ user environment. I even cracked my own password, which was actually a passphrase (three words, but a common enough phrase).
A quick way to check a site’s password security is to go through the “forgot password” process right after you create your account. It is a bad sign if they email your password to you because that means they are storing/encrypting it instead of hashing it. Better is if they email you a link to a page where you can set your new password. Even better is when that link can’t be reused. And so on.
I think this article makes an important point.
Say I create an encrypted container file of files and store them on a USB stick which is lost. The attacker can subject that encrypted data to automated attack, tens of thousands of attempts per second, dictionary attacks then brute force. For these files to remain secure they probably need the >8 characters, upper + lower + number type password.
But as you point out, a website or network can easily force a lock out after 5 failed attempts. Do I really need such a complex password on this occasion? If I avoid ‘password’ or ‘qwerty’ etc, say something like yyg56, isn’t that sufficient?
Surely more is achieved by implementing the 5 attempt lockout and/or things like robust procedures for resetting passwords rather than demanding over the top passwords.
I tend to agree with Brianetta – for logins, re-use of passwords is a bigger issue than password entropy.
Pass phrases are a much better way to go than a single “password”. A passphrase can be long enough to provide the entropy required but easy to remember.
Pass phrases are technically passwords; there is no difference. Just a bigger character limit and probably spaces allowed, which is not a big deal nowadays.
Exactly. I proved this myself, see my comment above.
What about techniques that dramatically increase the work needed to crack offline passwords like PolyPasswordHasher?
I’m surprised this wasn’t mentioned. Is this because it is a server-side protection?
We did mention that it’s a good idea to increase the work needed to crack each offline password, though we only mentioned what we thought were the best-known current techniques (PBKDF2, bcrypt and scrypt).
Mark, you are touching on an area that I think is key to this whole debate. The whole password thing is plain wrong headed. We need to get rid of passwords, not encourage further password diversity. One possibility is to only have one password and then use single sign on technologies to access all your websites of interest. We are already seeing this with Facebook or Google login access. A website that uses such a system has no need to store a password at all.
Of course it means that Facebook and Google need to be ultra secure with their password infrastructure, but I think this will prove to be safer than relying on small sites getting their security right.
However because companies like Facebook, Google and others will refuse to deal with each other because of competitive issues, we will see the rise of specialist 3rd party password companies that will provide independent single signon services. Someone like Lastpass is ideally positioned to do this.
I think I already have the environment you propose: LastPass with a very secure master password, the most complex and lengthy passwords possible for each site requiring logon credentials, and a second factor when possible.
But these types of technologies need to protect privacy. The information hoovers would love to cross-correlate the various websites that you have signed on to.
It would definitely be an issue. However I think it should be solvable though. Whatever happens the current password system is doomed, it simply doesn’t scale in the way that works.
Great article and video. I’m not a propeller-head and I completely understood everything. While there are “low-lives” out there, we all must have more than a passing interest in security technology.
In an attempt to brainstorm the IT systems security issues, has the concept of the “password” as we know it outlived its usefulness?
The security needs to be at least a 2-stage approach where what can be hacked is only half the story. The user needs to have a coded external device that must synchronise with the PC or the system’s security is just un-hackable rubbish.
The external device could be something like the digipasses that some banks use, where the synchronising code is only valid for about 30 seconds before you’re back to un-hackable rubbish and a new code is required.
Perhaps this has already been done or can’t be done. My point is we need to be thinking outside the 9 dots for security. When the average home PC becomes capable of 128-bit processing or greater huge password strings using the current approach will be easily hackable.
The best-known 2-stage (two-factor authentication) systems at the moment are probably:
Using a strong password does help a lot even against the attack of cracking the stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses.
At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Rather off-topic, but your metaphor may be inaccurate – there’s a lot of evidence that early hunting peoples could, and regularly did, run down horses and other ungulates on foot. There are a number of evolutionary factors involved, mainly surrounding our superior cooling systems, which allow us to keep on running for longer with shorter recovery periods. Speeds may be lower in the short term, but over a number of days a really fit (and hungry) human can catch up, and then easily take down the poor exhausted horsey. Note that by this point you may be quite far away from your cave, fire and fellow tribesmen.
Bringing us back on topic, I’m sure that some of our other evolutionary advantages could come into play here, perhaps our massive brainpower and the culture and technology we have developed – I’m sure you’re right that if we can just come up with the right system, there will be a way to make our brains out-think those pesky password-cracking computers.
I’ve finally settled on a password system that I can personally live with. My biggest issue is that password requirements are not standardized. Some systems require this length, others that; some require symbols, others reject symbols; some require you change your password every X days, others don’t.
Using a pass phrase system mnemonic system, I can easily keep track of my (exceedingly strong) personal passwords without writing them down or otherwise compromising them, but I can’t do that if I’m forced into some sort of system that thwarts or alters my system.
The Change Requirement is the biggest thorn. Where used, it forces me to change my otherwise perfectly unique, perfectly secure, and perfectly remembered password with something new. What choice have I but to write it down? It is insane.
Question: If a password of 5 random characters is strong enough to survive 1 million guesses (online attack), how many random characters must a password have to survive 100 trillion guesses (offline attack)? This wasn’t highlighted in the article above.
Further to this, and more for academic curiosity, if a password was made up of dictionary words (eg. correcthorsebatterystaple), how long would it need to be to survive 1 million guesses and 100 trillion guesses?
Assuming 68 characters available (26 letters, 10 digits, 10 special chars on the digits, 11 other keys with two specials each, as on my keyboard at the moment), a 13-character string will allow combinations in the x10^14 range. 5 gives around 10 million, or just under 14m if you allow repeats.
For words, using a very minimal estimate of vocabulary size of 20,000 words (see http://testyourvocab.com/blog/2013-05-10-Summary-of-results), just 2 words allows for around 200 million combos, depending if you have repetition. 4 words is in the x10^15s, well over 100 trillion possible combos.
At least, that’s assuming the fun calculator at http://www.mathsisfun.com/combinatorics/combinations-permutations-calculator.html works properly.
Of course, there’s a big difference between “my password’s one of 100 trillion possible ones” and “it’ll be the last of 100 trillion guesses” – this especially applies to words, as any sane cracker tool would weight words according to how likely people are to know and use them.
Forgot that letters can be upper or lower case, so actually 94 possible chars on my keyboard and only 11 needed to give 100 trillion combos.
Neither bit of maths is going to make me change the “length” option on my password generator below 15 though 🙂
Thanks for the analysis!
It’s worth noting that the authors actually said *at least* 100 Trillion guesses and that there are factors they can’t account for.
Also password cracking gets better as hardware improves and whilst it’s possible to make cracking programs work harder by doing things like iterating hashes hardware is improving faster and you want your password to be in the “impossible to guess” range for a while.
Finally, as you say, you want to be nearer the 100 Trillionth guess than the 1st and guesses aren’t done in random order.
Whilst putting up a number like 100 Trillion is useful for scale there’s a danger that being precise creates the illusion of being accurate.
“Of course, there’s a big difference between “my password’s one of 100 trillion possible ones” and “it’ll be the last of 100 trillion guesses””.
And that’s the part that’s almost always ignored, forgotten or just unrealized by the majority of people. Your “complex” password may be cracked in under a nanosecond if it’s the first one tried.
sorry but 100,000,000,000,000 is 100 billion (bi million if you will)
The Americans had:
million = 10^(3 + 1*3)
billion = 10^(3 + 2*3)
trillion = 10^(3 + 3*3)
The British had:
million = 10^(1*6)
billion = 10^(2*6)
trillion = 10^(3*6)
I think it is fair to say that having two meanings for these terms, especially given inflation, was always going to be troublesome, and so one form would conquer the other.
The Americans won.
Indeed, since “mille” means 1000, you can argue that the American system is slightly more logical, but that doesn’t matter.
I would probably write “100 million million,” just to be fair to non-Anglophones who have the word “milliard” for 10^9 and “billion” for 10^12. But when I do that, people say, “Why didn’t you just write 100 trillion?” You can’t win 🙂
Very useful article. I think everyone agrees that passwords should never be stored in any way that it can be decrypted again, it should be a one-way hash algorithm. But even for the hash, if it would include a serious iteration that would cost a modern processor still at least one second or so to execute, it would slow the hacker down for years to come, even if they obtain the database with password data. But a valid user will still be acknowledged within seconds.
In my humble opinion personal attacks are still profitable for hackers if a hacked account would provide access to money some way or the other (401K or PayPal info etc). The dangers are then in the “recover password” option that is offered almost everywhere. How safe is my email that the “reset” link is sent to? Can a hacker trigger the reset and intercept the message? How safe are the “secret questions” if a site uses that? I caught my 10 year old on the phone the other day with some “game show host” trying to guess where his dad was born and my son asking me so he could give the correct answer. How many times does it take before they finally have enough answers for the secret questions?
While thinking about this article and the paper, I realized there’s a very important point: Laptops and tablets should be considered “needs higher security”. The reason is that a laptop stolen (or otherwise obtained) by a crook has given the crook infinite time to crack. This is because the drive can be removed and the security database cracked using whatever tool they need.
This would apply to most systems which have a chance of giving physical access to a crook, not just laptops and tablets. But, because portable systems are so prevalent, companies have to apply the stronger PW requirements to any account which is used with a portable system.
Indeed. And in that particular scenario passwords are no barrier at all unless the drives are also encrypted.
Good point. All bets are off when we give up physical access.
And if we do encrypt, we STILL need to have a strong password. Brute-forcing anything less than 10 not-strong characters is almost trivial with the right hardware and/or software. At 10 strong characters things start to get difficult for the hacker. Enough to drop one’s laptop off the edge of being “low hanging fruit”, anyhow.
But, if your business has any real chance of attracting the attention of the bad guys, the encryption PW strength needs to be taken to the next level. Software and even hardware is cheap enough now that it’s not a large barrier to entry into the hacking arena. A company trying to steal a patent design isn’t going to be working with script-kiddie equipment.
Ok.. let’s do the math (using an average laptop):
– If your password is a 6-character common word, then it is EASY to remember but it can be cracked (using a “common words” attack) in LESS THAN 3 MINUTES.
– If your password is a 6-character uncommon word, it is still EASY to remember but it still can be cracked (using a “dictionary” attack) in LESS THAN 3 MINUTES.
– If your password is a 6 random characters and numbers, then it is a bit more DIFFICULT to remember and it can still be cracked pretty easily, (using a brute-force attack) in approximately 8 MONTHS.
– If your password is a 6 random characters with mixed case, numbers and symbols, then it is DIFFICULT to remember and it is hard to crack, (using a brute-force attack) approximately 200 YEARS.
– If your password is a 3 common words separated by white spaces, then it is EASY to remember and almost impossible to crack, (using a “common word” attack) more than 2.500 YEARS.
That’s not mathematics, it’s arithmetic, and I don’t think you have the calculations quite right.
For a start, you are assuming that the time taken to crack any password is constant. (See the article, and the one it links to about “storing password securely”, for why.)
And the use of three common words as a password is nowhere near as safe as you’re saying. If we assume that a well-educated person has a vocabulary of about 20,000 words, and that about 10% of those can be considered “common” (2000 words), then there are only 2000x2000x2000 possible three-common-word passwords. That’s 8 billion. On the other hand, there are about 64^6 possible 6-character passwords made of [A-Za-z0-9] and some punctuations. That’s close to 80 billion. So the three-word password is about ten times weaker than the 6-character random one, not ten time stronger as you suggest.
And therein lies the problem: the assessment of password complexity (or “entropy”, meaning the extent to which it is unpredictable) is quite complex!
Leaving aside Paul’s analysis, I am not convinced for other reasons.
I, and many of our readers, don’t need to remember a password, I need to remember hundreds of passwords.
That means I need to remember hundreds of combinations of 3 or 4 common words. For me that’s well beyond what’s possible so as a problem it’s as unsolvable as remembering hundreds of combinations of random characters.
Also, the chances of me creating hundreds of combinations of real words that are genuinely random seem highly unlikely. Humans just aren’t good at that, so I prefer to let a computer program choose my passwords.
Since memorable passwords aren’t actually memorable at this scale I might as well go with passwords of equal length that are true, random combinations of characters because collectively they are no more difficult to remember and they are very likely to be much harder (and certainly no easier) to crack.
Aside from that the technique relies on a pattern and patterns are what the people who write password cracking programs want you to use. They start with the most common passwords and obfuscation techniques. I want my passwords to be secure for several years and since this is both popular and relies on a pattern it seems like a technique that, were I trying to crack passwords efficiently, I would be paying a lot of attention to.
Having a password of at least 6-8 characters, with at least an upper case letter, a number and a special symbol, is a pattern as well.
We recommend more than 6-8 characters (or four “unusual” words if you like the correcthorsebatterystaple approach).
My retirement savings account is behind a 6 digit numerical password. There are a couple of security questions too. Should I be concerned?
It depends on a few things.
A 6 digit numerical password is perfectly able to withstand an online attack if there’s rate limiting. Are you shut out if you get it wrong three or four times?
It won’t stand up to an offline attack for long though.
The best thing to do is to treat your security questions as extra passwords – don’t answer them correctly, answer them with random 14 character strings of letters, numbers and wacky characters and store them in a password manager.
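Paul’s keyspace arithmetic in the earlier comment and the 6-digit PIN question just above both come down to the same two numbers: how many candidates an attacker has to try, and how many guesses per second the setting lets them make. The Python below is an added example (mine, not code from Naked Security or from the Microsoft Research paper) that puts both in one place. The 2000-word “common” vocabulary and the 64-symbol alphabet are Paul’s figures; the three attacker models, their guess rates and the 3-tries-then-15-minute lockout are constructed assumptions for illustration, and `random_answer` is a hypothetical helper for the “treat security questions as extra passwords” advice.

```python
import math
import secrets
import string
from typing import Dict

# Figures taken from Paul's comment: a 2000-word "common" vocabulary and a
# 64-symbol alphabet of [A-Za-z0-9] plus some punctuation.
COMMON_VOCAB = 2000
CHARSET_64 = 64
CHARSET_DIGITS = 10

# Constructed attacker models (assumed guess rates, not measured ones).
RATES: Dict[str, float] = {
    "online, 3 tries then 15-minute lockout": 3 / (15 * 60),
    "offline, slow adaptive hash (assumed 1e4 guesses/s)": 1e4,
    "offline, fast unsalted hash (assumed 1e10 guesses/s)": 1e10,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet for randomly generated "security question" answers.
ANSWER_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace_words(vocab: int, words: int) -> int:
    """Distinct passphrases of `words` words drawn uniformly from a `vocab`-word list."""
    return vocab ** words


def keyspace_chars(charset: int, length: int) -> int:
    """Distinct strings of `length` characters drawn uniformly from `charset` symbols."""
    return charset ** length


def entropy_bits(keyspace: int) -> float:
    """Entropy of a uniformly random choice among `keyspace` candidates."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the expected time is half of this."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def compare(keyspaces: Dict[str, int],
            rates: Dict[str, float] = RATES) -> Dict[str, Dict[str, float]]:
    """Years to exhaust each scheme under each attacker model."""
    return {
        scheme: {model: years_to_exhaust(size, rate) for model, rate in rates.items()}
        for scheme, size in keyspaces.items()
    }


def random_answer(length: int = 14) -> str:
    """A random string to use as a security-question answer, kept in a password manager."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


# The schemes discussed in the thread, plus the random 14-character answer.
SCHEMES: Dict[str, int] = {
    "3 common words (2000-word vocabulary)": keyspace_words(COMMON_VOCAB, 3),
    "6 random chars from a 64-symbol alphabet": keyspace_chars(CHARSET_64, 6),
    "6-digit numeric PIN": keyspace_chars(CHARSET_DIGITS, 6),
    "random 14-char answer (94 printable symbols)": keyspace_chars(len(ANSWER_ALPHABET), 14),
}


if __name__ == "__main__":
    results = compare(SCHEMES)
    for scheme, size in SCHEMES.items():
        print(f"{scheme}: {size:.3g} candidates, {entropy_bits(size):.1f} bits")
        for model, years in results[scheme].items():
            print(f"    {model}: {years:.3g} years to exhaust")
    print("example random answer:", random_answer())
```

Running it shows what the replies are getting at: the 6-digit PIN takes years to exhaust through a throttled login form but a fraction of a second against a leaked fast hash, and the three-common-word scheme (8 billion candidates, about 33 bits) sits below the 6-character random string (about 36 bits), so which one is “safe” depends entirely on which attacker model applies to the system holding it.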
I never thought of using security questions as passwords in that way, but knowing me won’t help you figure out my security questions at all. According to my security questions, I was brought up in the Aleutian Islands, I must have been hatched there because I have no mother to get her maiden name from, I attended school in Tibet, etc. (And these are only examples of ideas used for my answers, they’re not the actual answers. It would be pretty stupid to post the real answers here, almost as dumb as writing them down on the bottom of my keyboard…)
I always laugh when IT guys try to mock end users and our supposedly weak passwords. Nobody is going to sit at my computer and try 17 million passwords. The only way they can crack my password is if they steal a password file from you IT guys and attack it offline. In other words, it’s your failure to keep the network secure, not my password, that is the weak link. Own up, you IT guys – you need us users to have strong passwords to make up for your inadequacy!
That’s a good point – although even if your IT guys get things right much more than they get them wrong, it’s still a good idea to have a decent password.
Firstly, if you expect them to go the extra mile just in case, why not do the same yourself and together go the extra mile-squared?
Secondly, there are good reasons for a decent password that apply regardless of IT.
You make things much harder for shoulder surfers, for example, which is something the IT guys can’t control.
And remember that not all offline attacks depend on data stolen from IT: if you have an Android phone, say, and someone steals it, they may be able to mount a dictionary attack against the encrypted volume on your device without needing data stolen from anywhere else.