• A better idea is to choose long pass phrases – complete sentences, with capitalization and punctuation. Once people realise that they can use, for example, an entire line of a favourite poem or song, memorising it is no longer the issue (although typing it accurately and quickly with only blobs for visual feedback can be challenging!).

    An even better idea, then, is to use your long but memorable pass phrase not directly, but to open a decent password vault which securely stores and effortlessly regurgitates extremely secure and unique generated passwords for every login. Now we’re really getting somewhere! In my experience, the main limitation now relates to web applications that INSIST on us using short, weak passwords (doh!).

    Finally, multi-factor authentication is the preferred option for high security logins, using for example the number from a crypto fob or sent through an out-of-band secure channel such as a cellphone. The most common form of identity theft, other than simply guessing those ridiculously weak passwords or hacking insecure database systems, uses keylogging Trojans. Hackers may hijack and exploit a single authenticated session but should not have unfettered access without ongoing access to the second factor. At least that’s the theory, and yes I am making many assumptions about the quality of the application design and programming, and our resistance to social engineering attacks.

    Kind regards,

    July 13, 2011
  • Gary,

    While what you say is certainly true and matches advice that I have given in the past, I’m a little afraid that you may have missed the point of my post. The point is not to share, yet again, the latest in password choosing advice. It is to analyze specifically-leaked sets of passwords and show the bare minimum necessary to avoid being caught up in one of these leaks. I expect to add length to the mix in the next analysis I do, and that is when I was planning to bring up passphrases and vaults.

    The fundamental problem with passphrases is that once people think they have a “good” password, they tend to use that everywhere so a single weak site can breach it and then attackers can extend the attack everywhere. The password vault suggestion is the solution to that… but not one that typically works well at a business level. Multi-factor is not a good solution for the average person as that is an architectural solution and not a decision that the average person can make.

    July 14, 2011
  • I suspect a lot of people (including myself) use a smaller character set for the sole reason that they don’t want to have to hit the shift key when typing their password. On sites where I can use Password Safe (and its auto-typing feature), I let it generate “really good” passwords; those I have to type manually are restricted to [a-z0-9.].

    July 20, 2011
  • I’m not a big fan of Steve Gibson but Password Padding seems like a good idea.

    September 06, 2011
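The comments above argue about length versus character set (the [a-z0-9.] restriction, vault-generated passwords, passphrases). The following is an added example, not code from the blog or any commenter, that makes the trade-off concrete: it infers the alphabet an attacker would have to search from the character classes present, computes the brute-force work in bits, compares that with a diceware-style passphrase, and generates vault-style random passwords with the standard library's `secrets` module. The wordlist size of 7776 is the size of the common diceware list (an assumption used only for the estimate); the sample words and passwords are constructed.

```python
import math
import secrets
import string

# Assumption: a diceware-style list has 7776 words; only the size enters the estimate.
WORDLIST_SIZE = 7776


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover, inferred from the classes present.

    This mirrors how cracking tools scope a brute-force mask: each character
    class that appears anywhere forces the whole class into the search space.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """Bits of work for exhaustive search over the inferred alphabet and length."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Bits of work if the attacker knows the wordlist and tries word combinations.

    This is the honest estimate for a passphrase: per-character brute force
    overstates its strength, because the attacker searches words, not letters.
    """
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole keyspace at a given offline guessing rate."""
    return 2.0 ** bits / guesses_per_second


def generate_vault_password(length: int = 20,
                            alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Vault-style password: uniform random choice from the full alphabet via secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_typeable_password(length: int = 16) -> str:
    """Shift-key-free password restricted to [a-z0-9.], as one commenter does; length makes up the difference."""
    return generate_vault_password(length, string.ascii_lowercase + string.digits + ".")


if __name__ == "__main__":
    # Constructed samples: the point is the shape of the numbers, not the strings.
    for pw in ["password", "Passw0rd!", "correct horse battery staple"]:
        print(f"{pw!r:32} alphabet={charset_size(pw):3d} brute-force bits={brute_force_bits(pw):5.1f}")
    print(f"4-word diceware passphrase, list known: {passphrase_bits(4):.1f} bits")
    vault = generate_vault_password()
    typeable = generate_typeable_password()
    print(f"vault password   {vault!r}: {brute_force_bits(vault):.1f} bits")
    print(f"typeable password {typeable!r}: {brute_force_bits(typeable):.1f} bits")
    # Assumed offline rate of 1e10 guesses/s (a constructed figure for a GPU rig against a fast hash).
    print(f"years to exhaust the typeable keyspace: {seconds_to_exhaust(brute_force_bits(typeable), 1e10) / 3.15e7:.0f}")
```

Two things worth noticing when running it: a 16-character [a-z0-9.] password (about 82 bits) comfortably beats a 9-character "complex" one (about 59 bits), which is the length-over-character-set point the commenters circle around; and a four-word passphrase rates only about 52 bits once the attacker is assumed to know the wordlist, even though a per-character model would score it far higher, which is why the vault-generated password, not the memorable phrase, should be what each site sees.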
