[olug] (no subject)

Christopher Cashell topher-olug at zyp.org
Wed Nov 7 07:49:22 UTC 2012 

On Tue, Nov 6, 2012 at 9:07 AM, Hurley, Rod <RHurley at tenaska.com> wrote:
> Honestly folks, I am so used to using complex passwords (numbers, special chars, caps, 8+ chars) over the years that it doesn't even phase me anymore.  When a user complains that they can't use Autumn12, I educate them on how to remember complex passwords.  (IF you don't use a pw vault like a lot of us.)

It's good that you can remember your complex passwords, but I'd argue
strongly that complex passwords are the wrong solution.  We need to
move away from passwords and towards passphrases.  They provide a more
secure and more "user friendly" solution.

See: http://xkcd.com/936/

Best bit: "Through 20 years of effort, we've successfully trained
everyone to use passwords that are hard for humans to remember, but
easy for computers to guess."  Bruce Schneier (famed cryptographer,
security guru, and author of Applied Cryptography, also endorsed the
XKCD scheme: http://www.schneier.com/blog/archives/2012/09/recent_developm_1.html)

When it comes to password security, there are two aspects that you are
trying to protect against: someone guessing or "deriving" your
password, and someone "brute force" cracking your password with a
tool.  There's a quasi-third aspect, regarding the security of your
(presumably hashed) password in the event that a password database is
stolen, but that one generally isn't worth considering because the
security of it is almost entirely dependent on the specifics of the
implemented security (not your password itself).

For the first aspect, you protect yourself by using a password that is
non-obvious (don't use "password" or "12345"), and not directly tied
to you (don't use your birthday, your child's birthday, your
anniversary, your name, your children's names, your pet's names, etc).
 Selecting something of sufficient length will also protect you
against this.  Making it a traditional complex password often reduces
the security, as you are more likely to write it down, especially if
you don't use it daily.

For the second aspect, password length will trump special characters
very quickly.  An attacker doesn't know anything about what special
characters you might, or might not, use.  Therefore, they have to try
everything (unless you use something short and/or they have a matching
entry in rainbow tables).  At that point, longer is better.  Much
better.  Stop thinking about a biglongsinglewordwithrandomcharacters,
and make your password a passphrase.  Use multiple words.  They can
even be "real" words (without funny characters), and still be very
secure.  Just making it a complete sentence gives you mixed case and
punctuation, significantly enhancing the entropy of your password.

For comparison, Dan posted the excellent reference to the grc.com
password strength calculator (https://www.grc.com/haystack.htm),  and
noted his "20-character passwords like this "AvZo$I1mjmZ#c at e6vDxw"
that would take "11.52 thousand trillion centuries" to crack."

That's definitely good security, but it'd take me forever to remember
such a horrifying password, which means I have to look it up
constantly.  As an alternate approach, I could use a passphase
sentence like, "My password sucks less!".  According to the same brute
force resistance analysis that Dan used, this password would take
"7.66 hundred million trillion centuries" to crack.

I could type a password like Dan's 20 times, and still have to look it
up.  I've only typed mine twice, and I bet I could remember it a month
from now without entering it again.  Not only that, but while my
password has 3 more characters than Dan's, I'd be willing to bet cash
that I can type it faster and with fewer mistakes than Dan can type
his. ;-)

Both passwords are extremely secure from being cracked (or guessed),
but one is much more memorable and typeable.

Note: Someone brought up sites/tools that truncate passwords.  If the
password is truncated to 8 characters or less, then the only security
aspect mentioned above you need to worry about is protecting your
password from someone guessing it.  If someone is able to run any sort
of effective brute-force attack against it (something that isn't
artificially rate-limited), an 8 (effective) character password, no
matter what the 8 characters are, should be considered compromised.
Luckily, sites and applications that do silly (stupid) things like
this are steadily becoming rarer.

--
Christopher

More information about the OLUG mailing list