I find this idea from Ka-Ping Yee very compelling.
What if, instead of treating memorability as the constant and strength as the variable, we treat strength as the constant and memorability as the variable? Suppose we have the computer choose a completely random password, to guarantee good password entropy. The phrase-based technique shows that a phrase can be turned into a random-looking jumble of letters and numbers. With a sufficiently large word list and a basic knowledge of grammar, can a computer turn a truly random jumble of letters and numbers into a memorable phrase?
Discussions regarding password length or password complexity are quite common, but Ping introduces a new point of view in the debate about building strong passwords.
Via 7dots, I found this interesting article from Roger A. Grimes, the InfoWorld security adviser. He claims that password length is far more important for security than complexity and that the push from many organizations to adopt complex passwords is worthless.
The problem with [password] analysis is that complexity cannot be guaranteed, and for the most part will be circumvented by your end-users. Whether you give them 94 characters or 65,000 characters to choose from, most will choose to include the same 32 characters.
And because most users also use dictionary words as the root to their “complex” password, and follow other common conventions, a simple hybrid attack will break most of them in less than a day.
There is no easy way to force true password complexity in most environments without a software addition, other than to generate truly random passwords and hand them out to users. They will probably hate you for doing so. […] If you can’t guarantee true password complexity (and you probably can’t) length is your best bet.
Roger has plenty of evidence to support his analysis. Nonetheless, Ping’s idea could lead to very effective software add-ons that reconcile the need for high entropy with users’ preference for simplicity.
Each add-on should generate a new truly random password together with an easy-to-remember passphrase, the latter acting as a mnemonic key to the complex password. For convenience, there is no need to bother the user with fancy symbols and uppercase characters: choosing from the standard set of 26 lowercase letters and 10 digits already provides more than 5 bits of entropy per character.
Then the only problem left is how to remember each computer-generated passphrase for tens of online and offline accounts. On this front Clipperz, as well as 7dots, will soon have something to say …
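As an added illustration (not code from Clipperz, 7dots or Ping), the sketch below implements the add-on described above: the computer picks a uniformly random password over the 36-symbol alphabet, sized to reach a target entropy, and then derives a mnemonic phrase from it with one word per letter and digits kept literal; the tiny word list is a constructed placeholder for the “sufficiently large word list” of a real tool.

```python
import math
import secrets
import string

# Character set from the post: 26 lowercase letters plus 10 digits (36 symbols),
# which gives log2(36) ~ 5.17 bits of entropy per character.
ALPHABET = string.ascii_lowercase + string.digits
BITS_PER_CHAR = math.log2(len(ALPHABET))

# Constructed (hypothetical) mnemonic word list: one word per letter, each word
# starting with the letter it stands for. Digits stay literal in the phrase,
# in the style of "X)ey*93R -> XBOX ) elvis yellow * 9 3 RADIO" quoted above.
MNEMONIC_WORDS = dict(zip(string.ascii_lowercase, [
    "apple", "banjo", "candle", "dragon", "elvis", "falcon", "guitar",
    "hammer", "igloo", "jungle", "kettle", "lemon", "marble", "needle",
    "orange", "pencil", "quartz", "radio", "saddle", "tiger", "umbrella",
    "violin", "walnut", "xylophone", "yellow", "zebra",
]))


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random password of this length over ALPHABET."""
    return length * BITS_PER_CHAR


def length_for_bits(min_bits: float) -> int:
    """Shortest password length that reaches at least min_bits of entropy."""
    return math.ceil(min_bits / BITS_PER_CHAR)


def generate_password(min_bits: float = 80) -> str:
    """Let the computer choose: secrets (a CSPRNG), never the random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length_for_bits(min_bits)))


def mnemonic_for(password: str) -> str:
    """Turn the random jumble into a phrase: one word per letter, digits as-is."""
    return " ".join(MNEMONIC_WORDS.get(c, c) for c in password)


def recover_password(mnemonic: str) -> str:
    """Invert the mnemonic: first character of each token (a digit is one char)."""
    return "".join(token[0] for token in mnemonic.split())


if __name__ == "__main__":
    pw = generate_password(80)
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
    print("Remember it as:", mnemonic_for(pw))
```

Strength is fixed by the generator (16 symbols for 80 bits here); only the phrase that recalls it varies with the word list.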


Easy to remember strong passwords
This website http://strongpasswordgenerator.com/ makes strong, random passwords and makes them easy to remember, e.g. it will say:
Your new strong password is: X)ey*93R Remember it as: XBOX ) elvis yellow * 9 3 RADIO
I find it very useful for generating passwords that I can remember, so I’m more likely to use them.