[LINK] Guidance re Passwords
Craig Sanders
cas at taz.net.au
Fri Aug 5 20:06:43 AEST 2011
some comments on your password page at
http://www.rogerclarke.com/II/Passwords.html

I meant to comment when you were asking about passwords a few weeks ago
- the best password is a *LONG* password. Long (today) meaning 12 or
15 or even 20 characters. The longer, the better - once upon a time, 8
characters was a reasonably long password. It's not any more.

And if you're going to have a long password, it's crucial that it be
*memorable*, otherwise you'll forget it, give up, and just use a short
simple password.

You'll see a lot of recommendations for random "line-noise" passwords
that are pretty nearly impossible for most people to remember....they're
bad passwords for that reason alone. Worse, much worse, they tend to
be 8 characters long or less....which means they can be brute-force
cracked in less than a day with inexpensive consumer-class hardware (PCs
and GPUs) available today.
Your page already suggests using phrases or acronyms that are memorable
to the user. It should also recommend that such phrases should be at
least 15 characters long. Unfortunately, some systems won't allow
passwords that long, so use the longest password that it will allow.

Another good method for generating passwords is by picking two or three
(or more) 4-6 letter words and just stringing them together, optionally
with some numbers or punctuation characters in between them. You can pick
the words randomly (e.g. using a computer, or a newspaper and a dart) or
you can take advantage of your own word-association quirks to help make
the long password easier to remember.

e.g. this was semi-randomly picked from 4-6 letter words in my
/usr/share/dict/words list, with some numbers added to separate
the words.

    prior32space94pony

18 characters, quite easy to remember, and far more secure than any 8
character password no matter how many punctuation characters it has.

and once you've typed that password a few times, you'll mentally
associate prior with 32 and 32 with space and so on, so it becomes
easier to remember. you're creating a new word-association for yourself.
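As an added illustration (not part of Craig's message), here is a small Python script that automates the word-picking scheme just described: it filters a word list down to 4-6 letter words, picks words with a cryptographically secure random source, and joins them with random two-digit numbers, exactly as in the prior32space94pony example. It also estimates the size of the search space for a passphrase built this way versus a fixed-length password drawn from a character set, so a reader can check the "far more secure than any 8 character password" claim against the size of their own word list. The embedded word list is a constructed stand-in for /usr/share/dict/words; pass the real file to load_words() to use it.

```python
import math
import re
import secrets
import random

# Constructed stand-in for /usr/share/dict/words so the script runs offline.
SAMPLE_WORDS = """
a
prior
space
pony
maple
river
stone
cloud
quiet
garden
window
extraordinary
""".split()


def filter_words(words, min_len=4, max_len=6):
    """Keep lowercase alphabetic words of the requested length range."""
    return sorted({w for w in words
                   if w.isalpha() and w.islower() and min_len <= len(w) <= max_len})


def load_words(path="/usr/share/dict/words"):
    """Read a system word list; falls back to the constructed sample if absent."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            return filter_words(fh.read().split())
    except OSError:
        return filter_words(SAMPLE_WORDS)


def generate_passphrase(words, n_words=3, digits=2, rng=None):
    """Join n_words random words with random fixed-width numbers between them.

    rng defaults to secrets.SystemRandom(); a seeded random.Random can be
    passed for reproducible output in tests.
    """
    if not words:
        raise ValueError("empty word list")
    rng = rng or secrets.SystemRandom()
    parts = []
    for i in range(n_words):
        parts.append(rng.choice(words))
        if i < n_words - 1:
            # zero-padded so every separator has exactly `digits` digits
            parts.append(str(rng.randrange(10 ** digits)).zfill(digits))
    return "".join(parts)


def passphrase_search_bits(dict_size, n_words=3, digits=2):
    """log2 of the number of passphrases the scheme can produce
    (words chosen with replacement, a separator between each pair)."""
    return n_words * math.log2(dict_size) + (n_words - 1) * math.log2(10 ** digits)


def charset_search_bits(charset_size, length):
    """log2 of the number of passwords of a fixed length over a charset
    (e.g. 95 printable ASCII characters, length 8)."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    words = load_words()
    print(generate_passphrase(words))
    print("3 words + 2 numbers from %d words: %.1f bits" %
          (len(words), passphrase_search_bits(len(words))))
    print("8 printable-ASCII chars: %.1f bits" % charset_search_bits(95, 8))
```

The search-space figures are an upper bound on what an attacker who knows the scheme must try; an attacker who does not know it has to work character by character, which is the author's point about length. With a word list the size of a typical /usr/share/dict/words the three-word form lands in the same region as an 8-character random password, and adding a fourth word or a longer personal twist (as in the next paragraph) is what pushes it well beyond.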
to make it even longer, you could use the random words to inspire you -
transform it into something that amuses you (because you're more likely
to remember something amusing). for example

    the32ndprioryhasaspace-pony!

28 characters long. even if Moore's Law continues for the next century
or three, unlikely to be brute-force cracked before the heat death of
the universe.

of course, you can use CamelCase or sTUdlYcApS or B!FF/l337 sp3ak,
if you want but the more complicated it becomes the harder it is to
remember...and the general point here is that a long "simple" password
that's *easy* to remember is much more secure than any complicated
password that's hard to remember.
craig
--
craig sanders <cas at taz.net.au>
BOFH excuse #403:
Sysadmin didn't hear pager go off due to loud music from bar-room speakers.