April 8, 2013

Strong passwords? Yes, but let's not get carried away

By Lynn Evans

I'm getting a bit tired of over-the-top advice about strong passwords. Of course, we all need to keep our passwords secure. But a lot of what tech journals and websites write about the subject is exaggerated and alarmist - and often counter-productive.

Take this recent article in PC World magazine. Amongst some otherwise sensible advice, it urges us to

" … make sure [the password] contains at least ten characters, and includes a mix of uppercase and lowercase letters as well as numbers and symbols. A letters-only password, however, can still be secure as long as it's at least 20 characters long."

Let's first dispose of the arithmetic error in the above statement. Assuming there are 32 symbols on the keyboard, that means there will be 94 characters available for the password (52 upper- and lowercase letters, ten digits and 32 symbols). For a ten-character string, that would give 5.3 times ten to the power of 19 possible combinations. To get a similar number of combinations using only the 26 lowercase letters, you would need a string of just 14 characters, not 20.

OK, I admit that's a purely arithmetic issue - not one that affects the main argument. But consider this. A ten-character string containing letters, digits and symbols would take exactly the same effort to crack as one containing only lowercase letters - provided the would-be intruder didn't know that. Since we're trying to defend against a brute-force attack, the bad guys would still need to try every combination of characters, even though you know that you're only using letters.

Over the top

But even that argument is not all that relevant. The main reason I think the advice is over the top is that no secure website or service would ever allow a brute-force attack in the first place. Just try entering an invalid password a few times into your bank's login screen. Chances are you'll be locked out after the third or fourth attempt. And you'll have to jump through several hoops before you'll be let back in.

The idea of an intruder trying billions of combinations in turn, with the bank patiently accepting every failed attempt - well, that's just ludicrous.

Of course we must be careful in choosing our passwords. But let's keep things in proportion. It's surely better to use a relatively straightforward (but non-obvious) word or phrase that you can easily remember, rather than an obscure combination of letters, digits and symbols - one that you will probably have to write down for fear of forgetting.

