
Passwords and security


Troy Hunt: Bad passwords are not fun and good entropy is always important: demystifying security fallacies

A couple of different friends sent me over a link to an article about The Usability of Passwords this weekend, clearly thinking it would strike a chord.

Well, let’s just say I was enthralled before I even finished the second line: “Security companies and IT people constantly tells us that we should use complex and difficult passwords. This is bad advice.” The crux of the article (and subsequent FAQ) is that so long as a password is sufficiently long – the example used is “this is fun” – you’re pretty damn secure (apparently eleven characters is just right).

Actually, the term used was “secure forever”. This actually sounded alarmingly familiar: Eleven characters are probably above average as far as password length goes, no arguing there. Does a brute force attack really only run at 100 attempts per second? Is “this is fun” really 10 times more secure than “J4fS<2”? Do rainbow tables really work by an attacker copying and pasting a hash into a website?

Troy Hunt: Who’s who of bad password practices – banks, airlines and more

Ah, passwords. Love ‘em or hate ‘em, they’re a necessary evil of the digital age. The reality is we all end up with an alphabet soup of passwords spread over dozens of various sites and services across the internet. Whilst we might not always practice it, we all know the theory of creating a good password: uniqueness, randomness and length. The more of each, the better. Of course we frequently don’t do this because of all sorts of human factors such as convenience, memory or simple unawareness of the risks.

Troy Hunt: The science of password selection

A little while back I took a look at some recently breached accounts and wrote A brief Sony password analysis.

The results were alarming; passwords were relatively short (usually 6 to 10 characters), simple (less than 1% had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary). What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused passwords and even when I looked at a totally unrelated system – Gawker – reuse was still very high with over two thirds of common email addresses sharing the same password. But there was one important question I left unanswered and that was how people choose their passwords.

We now know that structurally, passwords almost always adhere to what we would consider “bad practices”, but how are these passwords derived in the first place? What’s the personal significance which causes someone to choose a particular password?

Secure Memorable Passwords

Inspired by XKCD and Password Hay Stacks | Powered by

This service is provided entirely for free and without ads, but the server is not free to run. Please consider making a small contribution towards those costs.

The Perl Module

This site is powered by the Perl Module, and serves as a good example of its capabilities. The module has been released under the FreeBSD license, so it's completely free to use, even within commercial products, providing the two terms of the FreeBSD license are observed. The module can be downloaded from the author's website:

You’re smart.

You don’t use passwords like the perennial 123456 and qwerty. Or even slightly better ones, like Cassie86 or Cubs1908. Because you put some thought into them, your passwords are better than those, right? Maybe. But unless you avoid a little-known mistake recently uncovered by password researchers, there’s a good chance your passwords will still be far easier for hackers to crack than you think.

Can you tell how strong a password is?

Zdhkqjbu83
74Xmbgdapw
Bmukwes3901!

Spoiler: They’re all an easy mark for hackers, even though every one is 9 or more characters long and contains a mix of both letters and non-letters.

Beat the clock

How does a hacker get hold of your password? As I explained in Hack-proof your passwords, which I wrote when I was Technology Editor at Consumer Reports, long passwords comprised of a variety of letters, numbers, and special characters can better withstand cracking software than can short, simpler ones.

Games users play