Cengage Technology & Computing Blog
PasswordManagerIsEssential
Mark_Ciampa
Valued Contributor
‎08-05-2017 06:56 PM

Recently I attended a security conference. One of the speakers was giving steps for improving security. When he got to the topic of passwords he said that password length is more important than complexity, and that's entirely correct: every character you add multiplies the number of guesses an attacker has to make, while swapping a letter for a symbol only enlarges the alphabet a little.

 

But then he said that the best approach was to take a thesaurus and find four random words. Combine those four words together and voila! You then have a strong password.

 

Well, pulling four random words from a thesaurus does create a long password that resists a character-by-character brute force attack, but it doesn't address other types of password attacks. An attacker who suspects the pattern can run a dictionary attack that tries combinations of whole words rather than characters, which shrinks the search space from "every string of that length" to "every four-word combination from a word list." And that approach doesn't address the bigger problem with passwords.

 

And what problem is that? It's how to manage all these long passwords.

 

If you create a long password of RhinocerosTelevisionFriarPrincipal, that's OK for one account. But what about for all of the other accounts that require unique passwords? Would you then have to memorize SnoreGondolaCheeseHope for that other account? And then remember CashierFrameComposerElastic for a third account? And MellonReportWalletNest for yet another account?

 

Do you see the obvious problem? We can use a thesaurus to create long passwords all day long, but we cannot remember all of them. And having a different password on each account is absolutely essential: if an attacker were to uncover the password to one account (a breached site's password database is the usual source), she would have the master key to unlock all of your accounts.

 

So typically users create one password and use it on multiple accounts, or make very minor changes to it (the password WhistleApplauseInjuryCarriage on one account becomes WhistleApplauseInjuryCarriage2 on another account). But changing a single character, or even a handful of characters, from one password to another variation of it doesn't give any real protection. Password cracking tools apply exactly these kinds of rules (append a digit, capitalize a letter, add a symbol at the end) to every candidate they try, so the variant falls at almost no extra cost once the original is known.

 

The real solution, in my opinion, is not to focus on how to create long passwords. The focus should instead be on using a password manager that can easily store and retrieve strong passwords on demand. That way we don't have to try to remember the password AngelTheatreResearchSignature (and which account it goes with). Instead, I can memorize one very strong password that is used to open my password manager. Then I can let the manager generate even stronger, fully random passwords like bC&@Z]u\EpXbdmF>9'C;*$Y for each account, store them in my password manager, and pull them out whenever I need to.
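As an added example that is not part of the original post (and not code from KeePass), the Python below puts numbers on the points made above: it compares the attacker's search space for a four-word passphrase attacked by word combination against a manager-generated random password attacked character by character, generates such a password with a cryptographic random source, and flags reused or lightly varied passwords in a vault. It assumes an attacker's word list of 10,000 entries and models the "append a digit or symbol" variation with a short regular expression; both are assumptions for illustration, and the sample vault is constructed from the passwords used in this post.

```python
"""Added example, not from the original post: search-space arithmetic
for passphrases versus random passwords, CSPRNG password generation,
and a check for reused or trivially varied passwords in a vault."""
import math
import re
import secrets
import string

# Assumption for illustration: the attacker's word list is about the
# size of a thesaurus, 10,000 entries.
WORD_LIST_SIZE = 10_000
# Printable ASCII without space: 52 letters + 10 digits + 32 symbols = 94.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def bits_words(num_words, list_size=WORD_LIST_SIZE):
    """Entropy in bits when the attacker guesses whole words from a list
    of list_size entries (a dictionary/combinator attack), which is the
    relevant number for a four-random-words password."""
    return num_words * math.log2(list_size)


def bits_chars(length, alphabet_size):
    """Entropy in bits of a uniformly random string of `length` symbols
    from an alphabet of `alphabet_size`: the attacker must brute force
    character by character because there is no word structure to exploit."""
    return length * math.log2(alphabet_size)


def generate_password(length=23, alphabet=PRINTABLE):
    """Generate a password the way a password manager does: each character
    chosen uniformly with a CSPRNG (the secrets module), so its strength is
    exactly bits_chars(length, len(alphabet))."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Assumption (simplified model of a cracker's mangling rules): a reused
# password is usually varied by appending up to three digits or symbols.
_TRAILING_SUFFIX = re.compile(r"[\d!@#$%^&*]{0,3}$")


def base_form(password):
    """Strip the short trailing digit/symbol suffix and lower-case, so that
    WhistleApplauseInjuryCarriage and WhistleApplauseInjuryCarriage2 map to
    the same base string."""
    return _TRAILING_SUFFIX.sub("", password).lower()


def find_reuse(vault):
    """vault: dict of account -> password. Return dict of base form ->
    sorted account names for every base shared by two or more accounts,
    i.e. exact reuse or the trivial variations the post warns about."""
    groups = {}
    for account, password in vault.items():
        groups.setdefault(base_form(password), []).append(account)
    return {base: sorted(accts) for base, accts in groups.items() if len(accts) > 1}


# Constructed sample vault using the passwords quoted in the post.
SAMPLE_VAULT = {
    "bank": "WhistleApplauseInjuryCarriage",
    "email": "WhistleApplauseInjuryCarriage2",
    "forum": "whistleapplauseinjurycarriage!",
    "shop": "RhinocerosTelevisionFriarPrincipal",
    "vpn": "bC&@Z]u\\EpXbdmF>9'C;*$Y",
}

if __name__ == "__main__":
    print(f"4 words from {WORD_LIST_SIZE} : {bits_words(4):.1f} bits")
    print(f"23 random printable chars : {bits_chars(23, len(PRINTABLE)):.1f} bits")
    print("generated:", generate_password())
    print("reuse found:", find_reuse(SAMPLE_VAULT))
```

The point of `bits_words` versus `bits_chars` is that the attacker picks the cheaper model: four words from a 10,000-word list is about 53 bits to a combinator attack even though the string is over 30 characters long, while 23 random printable characters is about 151 bits with no shortcut available. `find_reuse` is deliberately crude; its job is to show that the "add a 2 at the end" habit is detectable by a one-line rule, which is exactly why it buys nothing against a cracker.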

 

Right now I have 291 different accounts that all have unique passwords. How do I know that? Because I have all of the account information and passwords I use stored in my password manager (the open source password manager KeePass is my favorite). So I don't try to memorize passwords like ScorpionPublicityCaffeineFleet times 291. I just have one super-strong password that I remember for opening my password manager, and then all 291 unique passwords are there.

 

So, the conversation should not be on just making long passwords. Rather, the focus needs to be on password management.

 

Instead of creating and using PasswordManagerIsEssential for a password, let's instead just practice it.

 

2 Comments
TDaughtrey
Commentator

See this story in yesterday's (7 August 2017) WALL STREET JOURNAL: "The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!"

 

The latest (June 2017) NIST guidance is at https://pages.nist.gov/800-63-3/sp800-63b.html

 

Taz Daughtrey   Instructor   Central Virginia Community College   Lynchburg, Virginia

https://centralvirginia.edu/Programs-Classes/Science,-Technology,-Engineering,-and-Math/Cybersecurit...

 

Mark_Ciampa
Valued Contributor

Taz:

   Thanks for the link to the WSJ article.  It is correct that a long password is better than a short password, even if that short password contains a complex mix of characters.  But to have long passwords that are unique for each of my 291 different accounts still would make it impossible for me to remember more than a handful--and then I'd be tempted to repeat those passwords on multiple accounts, which is a violation of one of the most important rules for passwords.  The only real solution is to not rely on my memory; instead, I use a password manager to store and retrieve all of my passwords.

 

   And the next time you see Corinne Hoisington on campus tell her I said hi!

 

Mark