Recently I attended a conference about security. One of the speakers was giving steps for improving security. When he got down to the topic of passwords he said that password length is more important than complexity. And that's entirely correct.
But then he said that the best approach was to take a thesaurus and find four random words. Combine those four words together and voila! You then have a strong password.
Well, pulling four random words from a thesaurus might create a long password that resists one type of attack, the brute force attack, but it doesn't address other types of password attacks. And that approach doesn't address the bigger problem with passwords.
And what problem is that? It's how to manage all these long passwords.
If you create a long password of RhinocerosTelevisionFriarPrincipal, that's OK for one account. But what about for all of the other accounts that require unique passwords? Would you then have to memorize SnoreGondolaCheeseHope for that other account? And then remember CashierFrameComposerElastic for a third account? And MellonReportWalletNest for yet another account?
Do you see the obvious problem? We can use a thesaurus to create long passwords all day long--but we cannot remember all of them. And having a different password on each account is absolutely essential; that's because if an attacker were to uncover the password to one account then she would have the master key to unlock all of your accounts.
So typically users create one password and use it on multiple accounts, or make very minor changes to it (the password WhistleApplauseInjuryCarriage on one account becomes WhistleApplauseInjuryCarriage2 on another account). But changing a single character or even a handful of characters from one password to another variation of it doesn't give any real protection.
The real solution, in my opinion, is not to focus on how to create long passwords. The focus should instead be on using a password manager that can easily store and retrieve strong passwords on demand. That way we don't have to try to remember the password AngelTheatreResearchSignature (and which account it goes with). Instead, I can memorize one very strong password that is used to open my password manager. Then I can create even stronger passwords like bC&@Z]u\EpXbdmF>9'C;*$Y for each account, store them in my password manager, and pull them out whenever I need to.
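To put numbers on the three points above (four random words resist brute force, a random 23-character password is stronger still, and a "2" tacked onto a reused password adds almost nothing), here is an added example that is not part of the original post. The word list is a small constructed sample; the dictionary size of 7,776 words and the guess rate of 10 billion guesses per second are assumed values used only to make the comparison concrete.

```python
import math
import secrets
import string

# Constructed sample word list for the generator below. A real passphrase
# generator would load a dictionary of several thousand words; the entropy
# math is parameterised on the list size, so it applies to any list.
SAMPLE_WORDS = [
    "rhinoceros", "television", "friar", "principal",
    "snore", "gondola", "cheese", "hope",
    "cashier", "frame", "composer", "elastic",
]

# All 94 printable ASCII characters: what a password manager draws from.
SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` independent, uniform picks
    from `alphabet_size` options (the attacker knows the scheme)."""
    return length * math.log2(alphabet_size)


def passphrase(words, count: int = 4) -> str:
    """Four-random-words style passphrase. `secrets` is used rather than
    `random` because the choice must be unpredictable."""
    return "".join(secrets.choice(words).capitalize() for _ in range(count))


def random_password(length: int = 23, alphabet: str = SYMBOL_ALPHABET) -> str:
    """Manager-style password: uniform picks from the full printable set."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def variant_bits(choices: int) -> float:
    """Extra work for an attacker who already has the base password and
    knows only a small suffix was changed, e.g. one appended digit."""
    return math.log2(choices)


def compare(dictionary_size: int = 7776, word_count: int = 4,
            password_length: int = 23, guesses_per_second: float = 1e10) -> dict:
    """Assumed figures: a 7,776-word list and 10^10 guesses/second offline."""
    words = entropy_bits(dictionary_size, word_count)
    chars = entropy_bits(len(SYMBOL_ALPHABET), password_length)
    return {
        "passphrase_bits": round(words, 1),
        "passphrase_years": years_to_exhaust(words, guesses_per_second),
        "random_bits": round(chars, 1),
        "random_years": years_to_exhaust(chars, guesses_per_second),
        # Reused password with one appended digit: at most 10 extra guesses.
        "appended_digit_bits": round(variant_bits(10), 1),
    }


if __name__ == "__main__":
    print("passphrase:", passphrase(SAMPLE_WORDS))
    print("random   :", random_password())
    for k, v in compare().items():
        print(f"{k:>20}: {v:.3g}" if isinstance(v, float) else f"{k:>20}: {v}")
```

The takeaway the numbers show: four words from a 7,776-word list give about 52 bits, which is respectable but within reach of a well-resourced offline attacker in hours, while 23 random printable characters give roughly 150 bits; and a known password plus one digit costs the attacker about 3 bits, i.e. ten guesses, so reuse with small variations is reuse.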
Right now I have 291 different accounts that all have unique passwords. How do I know that? Because I have all of the account information and passwords I use stored in my password manager (the open source password manager KeePass is my favorite). So I don't try to memorize passwords like ScorpionPublicityCaffeineFleet times 291. I just have one super-strong password that I remember for opening my password manager, and then all 291 unique passwords are there.
So, the conversation should not be on just making long passwords. Rather, the focus needs to be on password management.
Instead of creating and using PasswordManagerIsEssential for a password, let's instead just practice it.