Well, maybe. At least that’s what Steve Gibson said in Episode 302 of the Security Now! podcast:
Nothing I’ve ever said about passwords is right. I mean, nothing everyone – anyone thinks. I have got some news. I know it sounds like I’ve lost my mind. But I think I can – I’m working on a new page now which is going to lay it all out and explain it and give people something to play with so they can test passwords using this new scheme. And when you hear it, you’re going to go, oh, my god. Why didn’t anyone ever think about this before?
If nothing anyone thinks about passwords is right, then I must be wrong, too, right?
Steve has been working on a passcode designer under the premise “Maximal Entropy, Minimal Length, Maximal Strength.” He says that in the process of building it, he realized that our concepts of passwords are wrong, and he has stamped the page with “obsolete.” He promises to reveal all in Security Now! Episode 303 this week. At the bottom of his passcode designer page, he posts a “post mortem.” Here’s an excerpt:
But after reaching this point, by creating what I thought was right, I realized what was wrong with that approach. What I never expected was what happened next: Unlikely as this sounds, I realized that we (the entire computer industry) have always been thinking about maximum-strength attack-resistant passwords in the wrong way. I realized that the creation of high-entropy passwords was not only often the wrong goal, but was typically counter-productive.
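Until the new page is up, here is something to play with in the meantime. This is an added example, written for this post; it is not Steve’s passcode designer and not his unreleased scheme. It assumes one particular attacker model (stated in the docstring): an attacker who learns only which character classes a password uses and then tries every string of every length up to the password’s length. Under that assumption it separates two things that often get conflated: the entropy a password *would* have if every character had been chosen uniformly at random, and the size of the search space an exhaustive attacker must cover. The sample passwords in the demo are constructed for illustration.

```python
"""Brute-force search-space calculator for passwords (added illustration).

Assumption (not from the post, and not Steve Gibson's scheme): the attacker
knows nothing about the password except which character classes it draws
from, and tries every string of every length from 1 up to the password's
length. This measures resistance to exhaustive search only; it says nothing
about dictionary, pattern, or leaked-password attacks.
"""
import math
import string

# Character classes with the size of each; symbols = ASCII punctuation + space.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation) | {" "}, 33),
}


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes the password actually uses."""
    size = 0
    for chars, n in CLASSES.values():
        if any(c in chars for c in password):
            size += n
    return size


def search_space(password: str) -> int:
    """Guesses needed to exhaust every string of length 1..len(password) over the
    alphabet the password reveals (a geometric sum, computed exactly as an int)."""
    a = alphabet_size(password)
    n = len(password)
    if a == 0:
        return 0
    return sum(a ** k for k in range(1, n + 1))


def entropy_bits_if_random(password: str) -> float:
    """Entropy in bits IF each character were drawn uniformly from that alphabet.
    This is an upper bound: a human-chosen password is far from uniform, so its
    real entropy is lower, while the attacker's search space above is unchanged."""
    a = alphabet_size(password)
    return len(password) * math.log2(a) if a else 0.0


def time_to_search(password: str, guesses_per_second: float) -> float:
    """Seconds to exhaust the search space at a given guess rate."""
    return search_space(password) / guesses_per_second


if __name__ == "__main__":
    # Constructed samples: a short, dense password vs a long, lowercase-only one.
    samples = ["Tr7#qZ!m", "thisisalongbutboringpassword"]
    rate = 1e11  # guesses/second, an assumed offline-cracking rate
    for pw in samples:
        print(f"{pw!r}: alphabet={alphabet_size(pw)} "
              f"entropy-if-random={entropy_bits_if_random(pw):.1f} bits "
              f"search={search_space(pw):.3e} guesses "
              f"time={time_to_search(pw, rate) / 31_557_600:.3e} years")
```

Note what the demo shows: the longer lowercase-only password has a search space many orders of magnitude larger than the short mixed-class one, even though its entropy-if-random is the lower-quality estimate of the two (it is an upper bound that a dictionary attacker would not need to honour). Whether that is the point Steve is about to make is exactly what Episode 303 will tell us.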
I can’t wait to see what he has come up with.