Security Corner

Apr 22 2010   1:25AM GMT

Passwords Are Too Complicated

Ken Harthun Ken Harthun Profile: Ken Harthun

What?

You heard me. How many posts and articles are out there about passwords? Put “password” into Google and you’ll get 772,000,00 (isn’t it nice how Google always reports round numbers?) How many “password systems” are out there? Google says 329,000,000. Let’s try “unguessable password”; in that case, we get 2,520 results (in which I have two articles on page one). Now we’re getting somewhere.

But passwords are too complicated a concept for most. After all, Q2@*rr55iN9}, while being an unguessable and virtually uncrackable password, is not very practical unless you use a password manager like LastPass or RoboForm (which I do). How are you going to remember something like that?

Enter the passphrase: Something that is easily remembered, but hard to guess (yes, this has been covered ad nauseam, too). Believe it or not, you can use almost any personal information you want and yet create a virtually unguessable, uncrackable password.

Let’s create an identity for illustrative purposes:

Joe Blow
SS: 323-457-9999
Idaho Driver’s License: B89-345-5555
Dog’s name: Rex
Wife’s name: Wilma

Assuming I’m a social engineer who knows all of this information, am I going to be able to guess this passphrase?

Blow-457RexB89Wilma5555

Nope. And neither will any modern Computer using any brute force algorithm in the lifetime of any entity in this universe. And you can write down a mnemonic for that password easily. Here’s a mnemonic for one of my passwords: Ken and Peggy got married in 1980! You’ll never guess the associated passphrase in a quintillion years, but I know exactly what it is.

As I said, passwords are too complicated. If you want to hide something, hide it in plain view. It’s all about trickery and misdirection.

Want to steal all of my money? Here’s my mnemonic for my main account password: Google Ken’s phone with a nickname.

Passwords are too complicated.

What do you think?

2  Comments on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • ToddN2000
    Yes, password strength is a must. Great policy if you make rules and follow them to insure network security. But I have a question on how we can solve our login problem. We have users in the factory who may not be PC literate. There solution is to create a macro for logging on the system. They say they can't remember passwords if they have to change them every 60 days. Any ideas on how to prevent them from using macros for logging in?
    8,215 pointsBadges:
    report
  • Ken Harthun
    Todd, Thanks for your comment. I have to assume that they're already logged on to something if they can even run a macro. Please explain further and I'll be happy to help. The answer to their complaint is to use an easy-to-remember passphrase. "ThisIsMyPassphrase!" is pretty secure and very easy to remember.
    1,150 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: