Security Corner

May 30 2011 8:00AM GMT

Everything I’ve Ever Said About Passwords is Wrong?

Ken Harthun

Well, maybe. At least that’s what Steve Gibson said in Episode 302 of the Security Now! podcast:

Nothing I’ve ever said about passwords is right. I mean, nothing everyone – anyone thinks. I have got some news. I know it sounds like I’ve lost my mind. But I think I can – I’m working on a new page now which is going to lay it all out and explain it and give people something to play with so they can test passwords using this new scheme. And when you hear it, you’re going to go, oh, my god. Why didn’t anyone ever think about this before?

If nothing anyone thinks about passwords is right, then I must be wrong, too, right?

Steve has been playing with a passcode designer under the premise “Maximal Entropy, Minimal Length, Maximal Strength.” He says that in the process of working on this, he realized that our concepts of passwords are wrong, and he has stamped the page with “obsolete.” He promises to reveal all in Security Now! Episode 303 this week. At the bottom of his passcode designer page, he posts a “post mortem.” Here’s an excerpt:

The Passcode Designer is based upon the concept of generating maximal-entropy, maximal-strength, and minimal-length passcodes by encouraging a high number of “transitions” between the four character “classes” where the classes were the uppercase alphabetic (A-Z), lowercase alphabetic (a-z), the ten digits (0-9) and the 33 printable special symbol characters (!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~). The interactive graphical JavaScript-driven state machine at the top of this page was the beginning of the development of that concept. (It is fully functional, finished, and works as intended.)

But after reaching this point, by creating what I thought was right, I realized what was wrong with that approach. What I never expected was what happened next: Unlikely as this sounds, I realized that we (the entire computer industry) have always been thinking about maximum-strength attack-resistant passwords in the wrong way. I realized that the creation of high-entropy passwords was not only often the wrong goal, but was typically counter-productive.

I can’t wait to see what he has come up with.
