Editorials

A Better Password

It seems like we continue to write our authentication applications using the same old techniques that are less secure for a number of reasons. First let me explain what I mean by old techniques.

  • Your password must have at least one upper case letter
  • Your password must have at least one lower case letter
  • Your password must contain at least one special character
  • Your password must contain at least one number
  • Your password must be at least 8 characters long

Sound familiar? We just seem to keep repeating this mantra, even though it has proven not to be very secure against modern attackers using GPUs (graphics processing units) on machines as cheap as a laptop.

So, what's wrong with them? They are hard to remember, so we don't like to change them very often, and we sometimes write them down because we forget them. They are also short, which makes a brute-force attack easier.

It has long been recommended that we use a passphrase in place of the above criteria. A passphrase of 6 or more words is much harder to crack. I'm not saying it is impossible; it just takes more time. What makes it more secure in practice is that a phrase is easier to remember: you don't write it down, and you can change it more often.

I could use a phrase like "On Monday I am going to the bank." That has nothing to do with anything; I don't even have to go to the bank. But I can remember it for a week. In situations where a password has to be shared, this method is much more useful.

Today I was directed to www.diceware.com as a tool for generating passphrases. Its output is more random and perhaps harder to remember, but the power of the passphrase is still there to make it harder to crack.
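To put numbers behind the comparison above, here is a short Python script added to this editorial (it is not code from the editorial's author or from the Diceware project). It checks a password against the five old-style rules listed earlier, estimates the entropy of such a password against a dice-selected passphrase, and shows how a Diceware roll of five dice selects a word. The 94-character alphabet, the 7776-word list size (six to the fifth power, the size of a standard Diceware list), and the guess rate used in the printout are assumptions of the calculation; the small word list is constructed for the example and is not the real Diceware list.

```python
import math
import re
import secrets

# Constructed sample word list: a dozen words standing in for a full
# Diceware list (which has 7776 entries). Not the real list.
SAMPLE_WORDS = ["monday", "bank", "going", "cheap", "laptop", "phrase",
                "remember", "crack", "random", "share", "change", "week"]

DICEWARE_LIST_SIZE = 6 ** 5   # five six-sided dice select one of 7776 words
PRINTABLE_ASCII = 94          # assumed alphabet: upper + lower + digits + 32 symbols


def meets_old_policy(password: str) -> bool:
    """True when the password satisfies the five rules quoted in the editorial."""
    rules = [
        re.search(r"[A-Z]", password) is not None,        # at least one upper case
        re.search(r"[a-z]", password) is not None,        # at least one lower case
        re.search(r"[^A-Za-z0-9]", password) is not None,  # at least one special char
        re.search(r"[0-9]", password) is not None,        # at least one digit
        len(password) >= 8,                               # at least 8 characters
    ]
    return all(rules)


def policy_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Upper bound on the entropy of a uniformly random character password.
    Human-chosen passwords that merely satisfy the rules have far less."""
    return length * math.log2(alphabet_size)


def diceware_entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase whose words are picked uniformly from the list."""
    return word_count * math.log2(list_size)


def words_needed_to_beat(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of dice-selected words that exceeds target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def dice_roll_to_index(rolls: str) -> int:
    """Map a five-digit dice roll ('11111' .. '66666') to a list index 0 .. 7775."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("expected exactly five digits, each in 1..6")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)   # base-6 digit, dice show 1..6 not 0..5
    return index


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDS) -> str:
    """Pick words with the secrets module (a CSPRNG), never with random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the right guess: half the keyspace at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second for a fast hash on a GPU rig
    for label, bits in [("8-char policy password", policy_entropy_bits(8)),
                        ("6-word diceware passphrase", diceware_entropy_bits(6))]:
        years = expected_crack_seconds(bits, rate) / (3600 * 24 * 365)
        print(f"{label}: {bits:.1f} bits, ~{years:.2e} years at {rate:.0e} guesses/s")
    print("words needed to beat the 8-char bound:", words_needed_to_beat(policy_entropy_bits(8)))
    print("sample passphrase:", generate_passphrase(6))
```

The entropy figures are the honest way to compare the two styles: an 8-character password drawn from all 94 printable characters tops out near 52 bits, while six Diceware words give about 77.5 bits, and five words already exceed the 8-character bound. The phrase from the editorial ("On Monday I am going to the bank") is easier to remember than six dice-picked words but also far more guessable, since its words follow ordinary English; that is the trade-off Diceware makes.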

Is it time to get off the old style password? Leave your comments here or drop an email to btaylor@sswug.org.

Cheers,

Ben