Passphrases

This was from a little while back, but I hadn't got around to posting it yet. Dan Kaminsky offering a different view of passwords:

"You know what's amazing about passwords? They totally work," Kaminsky said. "The fundamental 'win' of a password over other technologies is its utter simplicity and mobility."
An easier way to make passwords more secure, Kaminsky said, is to mandate 12-character passwords, but make them all lowercase letters so users can create passphrases that are long but easy to remember. Increasing the length of passwords and thereby making them harder to crack is critical, he added, but it has to be done in a way that doesn't overly tax the human memory. 
He certainly brings up a good point. The problem may not be passwords, but bad passwords. And why do we get bad passwords? The same reason we get single passwords used across multiple systems or people using their birthdays as PIN numbers - "Password1" or "P@ssw0rd" is easier to remember than "w4dHu92#".

But will passphrases change that? It will involve a seismic shift in mindsets and many users having to 'unlearn' what they've been told previously. The 'passphrase' movement has been around for a while, and the first reaction from users when you say "Now your passwords have a 12-character minimum" is generally not positive - even if you do away with the complexity requirements. People already forget their passwords with alarming regularity; I'm not sure passphrases will be much easier to remember.

Passphrases have their limitations too - they don't help with password reuse, and won't stop a user changing "fourscoreandsevenyearsago" to "fourscoreandsevenyearsago1" on their next passphrase change.
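As an added illustration (not part of the original post or of Kaminsky's remarks), the Python below compares the search space of the two policies under a uniform-choice model and implements the length-only rule together with a check for the trailing-digit increment described above; the function names and the `MIN_LENGTH` constant are my own choices.

```python
import math
import re

# Search space of a uniformly chosen string: 12 lowercase letters (26^12)
# against 8 characters from the 95 printable ASCII symbols (95^8).
# Human-chosen passphrases built from dictionary words have far less
# entropy than this uniform model, so treat the figures as an upper bound.
def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space for `length` symbols drawn from `alphabet_size`."""
    return length * math.log2(alphabet_size)

# Policy from the post: mandate length, drop the complexity classes.
MIN_LENGTH = 12  # assumed constant, matching the 12-character minimum discussed

def meets_policy(candidate: str) -> bool:
    """Length is the only requirement; character classes are not checked."""
    return len(candidate) >= MIN_LENGTH

def strip_trailing_digits(s: str) -> str:
    """Remove any run of digits at the end of the string."""
    return re.sub(r"\d+$", "", s)

def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with only letter case or trailing digits
    changed, e.g. "fourscoreandsevenyearsago" -> "fourscoreandsevenyearsago1".
    Also true when old and new are identical."""
    return strip_trailing_digits(old).lower() == strip_trailing_digits(new).lower()

def evaluate_change(old: str, new: str) -> tuple[bool, str]:
    """Decide a passphrase change request; returns (accepted, reason)."""
    if not meets_policy(new):
        return False, f"shorter than {MIN_LENGTH} characters"
    if is_trivial_variant(old, new):
        return False, "only trailing digits or letter case differ from the previous passphrase"
    return True, "accepted"

if __name__ == "__main__":
    print(f"12 lowercase: {keyspace_bits(12, 26):.1f} bits, "
          f"8 printable: {keyspace_bits(8, 95):.1f} bits")
    for old, new in [("fourscoreandsevenyearsago", "fourscoreandsevenyearsago1"),
                     ("fourscoreandsevenyearsago", "whenintheourseofhumanevents")]:
        print(new, "->", evaluate_change(old, new))
```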

But I do agree with Dan that passwords work better than we probably give them credit for, and maybe passphrases will work even better.
