Saturday, August 25, 2007

Your password is too short.

Forget complex passwords, you can't remember them- so you write them down (and lose the note). Besides, they are not that hard to break anyway. I won't bore you with all of the math* , but a really long passphrase will be more secure and easier to remember than a short, complex password. (Unless you use something lame like "p@ssw0rd", which is easy to remember and will be cracked by any viable dictionary attack).

This isn't just a hairbrained idea of mine, check out Mark Burnett's comments in this "Contrary Wisdom from Syngress Authors" video:
The whole clip is good, but did they have to leave Bruce looking like that?

Another thing, it is OK to write down your passwords. Just not on yellow stickies on your monitor- treat them like money, keep them in a safe place and destroy the old note when you change passwords.


* Alright, here's the basic math-
number of possible characters(length of password).

Assuming 62 possible characters for a simple set (a-z, A-Z, 0-9), and 94 for a full set with punctuation and other special characters- your eight digit "complex" password has 948 or 6.09568939 × 1015 possible passwords. A "simple" alphanumeric twelve digit password is significantly stronger with 6212 or 3.22626676 × 1021 possible combinations. Simply using a long nonsense phrase (no quoting Shakespeare or Darth Vader here, please) with all lower case letters and a space (to make it readable) results in a 27 character set; at sixteen digits we get 2716 or 7.97664431 × 1022 possible passwords, stronger than either of the above.