Monday, May 23, 2005

Stop using Passwords, Use Pass Phrases!

Do you hate remembering all those freaky passwords, ones that, if possible, meet password complexity requirements? I do. There are about 10 passwords I have to remember/change on a regular basis, not to mention the ones I use for Blogger, my Hotmail, Gmail etc...
While surfing the web I found an interesting article on Robert Hensing's Blog. He recommends using Pass-Phrases instead of passwords of 7 or more letters and numbers. (If you use fewer, you're hackable in a sniff's time.)
What, according to Robert, are the advantages of using Phrases?
1. They meet all password complexity requirements due to the use of upper / lowercase letters and punctuation (you don't HAVE to use numbers to meet password complexity requirements).
2. They are so freaking easy for me to remember it's not even funny. For me, I find it MUCH easier to remember a sentence from a favorite song or a funny quote than to remember 'xYaQxrz!' (which b.t.w. is long enough and complex enough to meet our internal complexity requirements, but is weak enough to not survive any kind of brute-force password grinding attack with say LC5, let alone a lookup table attack). That password would not survive sustained attack with LC5 long enough to matter so in my mind it's pointless to use a password like that. You may as well just leave your password blank.
3. I dare say that even with the most advanced hardware you are not going to guess, crack, brute-force or pre-compute these passwords in the 70 days or so that they were around (remember you only need the password to survive attack long enough for you to change the password).
Want to know more? Read it here.
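To put numbers on the "survive until you change it" argument, here is an added example (not code from this post or from Robert's article) that checks a secret against a complexity rule and estimates how long a full character-by-character search would take compared with the 70-day lifetime. The guess rate, the "3 of 4 character classes" rule and the sample pass phrase are assumptions made for illustration; the estimate covers exhaustive search only, so a well-known lyric or quote that appears in a phrase list gets no credit from it.

```python
import math
import string

# Assumptions, not from the post: attacker speed and the complexity rule.
GUESSES_PER_SECOND = 1e10   # assumed offline guessing rate
LIFETIME_DAYS = 70          # password lifetime mentioned in the post

# Character classes and the number of symbols in each.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation + " ",   # 32 symbols plus the space
}

def classes_used(secret):
    """Names of the character classes that appear in the secret."""
    return sorted(n for n, chars in CLASSES.items()
                  if any(c in chars for c in secret))

def meets_complexity(secret, min_len=7, min_classes=3):
    """Assumed rule: minimum length and at least 3 of the 4 classes."""
    return len(secret) >= min_len and len(classes_used(secret)) >= min_classes

def search_space_bits(secret):
    """log2 of the number of candidates an exhaustive search must cover."""
    alphabet = sum(len(CLASSES[n]) for n in classes_used(secret))
    return len(secret) * math.log2(alphabet) if alphabet else 0.0

def days_to_exhaust(secret, rate=GUESSES_PER_SECOND):
    """Days needed to try every candidate at the given guess rate."""
    return 2 ** search_space_bits(secret) / rate / 86400

def survives_lifetime(secret, rate=GUESSES_PER_SECOND, days=LIFETIME_DAYS):
    """True if exhaustive search takes longer than the password lifetime."""
    return days_to_exhaust(secret, rate) > days

if __name__ == "__main__":
    samples = [
        "xYaQxrz!",                      # the password quoted in the post
        "My dog chases the red ball!",   # constructed sample pass phrase
    ]
    for s in samples:
        print(f"{s!r}: complex={meets_complexity(s)} "
              f"bits={search_space_bits(s):.1f} "
              f"days={days_to_exhaust(s):.3g} "
              f"survives_70_days={survives_lifetime(s)}")
```

Both samples pass the complexity rule, but only the pass phrase outlasts the 70-day window at the assumed rate.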
