Open Cloze

Gap-fill exercise

Fill in all the gaps, then press "Check" to check your answers.
Our Terrible, Horrible, No Good, Very Bad Password System

It has a heck of a year for password/password hash disclosures. the same week in June, millions of password hashes disclosed from LinkedIn, eHarmony and Last.fm. And in same week in July, more than 450,000 usernames and unencrypted passwords were reportedly stolen Yahoo Voice, while 420,000 password hashes were leaked as a of an attack on the social networking site, Formspring. These events have a lot of attention to the issue of password security.

particularly interesting breach occurred right the end of 2011. Anonymous released over 800,000 password hashes with personal information and credit numbers from Stratfor. Stratfor writes popular analyses of current geopolitical , and most large companies have a few employees have created accounts them.

There is a engine of the Stratfor data available online which you can input your company's domain and obtain a list of employees who associated their work address with their Stratfor account and subsequently their password hash disclosed. Two questions immediately come to when you see these search results: Did any of those employees use a password Stratfor that they also use their corporate network? If so, have all of those passwords changed?

I have no that we will see more password compromises the future. Passwords are the oldest security control that have, and they are probably the understood. It would be nice to imagine that these breaches result in the universal adoption of two-factor authentication technologies, or at least password vaults, those changes are not going to happen everywhere both economic and usability reasons. The fact that passwords are here to stay, and it is to get serious about modernizing the approach that corporations to password security.

We need to abandon passwords in of passphrases.

Today's passwords are too short. Two years ago, the Georgia Tech Research Institute argued that any password shorter 12 characters was easily broken with a PC and graphics processor. Passwords that are than 12 characters aren't really passwords anymore -- they are passphrases, and we should start calling them so users understand what they should be to protect themselves.

Many of the password rules that systems are enforcing can be counterproductive. Forcing users to include a combination of random capitalizations and special characters passwords hard to remember, leads people to adopt common character substitutions that satisfy the requirements adding security.

Password expiration has the same , prompting users to adopt poor practices such regularly incrementing a number the end of their password. The worst password rule that I ever encountered is maximum length. Enforcing a short maximum password length is to result in bad security consequences. It also the transition to passphrases impossible.

We need to rid of almost all of the password rules that we enforce today except one -- minimum length. We need to set the minimum lengths higher, and encourage users create passphrases instead of passwords. Combinations of four or more randomly chosen, unrelated English words are often more secure than short passwords and much easier remember, as as they aren't full of random character substitutions.

Adapted and abridged from: technewsworld.com, July 18, 2012.