Jun. 5th, 2006

fishsupreme: (Default)
This is a somewhat interesting service: http://www.passwordchart.com/

The idea is this: it is much easier for a human to remember a phrase and a word than to remember a strong password (like Nr$u9m4$u6LPbBf76.)  However, most systems are designed to take a single "word" of fixed length (usually 7-16 characters.)  Unfortunately, given those relatively short password lengths, such systems are easily brute-forced unless the password contains multiple character sets (e.g. upper & lowercase letters, numbers, and symbols.)

This site lets you enter a phrase & word and get a strong password based on it.  There are two basic ways you could use this:

1.)  Print out the chart, and memorize simple passwords for all the sites you use.  When you need to log into one, use the chart to translate your memorized password ("squid") to a strong password ("j8I48+64*7f7".)

2.)  Write down simple passwords for all the sites you use.  When you need to log into one, go to passwordchart.com and enter the word & your passphrase, then copy and paste the strong password into the site.  The disadvantage here is that you're vulnerable to "shoulder surfing" -- anyone looking at the screen sees your password.
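The post does not say how passwordchart.com builds its chart, so the following is an added illustration of the general idea, not the site's own code: a substitution chart is derived deterministically from a secret phrase, and a short memorized word is translated through it character by character. Assumptions (mine, not the page's): the memorized word uses lowercase letters and digits, each input character maps to a two-character chunk drawn from all 94 printable ASCII symbols, and the chart is keyed with SHA-256 over the phrase.

```python
"""A phrase-keyed substitution chart, in the spirit of passwordchart.com.

Added example, not the site's own algorithm (which the post does not
describe).  The chart is derived deterministically from a secret phrase
with SHA-256, so the same phrase always yields the same chart and the
same memorized word always translates to the same output.
"""
import hashlib
import math
import string

PLAIN_ALPHABET = string.ascii_lowercase + string.digits                     # 36 inputs
OUTPUT_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 outputs
CHUNK = 2                                   # output characters per input character


def _keystream(phrase: str):
    """Yield bytes from SHA-256(phrase || counter) for counter = 0, 1, 2, ..."""
    counter = 0
    while True:
        block = hashlib.sha256(phrase.encode("utf-8") + counter.to_bytes(4, "big")).digest()
        yield from block
        counter += 1


def build_chart(phrase: str) -> dict:
    """Map each plain character to a CHUNK-length string of output characters."""
    stream = _keystream(phrase)
    chart = {}
    for c in PLAIN_ALPHABET:
        chunk = ""
        while len(chunk) < CHUNK:
            b = next(stream)
            # Rejection sampling keeps the choice uniform over 94 symbols:
            # 256 mod 94 != 0, so a plain "b % 94" would bias the chart.
            if b < 188:                      # 188 is the largest multiple of 94 <= 256
                chunk += OUTPUT_ALPHABET[b % 94]
        chart[c] = chunk
    return chart


def translate(word: str, chart: dict) -> str:
    """Translate a memorized word ("squid") into the chart-derived password."""
    word = word.lower()
    bad = [c for c in word if c not in chart]
    if bad:
        raise ValueError(f"characters not on the chart: {bad}")
    return "".join(chart[c] for c in word)


def effective_bits(phrase_bits: float, word: str) -> float:
    """Upper bound on the entropy of the derived password.

    An attacker who guesses the phrase and the word has the output, however
    long and random it looks.  `phrase_bits` is your own estimate of the
    phrase's entropy; the word term assumes it is uniformly random over the
    36-character input alphabet, which overstates a dictionary word like
    "squid".
    """
    return phrase_bits + len(word) * math.log2(len(PLAIN_ALPHABET))


if __name__ == "__main__":
    chart = build_chart("example phrase, replace me")   # constructed sample phrase
    strong = translate("squid", chart)
    print("squid ->", strong, f"({len(strong)} chars)")
    print("entropy bound with a 40-bit phrase:", round(effective_bits(40, "squid"), 1), "bits")
```

The design point worth noticing is `effective_bits`: the translated password looks like 10 random printable characters (about 65 bits of keyspace), but whoever can guess the phrase and the word gets it for free, so the scheme is only as strong as those two inputs.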

However, I think the existence of this site is indicative of a larger problem -- technology has reached a point where the password is no longer a strong method of authentication.  It's simply too easy today to just try them all.  An 8-character password drawn from lowercase letters and digits (36 symbols) has a keyspace of only 36^8, about 2.8 trillion keys; that used to be insurmountable, but a common home PC that tries about 10 million passwords/sec now exhausts it in roughly three days, and on average finds the password in half that.  Thus, passwords have to include both cases of letters, plus symbols -- using all 94 printable ASCII characters brings the keyspace up to 94^8, about 6.1 quadrillion keys, which at the same rate is on the order of 19 years and so defeats cracking on a single home computer.  However, even that keyspace is searchable on parallel supercomputers in a reasonably short time -- while it's fine for keeping people out of your web email, it's not so fine for protecting company secrets from a competitor or industrial spy.
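To make the arithmetic above reproducible, here is an added calculator (my code, not from the post) that works out the alphabet an attacker would have to search for a given password, the resulting keyspace, and the search time at a given guess rate. The 10 million guesses/sec default is the post's 2006 home-PC figure and is only an assumption for illustration; treat the rate as a parameter, since it has risen by orders of magnitude since.

```python
"""Keyspace and brute-force time estimates for fixed-length passwords.

Added example, not from the original post.  It reproduces the post's
numbers (36^8 and 94^8) with explicit alphabet sizes and lets you plug in
your own guess rate.
"""
import math
import string

# Character classes a password may draw from (94 printable ASCII characters in total).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def alphabet_size_for(password: str) -> int:
    """Size of the smallest union of character classes that covers this password.

    This mirrors how a cracker picks a charset: if the password contains a
    digit, the whole digit class is searched, and so on.
    """
    size = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))
    if size == 0 or any(all(c not in chars for chars in CLASSES.values()) for c in password):
        raise ValueError("password uses characters outside the printable ASCII classes")
    return size


def crack_time_seconds(space: int, guesses_per_second: float, fraction: float = 1.0) -> float:
    """Time to search `fraction` of the keyspace at the given rate.

    fraction=1.0 is the worst case for the attacker; fraction=0.5 is the
    expected time to hit a uniformly random password.
    """
    return space * fraction / guesses_per_second


def describe(password: str, guesses_per_second: float = 1e7) -> dict:
    """Summarise the search an attacker faces for this password at this rate."""
    n = alphabet_size_for(password)
    space = keyspace(n, len(password))
    return {
        "alphabet": n,
        "keyspace": space,
        "bits": round(math.log2(space), 1),
        "full_search_days": crack_time_seconds(space, guesses_per_second) / 86400,
    }


if __name__ == "__main__":
    # Constructed sample passwords: the post's two cases plus its 17-character example.
    for pw in ["squid123", "a#7%494f", "Nr$u9m4$u6LPbBf76"]:
        print(f"{pw:20} {describe(pw)}")
```

Run it with a realistic modern rate (say `describe("squid123", 1e10)`) to see how little the 8-character lowercase-and-digit case buys today.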

Once your password looks like a#7%494f78Kg337h, it's hard to crack, but harder to remember.  The other problem is that passwords tend to be re-used by people once they find one they like.  Thus, if a username and password works at one site, it probably works at many others -- this is the principle behind AccessDiver (not that that will be obvious from its website, which pretends it's a "security tool" and not a tool for hacking into websites, which it is.) 

At this point, though this isn't the security conventional wisdom by any means, I don't think strong passwords are particularly important.  Having a password is far better than having no password, but a strong one doesn't go that much further in protecting you.  If someone can get a hold of the password file (i.e. they've compromised some site you have an account on), they can extract your password, given enough time -- and these days it's not necessarily taking all that much time.  If the attacker doesn't have the password file, and has to attempt to crack the password remotely, then the solution is not better passwords but better lockout policies.  It hardly matters whether it will take 3 quadrillion attempts or only 10,000 to guess right if after 3 wrong password attempts the account is disabled.

In the long term, we need to move from passwords to a better form of authentication.  Per-site certificates stored on smart cards would be excellent.  A federated token system (dynamic passwords read off of a handheld device) would be good, too.  Unfortunately, both of those methods require everyone to have some piece of hardware they don't presently have, which is a serious adoption problem.  It would be great if every bank required you to have a smart card & reader to log into the site -- but none of them want to be first, for fear of driving off customers.  Also, they all have the fear of adopting the wrong system and having to pay for another, different system again in the future.
