'Strong' Passwords May Not Be All They're Cracked Up to Be

"A recent headline in a major news outlet announced, "Please do not change your password" because, as the sub-head teased, "it's a waste of your time." The paper cited in the story is the latest salvo questioning a certain orthodoxy about computer security—that strong, cryptic passwords are the keystone to personal security online. This oft-repeated advice may be at best, outdated, and at worst, counterproductive, potentially exposing users to more risk rather than less.

"When creating accounts, users are often told to choose "strong" passwords—meaning that they are of sufficient length (often longer than 6 characters) and include a combination of characters that do not resemble simple words. The premise, of course, is that these passwords will be difficult for a hacker to guess. We've all seen the crucial scene in a movie where the evil hacker logs onto a victim's computer and, using only their wit, guesses the correct password. But like most events in movies, this hardly ever happens in real life."

Complete Story

Related Stories:

• Setting the record straight on sudo(Apr 06, 2010)
• Are users right in rejecting security advice?(Mar 17, 2010)
• How to: Set Up TrueCrypt Disk Encryption, Part 2(Mar 04, 2010)
• The Perils of Sudo With User Passwords(Feb 26, 2010)
• GoDaddy store your passwords in clear-text and may try to SSH to your VPS without permission(Feb 25, 2010)
• Chuck Norris botnet infects Linux-based routers and DSL modems(Feb 22, 2010)
• Data Recovery in the event of your Death(Jan 29, 2010)
• Is Your Password among the 20 Most Popular (and Hackable)?(Jan 26, 2010)