'Strong' Passwords May Not Be All They're Cracked Up to Be
Apr 28, 2010, 01:33
(Other stories by Aaron Weiss)
"A recent headline in a major news outlet announced, "Please do not change your password" because, as the sub-head teased, "it's a waste of your time." The paper cited in the story is the latest salvo questioning a certain orthodoxy about computer security—that strong, cryptic passwords are the keystone to personal security online. This oft-repeated advice may be, at best, outdated and, at worst, counterproductive, potentially exposing users to more risk rather than less.
"When creating accounts, users are often told to choose "strong" passwords—meaning that they are of sufficient length (often longer than 6 characters) and include a combination of characters that do not resemble simple words. The premise, of course, is that these passwords will be difficult for a hacker to guess. We've all seen the crucial scene in a movie where the evil hacker logs onto a victim's computer and, using only their wit, guesses the correct password. But like most events in movies, this hardly ever happens in real life."