Saturday, March 21, 2009

choosing a good password

recently i've seen two separate videos talking about the problem of choosing a good password - one with michael santarcangelo and one with graham cluley... what bothers me, though, is that they're both repeating relatively old ideas with their pass-phrase method...

here's a different approach to the password choosing dilemma:

don't

you heard me, don't... don't choose a password... the primary reason for people choosing passwords is so that they can have a password that they can remember... this is an obsolete requirement - not because people's memories are that much better (they aren't, if anything the opposite is probably true) but because we now use so many things that need passwords that there's no way we can remember different passwords for all of them and have had to adapt... the poor way most people have adapted is to re-use passwords so that there's less to remember, but the smarter way is to store them so that you don't have to remember them at all...

let the computer generate a password for you using a program like password safe, it will be superior to anything you could choose manually... then store the password in password safe because computer memory is also superior to yours... if it's a password you need when the computer isn't on or a password you need in order to get into the computer in the first place, write it down and stick it in your wallet... if it's a password you need at many computers, you can carry the encrypted password database password safe creates around on a USB flash drive (in fact, password safe itself runs quite nicely from a flash drive without needing to be installed everywhere you need your passwords)...
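as an added illustration (not code from the original post, and not password safe's own generator): a minimal version of what "let the computer generate a password" means in practice, drawing every character from the OS's cryptographic random source and showing how the resulting entropy compares with a four-word pass-phrase; the symbol set, the default length of 16 and the 7776-word list size used for the pass-phrase comparison are assumptions for this example...

```python
import math
import secrets
import string

# Character classes the generator draws from. Password Safe lets the user pick
# which classes to include; the symbol set here is an assumption for this example.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&*+-=?@^_",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def alphabet_for(classes=ALL_CLASSES):
    """Concatenate the requested classes into the alphabet characters are drawn from."""
    return "".join(CLASSES[c] for c in classes)


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: each position is an independent
    choice among alphabet_size symbols, contributing log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def covers_classes(password, classes=ALL_CLASSES):
    """True if the password contains at least one character from every class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length=16, classes=ALL_CLASSES):
    """Draw every character with the OS CSPRNG (secrets, never random) and
    reject candidates that miss a requested class. Rejection sampling keeps
    the accepted passwords uniformly distributed over the accepted set, unlike
    schemes that overwrite positions to 'fix up' a missing class; at this
    length the rejected fraction is negligible, so the entropy estimate holds."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = alphabet_for(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if covers_classes(candidate, classes):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"~{entropy_bits(len(pw), len(alphabet_for())):.1f} bits")
    # For comparison, a four-word pass-phrase from a 7776-word (diceware-style) list:
    print(f"4-word pass-phrase ~{entropy_bits(4, 7776):.1f} bits")
```

a 16-character password over the 75-symbol alphabet comes to roughly 99.7 bits, against about 51.7 bits for the four-word pass-phrase, which is the point of letting the computer choose...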

stop following old password advice that hasn't kept up with the times, adapt to the realities of today and start using technology (even low-tech technology like a pencil and paper) to make dealing with the password problem easier...

2 comments:

Unknown said...

Thank you! This is what I've been doing for a few years now, and it works great. I stick PasswordSafe and its database on a USB stick, and away I go. I'm up to 50 or so login credentials at work. Tack on my personal logins (gmail, etc.) and I must be close to 100. This is just insane.

I wish two factor auth was more widespread.

Anonymous said...

This isn't a bad idea at all! It's commonly known that employees should not be left to manage their passwords on their own (that's why we have password policy in the first place). The good thing about using a password safe is that you can choose very complex passwords.

That's not only beneficial against brute force or dictionary attacks, but against social engineering attempts to acquire the password itself. My thinking is that if a person asks for the password to, say, some credit card database, the employee on the other end of the line is motivated not to divulge the information simply because it would be a pain in the ass to do so.