14 December 2006


In case you hadn't noticed, we live in a digital world cordoned off by passwords. Nearly everything online requires them, so you are faced with the classic dilemma: use one hard-to-guess, hard-to-remember password for everything, or use lots of easy-to-remember, easy-to-guess ones - or maybe just one easy-to-guess one.

This fascinating analysis by Bruce Schneier of a clutch of compromised passwords from MySpace is slightly better news than you might have expected:

We used to quip that "password" is the most common password. Now it's "password1." Who said users haven't learned anything about security?

But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric.

The story has some good links to historical studies of passwords, as well as the usual sharp Brucie thoughts. Alas, these include the following:

None of this changes the reality that passwords have outlived their usefulness as a serious security device. Over the years, password crackers have been getting faster and faster. Current commercial products can test tens -- even hundreds -- of millions of passwords per second. At the same time, there's a maximum complexity to the passwords average people are willing to memorize (.pdf). Those lines crossed years ago, and typical real-world passwords are now software-guessable.

"Hundreds of millions of passwords per second"??? Gulp.
