This fascinating analysis by Bruce Schneier of a clutch of compromised passwords from MySpace is slightly better news than you might have expected:
We used to quip that "password" is the most common password. Now it's "password1." Who said users haven't learned anything about security?
But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric.
The story has some good links to historical studies of passwords, as well as the usual sharp Brucie thoughts. Alas, these include the following:
None of this changes the reality that passwords have outlived their usefulness as a serious security device. Over the years, password crackers have been getting faster and faster. Current commercial products can test tens -- even hundreds -- of millions of passwords per second. At the same time, there's a maximum complexity to the passwords average people are willing to memorize. Those lines crossed years ago, and typical real-world passwords are now software-guessable.
"Hundreds of millions of passwords per second"??? Gulp.