Complex passwords: not just complexity

For more than 40 years, the IT industry has been losing the battle of passwords again and again. The celebrity iCloud account intrusions some time ago were just one of many notable failures. So why is something as simple as a password so hard to get right?

The problem with password security is that it looks so simple while actually being so difficult. In security, the most dangerous thing in the world is "thinking you know", because then you never question what you know. Ask a typical IT security expert whether they understand passwords and the vast majority will confidently and firmly answer "yes". But if that were so, why are password-related data leaks so common?

We are not discussing the technology of password protection here. We are talking about humans. People keep choosing bad passwords. As a typical example, the most common password in 2013 was "123456", the second was "password", and the third was "12345678". And yes, the well-known favorites "iloveyou", "letmein", "abc123", and "princess" appear on the most-used password list every year.

So why do users pay so little attention to their passwords? Partly because people (celebrities included) assume that no one will go after their accounts: the old "it won't happen to me" mentality. But another reason is that the password advice we give users is usually wrong.

One of the biggest mistakes the IT security community has ever made is pushing users toward complicated passwords without giving them practical guidance. If we make it too hard for users to remember a password, "123456" is the inevitable result. In the rare case that a user does create a complex password, it is usually too short and reused on all of their sites (at home and at work), including online shopping and online banking. A data breach at any one of those sites can then have potentially devastating consequences.

Exposing the truth about complex passwords

The term "complex password" may be the most misunderstood term in IT, and it is the cause of many of today's password problems. "Complex" is often taken to mean "cannot be remembered". We must realize that complexity is only a small part of the picture. What matters is not complexity alone but unpredictability (password entropy is a useful measure of how predictable a password is). That is the key to a good password.

An unpredictable password can still be easy for users to remember. Mixing uppercase and lowercase letters, digits, and special characters (the classic complexity rules) is good, as long as we do not fixate on those rules. Take the string "Iwentfishing4timeslastmonth?". This password (more accurately, passphrase) is easy to remember and easy to type, and it is not predictable. It is also a complex password containing the recommended uppercase letters, lowercase letters, digits, and special characters.

Any short sentence or motto that the user can easily remember can serve as a password. Take such a phrase, apply a few of the complexity rules, and you immediately have a strong password that will not be found in an attacker's dictionary and can only be cracked by brute force. According to the brute-force password cracking calculator from the Gibson Research Corporation (GRC), exhausting the search space of "Iwentfishing4timeslastmonth?" in this example would take 100 trillion x 76.43 centuries even at a rate of 1030 million guesses per second. That is a strong phrase.

Users can pick a few strings in this way and devise a formula for modifying them so that each site gets its own variant. For a Facebook password, for example, the user could prepend "FB" and the year they graduated, giving "FB89Iwentfishing4timeslastmonth?", and so on. I would suggest a more complex formula than this simple example, but the principle is the same. The user now has a strong password that is easy to remember and easy to type, and a different one for every site they visit. Is this perfect? Of course not. But it is far better than using a password like "123456" on 30 different sites.
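To make the entropy argument of the last three paragraphs concrete, here is an added Python example (not part of the original article and not GRC's calculator code). It estimates the brute-force search space of a password in the same "haystack" spirit as the GRC calculator (every string up to the password's length over the character classes it uses), checks the password against a constructed stand-in for an attacker's dictionary built from the common passwords named above, and applies the simple per-site prefix formula from the Facebook example. The character-class sizes (26 + 26 + 10 + 33 printable ASCII) and the 100 billion guesses-per-second rate are assumptions, and `derive_site_password` is a hypothetical helper.

```python
import math
import string

# Constructed sample list: the frequently used passwords named in the article.
# A real attacker dictionary holds millions of entries; this stands in for it.
COMMON_PASSWORDS = {
    "123456", "password", "12345678",
    "iloveyou", "letmein", "abc123", "princess",
}

# Character classes a brute-force search has to cover. The class sizes are the
# usual ASCII assumption (26 + 26 + 10 + 33 = 95 printable characters).
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation + " "),
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must assume, given the
    character classes the password actually uses."""
    return sum(
        len(chars)
        for chars in CHARACTER_CLASSES.values()
        if any(c in chars for c in password)
    )


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search tries before it is certain
    to have covered this password: every string of length 1..len(password)
    over the same alphabet (a haystack-style count)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def entropy_bits(password: str) -> float:
    """Search-space entropy in bits. This only measures how expensive a blind
    brute-force search is; it says nothing about dictionary attacks."""
    return math.log2(search_space(password))


def assess(password: str, guesses_per_second: float = 1e11) -> dict:
    """Combine the two checks the article relies on: is the password in the
    attacker's dictionary, and if not, how long does brute force take?
    The guess rate is an assumed figure, not a measured one."""
    in_dictionary = password.lower() in COMMON_PASSWORDS
    return {
        "in_dictionary": in_dictionary,
        "bits": entropy_bits(password),
        "seconds_to_exhaust": search_space(password) / guesses_per_second,
        # A dictionary hit falls almost instantly regardless of its entropy.
        "verdict": "dictionary word" if in_dictionary else "brute force only",
    }


def derive_site_password(base_phrase: str, site_tag: str, personal_tag: str) -> str:
    """The article's simple per-site formula: prefix the memorable base phrase
    with a site tag and a personal number (the Facebook example uses 'FB' and
    the graduation year '89'). Hypothetical helper; the article itself
    recommends a less obvious formula than this for real use."""
    return f"{site_tag}{personal_tag}{base_phrase}"


if __name__ == "__main__":
    for pw in ["123456", "Iwentfishing4timeslastmonth?"]:
        report = assess(pw)
        print(f"{pw!r}: alphabet={alphabet_size(pw)} bits={report['bits']:.1f} "
              f"exhaust={report['seconds_to_exhaust']:.3g}s verdict={report['verdict']}")
    print(derive_site_password("Iwentfishing4timeslastmonth?", "FB", "89"))
```

Two things the output makes visible: "123456" is rejected by the dictionary check before its (already tiny) search space matters, while the passphrase sits at roughly 184 bits of search space and is absent from the dictionary, which is exactly the "brute force only" property the article wants. The per-site helper also shows why the article asks for a more complex formula than the example: a guessable prefix such as "FB89" means that one leaked variant reveals the base phrase for every other site.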

Another trick is to create a unique username. Many sites require an email address as the username, but some financial institutions allow users to create their own. If a user's email address is the username on every site (especially combined with the same password), then a username leaked from any one site makes it easy to track down that user's accounts elsewhere. Using a unique username on any site that involves money is a good step, just like using a different passphrase on each of these key sites.

As a security community, we must get our message across and tell users how to create a proper password. We must let users know that "123456" is not an acceptable password, and that they do not have to memorize something unmemorable. Getting that message across means we must first understand password unpredictability better ourselves. Only then can we hope to explain it to our users.
