By now it's probable that most readers will have heard about LastPass's "Security Incident", in which users' password vaults were lifted from their servers. We're told that the vaults are encrypted such that they're of little use to anyone without futuristic computing power and a lot of time, but the damage is still done and I for one am glad that I wasn't a subscriber to their service. But perhaps the debacle serves a very good purpose for all of us, in that it affords a much-needed opportunity for a look at the way we do passwords.

If I close my eyes, I can almost imagine I'm on a cruise! Stena Line, CC BY 3.0

What Does A Car Ferry Have In Common With A Password?

One of my favourite ways to leave the UK is the ferry from Harwich to Hoek van Holland. There's an odd difference between its two legs though: the UK end has airport-style security with metal detectors and x-rays, while at the Hoek I simply walk through passport control onto the ferry. It's a particularly egregious demonstration of security theatre, the practice of overdoing largely unnecessary security measures to appear to be doing something. In the case of a car ferry it's especially pointless to use measures on foot passengers designed to protect aircraft, when all the motorists simply drive onto the ferry unobstructed.

A ferry might seem to have little relevance to password security, but the idea of security theatre it introduces is definitely of relevance in the field of passwords. How often have you encountered a website that imposes arcane rules on your choice, demanding a specified length, that it must contain numbers, or even worse, special characters? Does this help much? I'm not convinced, and I'd like to take a little journey through the issue to find out.

Weak And Feeble Human Brains Are No Match For A Computer!

The ideal password is a long randomly-generated string designed to confound brute-force cracking software. These techniques rely on trying every possible combination of characters sequentially, and the longest string with the most entropy is intended to be the one that takes the most time to reach. If you take the 95 printable ASCII characters as the alphabet, an attacker has to try 95 to the power of the string length different strings to catch everything, something that is likely to take a while. For a 10-character password that figure is 5.987369392 × 10¹⁹; you do use passwords that long, don't you?

They aren't memorable at all, and thus if your passwords are like this you're probably using some kind of password manager for them. Unfortunately very few humans use random strings as their passwords. Real humans have an unfortunate propensity to behave in predictable ways rather than random ones, so they'll use words and phrases they know and remember. And when asked to add letters, numbers, and special characters, they remain just as incapable of doing so in a random manner as they were with strings. A simple string such as jennylist becomes JennyList with capitals added, then JennyList! with a special character, and finally JennyList!1234 when it's been padded out to fit. The attacker trying to crack it can try shortcuts such as given names, dogs' names, football teams, and birth years with common letter substitutions and numerical sequences, making these memorable passwords secure in appearance but with substantially reduced entropy. But it's all OK folks, because they pass the test of having a special character, numbers, and upper-case letters.

So we've established that password security theatre is a thing, so what are the alternatives? XKCD had a stab at it with "correct horse battery staple", in which they put forward the idea of picking four memorable words to make a much longer password with greater entropy because of its size.

The famous "correct horse battery staple" from XKCD.

This is a great way to make a memorable password, but it deserves a closer look.
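To put numbers on the two kinds of password contrasted above, here is an added Python example; it is not code from the original article. It computes the 95-to-the-power-of-the-length search space from the brute-force paragraph, then runs a small rule-based attack of the kind the jennylist paragraph describes: candidates are built from a constructed wordlist, three capitalisation rules, the 32 ASCII punctuation characters and a short list of numeric suffixes, and the run shows how few guesses JennyList!1234 survives compared with a random string of the same length. The wordlist, the rule set, the suffix list, the 1e10 guesses-per-second rate, the use of SHA-256 as the stand-in hash and the 2048-word dictionary used for the four-word passphrase figure are all assumptions made for the illustration, not figures from the article.

```python
import hashlib
import itertools
import math
import string

PRINTABLE_ASCII = 95  # the alphabet the article counts

# Constructed sample wordlist standing in for the given names, pets' names and
# football teams a rule-based attack is seeded with (assumption: real lists run
# to millions of entries; eight keeps the demo fast).
WORDLIST = ["jenny list", "rover", "arsenal", "password",
            "letmein", "hackaday", "liverpool", "fluffy"]

# Assumed mangling rules mirroring jennylist -> JennyList -> JennyList! -> JennyList!1234.
CASE_RULES = {
    "lower": lambda w: w.replace(" ", ""),          # jennylist
    "title": lambda w: w.title().replace(" ", ""),  # JennyList
    "upper": lambda w: w.upper().replace(" ", ""),  # JENNYLIST
}
SPECIALS = list(string.punctuation)  # the 32 printable ASCII punctuation characters
# Assumed numeric suffixes: short counting runs plus plausible birth years.
NUMERIC_SUFFIXES = ["", "1", "12", "123", "1234", "12345"] + [str(y) for y in range(1950, 2011)]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings a sequential brute force must try: alphabet ** length."""
    return alphabet_size ** length


def bits(space: int) -> float:
    """Entropy, in bits, of a uniformly chosen element of a space of that size."""
    return math.log2(space)


def mangled_keyspace() -> int:
    """How many candidates the word + case + special + digits pattern can ever produce."""
    return len(WORDLIST) * len(CASE_RULES) * len(SPECIALS) * len(NUMERIC_SUFFIXES)


def mangled_candidates():
    """Yield every candidate the rule set generates, in itertools.product order."""
    for word, case, special, digits in itertools.product(
            WORDLIST, CASE_RULES.values(), SPECIALS, NUMERIC_SUFFIXES):
        yield case(word) + special + digits


def digest(password: str) -> str:
    """Stand-in password hash for the demo (a real target uses whatever the site stored)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash: str):
    """Hash each candidate until one matches. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for candidate in mangled_candidates():
        guesses += 1
        if digest(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


def seconds_to_exhaust(space: int, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole space at an assumed guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    # The article's figure: 95 ** 10 == 5.987369392e19 strings.
    print(f"random 10 chars: {keyspace(95, 10):.3e} strings, {bits(keyspace(95, 10)):.1f} bits")
    print(f"time to exhaust that at 1e10 guesses/s: {seconds_to_exhaust(keyspace(95, 10)) / 3.15e7:.0f} years")
    # JennyList!1234 is 14 characters, so a random 14-character string would be ...
    print(f"random 14 chars: {bits(keyspace(95, 14)):.1f} bits")
    # ... but the mangled version lives in a far smaller space:
    print(f"mangled pattern: {mangled_keyspace()} candidates, {bits(mangled_keyspace()):.1f} bits")
    found, guesses = crack(digest("JennyList!1234"))  # constructed victim hash
    print(f"recovered {found!r} after {guesses} guesses")
    # Assumed 2048-word dictionary for a four-word passphrase of the XKCD kind.
    print(f"four words from 2048: {bits(keyspace(2048, 4)):.0f} bits")
```

The point the run makes is that the composition rules add almost nothing: 95 printable characters over 14 positions give around 92 bits, but the JennyList!1234 pattern only ever has a few tens of thousands of candidates once the attacker guesses the base word, and the target falls in a couple of thousand hashes. Real cracking tools apply far larger wordlists and rule sets than this demo, and against the site's real hash function rather than SHA-256, but the shape of the attack is the same.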