
Bad passwords are not fun and good entropy is always important: demystifying security fallacies

published Tuesday, April 19, 2011 11:01:59 PM GMT; posted by http://troyhunt.myopenid.com/ on Monday, April 18, 2011 7:44:01 AM GMT

A couple of different friends sent me a link to an article about the usability of passwords this weekend, clearly thinking it would strike a chord. Well, let’s just say I was enthralled before I even finished the second line: "Security companies and IT people constantly tells us that we should use complex and difficult passwords. This is bad advice".

The crux of the article is that so long as a password is sufficiently long – the example used is “this is fun” – you’re pretty damn secure (apparently 11 characters is just right). Actually, the term used was "secure forever". Wow, two pretty absolute terms. So let’s take a look at these claims and apply a bit of objective analysis to see if they hold water.

Does a brute force attack really only run at 100 attempts per second?

Is "this is fun" really 10 times more secure than "J4fS<2"?

Do rainbow tables really work by an attacker copying and pasting a hash into a website?

Are bad password management practices on the server really not your problem?

category: Architecture | source: www.troyhunt.com
tags: Security