Secure Passwords Keep You Safer
Ever since I wrote about the 34,000 MySpace passwords I analyzed, people have been asking how to choose secure passwords.
My piece aside, there's been a lot written on this topic over the years -- both serious and humorous -- but most of it seems to be based on anecdotal suggestions rather than actual analytic evidence. What follows is some serious advice.
The attack I'm evaluating against is an offline password-guessing attack. This attack assumes that the attacker either has a copy of your encrypted document, or a server's encrypted password file, and can try passwords as fast as he can. There are instances where this attack doesn't make sense. ATM cards, for example, are secure even though they only have a four-digit PIN, because you can't do offline password guessing. And the police are more likely to get a warrant for your Hotmail account than to bother trying to crack your e-mail password. Your encryption program's key-escrow system is almost certainly more vulnerable than your password, as is any "secret question" you've set up in case you forget your password.
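The offline-versus-online distinction above, worked through as a small model (an added example, not the essay's own code): the offline guess rate, the three-tries-then-lockout policy and the two keyspaces compared are illustrative assumptions, not figures from the essay.

```python
# Threat-model arithmetic for the offline-vs-online distinction.
# Constructed example: the guess rate and lockout policy below are
# illustrative assumptions, not figures from the essay.
import math
from dataclasses import dataclass

SECONDS_PER_DAY = 24 * 3600

@dataclass(frozen=True)
class Keyspace:
    """A uniformly chosen secret of `length` symbols from an alphabet."""
    alphabet_size: int
    length: int

    @property
    def size(self) -> int:
        return self.alphabet_size ** self.length

    @property
    def entropy_bits(self) -> float:
        return self.length * math.log2(self.alphabet_size)

def offline_expected_seconds(space: Keyspace, guesses_per_second: float) -> float:
    """Offline attacker with a copy of the hash file: nothing throttles him,
    so only the per-guess check cost limits him; on average half the
    keyspace is searched before the right guess."""
    return space.size / 2 / guesses_per_second

def online_success_probability(space: Keyspace, attempts_per_window: int,
                               windows: int) -> float:
    """Online attacker against the live system, which locks after
    `attempts_per_window` wrong guesses (the ATM keeping the card).
    Each distinct guess hits with probability 1/size."""
    total_guesses = min(attempts_per_window * windows, space.size)
    return total_guesses / space.size

def compare(space: Keyspace, guesses_per_second: float,
            attempts_per_window: int, windows: int) -> dict:
    """Both attacker models side by side for one keyspace."""
    return {"entropy_bits": round(space.entropy_bits, 1),
            "offline_days": offline_expected_seconds(space, guesses_per_second) / SECONDS_PER_DAY,
            "online_p_success": online_success_probability(space, attempts_per_window, windows)}

if __name__ == "__main__":
    # Assumed attacker: 1e9 checks/s offline; online, 3 tries then lockout, one window.
    for name, space in (("4-digit PIN", Keyspace(10, 4)), ("8-char alnum", Keyspace(62, 8))):
        print(name, compare(space, 1e9, attempts_per_window=3, windows=1))
```

The same four-digit PIN that falls in microseconds offline gives an online guesser only a 0.03% chance per card, which is the essay's point about why the attack model, not the secret's length alone, decides what "secure" means.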