Sunday, April 29, 2007

A Better Password Idea

One of the things we love about SPOGG is that our 3,500 or so members are experts in many topics. When we posted about bad grammar in password security, we received a swift response from Barry L.

Seriously, though, I don't know where this guy's advice is coming from.

There are two basic classes of password/phrase attacks: random and directed. It's true that one shouldn't use short passwords that are dictionary words, because they're too easily found by brute force (exhaustive dictionary search). It's also true that words or phrases that are related to oneself are prone to directed attacks using guesses (if I know you like Frank Zappa, I can try the titles of Zappa songs and albums, and popular lyrics).

But directed attacks against you and me are vanishingly rare, and a perfectly grammatical, perfectly spelled passphrase of, say, 22 characters would be essentially impossible to break. So, for instance, "directed attacks against you and me" would be a very nice 35-character passphrase.

Anyway, the most egregious bit of what you quoted is the second sentence of the first paragraph:
> A 15-character password, even if vast computing power were applied to
> the problem of cracking it, would take many years to accomplish that,
> according to Stamps.
What does "would take many years to accomplish that" go with?

Yes, indeed. That was a nonsensical sentence we should have corrected. We think they mean it would take years to crack a 15-character password. This is why Strunk and White recommend simple, declarative sentences. It's not that those are the only grammatical ones out there, of course. It's just much harder to mess those up.

So, here are some long, grammatical password suggestions:

- i_before_e_except_after_c_or_when_sounding_like_a_as_in_neighbor_and_weigh
- between_you_and_me,_this_is_a_hard_password_to_type

No comments: