I was pointed at an article in the Washington Post on password security. It’s quite long and so I summarise:
- Length is better than complexity (More than 12 bytes)
- Simple transformations are no help (Don’t use 1st letter Caps and last character as 1 or !, mutt5nut5 is considered very easy.)
- Don’t reuse passwords for accounts that you care about! (A corollary is to delete the accounts on services you no longer use.)
- Write the passwords down in a secure place if you have too many, or use a password manager. (They are in favour, I am not so sure.)
- Don’t use personal facts about yourself (Bdays, Place of Birth, Pet’s names)
They have conducted some volume research by cracking and survey which they reference in the article and built a password checker based on these lessons but using it breaches one or maybe two of the rules I set myself in my Linkedin blog article “Password Vaults”. It’s on the internet, and we can’t read the code; that’s not to say it’s not a useful training tool.
Passwords
I re-read the Password Vaults article and on retrospect consider it a bit mealy mouthed. Password managers are good because they increase the use of strong and unique passwords, and may reduce the risk of social engineering attacks i.e. people giving away their passwords. They are bad because the password vault is on the internet or single device dependent, mostly the code is not open source and so firstly, we don’t know what it does, and secondly our password transaction no longer meets Kerckhoffs’ principle because while we need to keep the password secret, we need the password vault vendor to keep their secrets too.