Earlier someone tweeted about this article (sorry I can’t reference it; I clicked on the link from Twitter a couple of days ago and can’t find the tweet now):
Passwords that are Strong—and Safe
which points to a Microsoft Research article here:
Popularity is Everything: A new approach to protecting passwords from statistical-guessing attacks
Why does this annoy me? Because in the security world, everything is still stuck in a closed-box mindset when it comes to passwords. We all know that short passwords and passwords that contain dictionary words are easy to break. Yet when posed the question “how can we make this better?”, no one ever thinks outside of the box.
“So what’s the answer then, smarty-pants?” you might ask. Great question, thanks!! The answer is to allow “sentences” for passwords. Why are passwords still limited to 6-14 characters? To save space in a database? REALLY? In the year 2010, do you think those extra few bytes (which could increase security exponentially) are too much to ask?
Imagine a world where, instead of words or first-letter-of-each-word passwords (like “taslaatt10!”, which you remember because it stands for “ted always smells like apples all the time” plus the last two digits of the year and an exclamation mark), we used sentences. Imagine having a password of:
“I’d like 12 oranges, please!”
Easy to remember, right? Now, try that “password” on some password testing sites:
It’s off the charts in terms of being secure and impossible to break. So I would expect Microsoft Research and others who develop best practices to think outside of the box on this one, because this (imho) is the best and easiest solution to this problem and has the highest chance of success. Again, in my humble opinion! 🙂
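To put numbers behind the “exponentially” claim above, here is an added example (my own code, not from the post or from the Microsoft Research paper) that estimates the guessing work for the mnemonic “taslaatt10!” and for the sentence “I’d like 12 oranges, please!”. It reports two figures: the character-level estimate that password-testing sites show, and a pessimistic word-level estimate that assumes an attacker guesses a sentence word by word from a vocabulary of 20,000 tokens. The vocabulary size and the 1e10 guesses-per-second rate are assumptions chosen for illustration.

```python
import math
import re
import string

# Character classes for the character-level (brute-force) estimate.
# Space is counted with punctuation, since it appears in sentence passwords.
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation + " ",
}


def alphabet_size(secret: str) -> int:
    """Size of the smallest union of standard character classes covering the secret."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in secret))


def char_level_bits(secret: str) -> float:
    """Bits of work for an attacker who must brute-force every character.

    This is the optimistic figure most password meters report: it assumes
    every character was chosen uniformly, which human-chosen secrets are not."""
    return len(secret) * math.log2(alphabet_size(secret))


def word_count(secret: str) -> int:
    """Number of word-like tokens (letters, digits, apostrophes) in the secret."""
    return len([w for w in re.split(r"[^A-Za-z0-9']+", secret) if w])


def word_level_bits(secret: str, vocabulary: int = 20_000) -> float:
    """Bits of work for an attacker who guesses a sentence word by word.

    The attacker is assumed to know the phrase is built from `vocabulary`
    candidate tokens (an assumed figure) and to get case and punctuation for free.
    Only meaningful for secrets with sentence structure (two or more tokens)."""
    return word_count(secret) * math.log2(vocabulary)


def defender_bits(secret: str) -> float:
    """The figure a defender should plan around: the cheapest attack that applies.

    A single-token secret has no word structure to exploit, so only the
    character-level search applies; a sentence gets the smaller of the two."""
    if word_count(secret) < 2:
        return char_level_bits(secret)
    return min(char_level_bits(secret), word_level_bits(secret))


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Seconds to search the whole space at an assumed offline guessing rate."""
    return 2.0 ** bits / guesses_per_second


def compare(secret_a: str, secret_b: str) -> dict:
    """Return all three estimates for two secrets, for side-by-side comparison."""
    return {
        s: {
            "length": len(s),
            "char_bits": round(char_level_bits(s), 1),
            "word_bits": round(word_level_bits(s), 1),
            "defender_bits": round(defender_bits(s), 1),
        }
        for s in (secret_a, secret_b)
    }


if __name__ == "__main__":
    mnemonic = "taslaatt10!"                   # first-letter-of-each-word style
    sentence = "I'd like 12 oranges, please!"  # sentence style from the post
    for secret, est in compare(mnemonic, sentence).items():
        years = seconds_to_exhaust(est["defender_bits"]) / (365.25 * 24 * 3600)
        print(f"{secret!r}: {est}  ~{years:.3g} years to exhaust at 1e10 guesses/s")
```

Under the character-level model the sentence scores roughly 184 bits against about 67 for the mnemonic, which is the “off the charts” result the testing sites show. Under the word-level model the sentence still comes out ahead (about 71 bits), but by a far smaller margin, so a policy that wants sentence passwords to pay off should encourage more words, unusual tokens such as the “12”, and no maximum length cap.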