The “good password” anti-pattern, and a solution

Earlier someone tweeted about this article (sorry, I can’t reference it: I clicked the link from Twitter a couple of days ago and can’t find the tweet now):

Passwords that are Strong—and Safe

which points to a Microsoft Research article here:

Popularity is Everything: A new approach to protecting passwords from statistical-guessing attacks

Why does this annoy me? Because in the security world, everything is still stuck in a closed-box mindset when it comes to passwords. We all know that short passwords and passwords that contain dictionary words are easy to break. Yet, when posed with the “how can we make this better?” question, no one ever thinks outside of the box.

“So what’s the answer then, smarty-pants?” you might ask. Great question, thanks!! The answer is to allow “sentences” as passwords. Why are passwords still limited to 6-14 characters? To save space in a database? REALLY? In the year 2010, you think that those extra few bytes (which could increase security exponentially) are too much to ask?

Imagine a world where, instead of words or first-letter-of-each-word passwords (like “taslaatt10!”, which you remember because it stands for “ted always smells like apples all the time” plus the last 2 digits of the year and an exclamation mark), we used sentences. Imagine having a password of:

“I’d like 12 oranges, please!”

Easy to remember, right? Now, try that “password” on some password-testing sites:

It’s off the charts in terms of being secure and impossible to break. So, I would expect Microsoft Research and others who develop best practices to think outside of the box on this one, because this (imho) is the best and easiest solution to this problem, and has the highest chance of success. Again, in my humble opinion! 🙂
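To put numbers on the argument above, here is an added example (my own illustration, not code from the original post). It takes the post’s two sample passwords (with a straight ASCII apostrophe in the sentence), estimates the brute-force search space each one implies, contrasts the 6-14 character “no spaces” policy the post complains about with a length-only policy (the limits 8 and 256 are assumptions), and shows that the stored, salted PBKDF2 hash record is the same size for both, so a long passphrase costs the database nothing extra.

```python
import hashlib
import math
import os
import string

# Constructed sample inputs, taken from the post's own examples.
SHORT_PASSWORD = "taslaatt10!"                   # first-letter-of-each-word style
PASSPHRASE = "I'd like 12 oranges, please!"      # sentence style (ASCII apostrophe)


def charset_size(pw: str) -> int:
    """Size of the alphabet an exhaustive attacker would have to cover:
    the union of every standard character class that appears in pw."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", len(string.punctuation) + 1),  # 33
    ]
    return sum(n for chars, n in classes if any(c in chars for c in pw))


def brute_force_bits(pw: str) -> float:
    """log2 of the number of candidates in a length-and-charset brute force.
    This is an upper bound on strength: dictionary words and common phrases
    are cheaper to guess than this figure suggests."""
    return len(pw) * math.log2(charset_size(pw))


def legacy_policy_accepts(pw: str) -> bool:
    """The anti-pattern the post describes: 6-14 characters, no spaces.
    It rejects the passphrase outright."""
    return 6 <= len(pw) <= 14 and " " not in pw


def passphrase_policy_accepts(pw: str) -> bool:
    """Assumed length-only policy: spaces and punctuation are allowed, the
    minimum is 8 bytes and the maximum 256 bytes (a cap keeps the hashing
    cost bounded; the exact values are an assumption for this example)."""
    return 8 <= len(pw.encode("utf-8")) <= 256


def stored_record_size(pw: str) -> int:
    """Bytes stored for a salted PBKDF2-HMAC-SHA256 record. A password hash is
    fixed-length, so the database cost does not depend on password length."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)
    return len(salt) + len(digest)


if __name__ == "__main__":
    for pw in (SHORT_PASSWORD, PASSPHRASE):
        print(f"{pw!r}: charset={charset_size(pw)} "
              f"brute-force~{brute_force_bits(pw):.0f} bits "
              f"legacy={legacy_policy_accepts(pw)} "
              f"passphrase_policy={passphrase_policy_accepts(pw)} "
              f"stored={stored_record_size(pw)} bytes")
```

The brute-force figure is deliberately an upper bound: a sentence built from common words is weaker than 28 random characters, which is exactly the statistical-guessing concern the Microsoft Research paper addresses, but it is still far larger than the 11-character string. One implementation caveat when lifting a length limit: bcrypt only uses the first 72 bytes of its input, so a site that allows long passphrases should use a hash that consumes the whole string (PBKDF2, scrypt or Argon2) or pre-hash before bcrypt.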

Posted in Best-practices, Uncategorized