Passwords are Dead

I came to this topic from Eilenblogger’s comment on one way hashing. He reminds me that most systems using passwords have a number of requirements to make them more difficult to crack. You’ll see a lot of rules:

  • The password must be so many characters long
  • The password must have an upper case letter
  • The password must have a lower case letter
  • The password must include a special character
  • The password must not include any text from the login

Other guidance adds further restrictions for the case where an attacker knows something about the person who created the password:

  • Don’t use your birthday
  • Don’t use anything related to your name or the name of family members or pets
  • Don’t use things that personally identify you
  • Don’t replace alpha characters with numbers or symbols that look similar. Examples are:
      • Replace E with 3
      • Replace O with @ or a with @
      • Replace I with 1 or !

All of these rules and guidance used to matter a lot when it took a supercomputer a day to crack one word. Today, using a modern GPU, attackers can crack even the most difficult password in a matter of seconds or less. For this reason encryption should be used, but it should not be counted on for ultimate privacy.

The thing that I find the most interesting is that the most secure password mechanism, other than biometrics, is not to use a password. Security analysts have found that a pass phrase is more secure for a number of reasons:

  • Because it is a phrase, it is easier to remember. You are less likely to write it down, which is a typical way for others to discover your password.
  • Because it is easy to remember, it is easier to change more often. You can easily remember and change a pass phrase weekly, or even daily.
  • Because a pass phrase can be fairly long, it makes it more difficult to crack.
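To put numbers on the last point, and on the look-alike substitution guidance above, here is an added example that is not part of the editorial. It estimates the attacker's guess space for a rule-compliant 8-character password, for a dictionary word dressed up with substitutions, and for a random five-word pass phrase; the guess rate, dictionary size and word-list size are assumed parameters, not measurements.

```python
import math

# Reverse map for the look-alike substitutions the editorial lists (E->3, O/a->@,
# I->1 or !), plus 0 for O and $ for S; lets a dictionary check see the base word.
LEET_REVERSE = {"3": "e", "@": "a", "1": "i", "!": "i", "0": "o", "$": "s"}

# Constructed stand-in for a real cracking dictionary (real ones hold 10^5..10^8 entries).
SAMPLE_DICTIONARY = {"password", "dragon", "sunshine", "letmein"}


def normalise_leet(candidate: str) -> str:
    """Undo digit/symbol look-alikes and case so 'P@ssw0rd' is checked as 'password'."""
    return "".join(LEET_REVERSE.get(ch, ch) for ch in candidate).lower()


def is_dictionary_derived(candidate: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """True when the candidate is just a dictionary word with substitutions applied."""
    return normalise_leet(candidate) in dictionary


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the candidates to try when every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at the given guess rate (worst case for the attacker)."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    RATE = 1e10  # assumed GPU guess rate against a fast hash; a parameter, not a measurement
    # Rule-compliant 8-character password drawn at random from 95 printable ASCII symbols.
    pw_bits = guess_space_bits(95, 8)
    # Same length, but really a dictionary word with look-alike substitutions:
    # effective space is roughly (dictionary size) x (substitution/case variants).
    leet_bits = math.log2(100_000 * 64)
    # Five words chosen at random from a 7776-word list (assumed diceware-sized list).
    phrase_bits = guess_space_bits(7776, 5)
    for label, bits in (("random 8-char", pw_bits), ("leet of a word", leet_bits),
                        ("5-word phrase", phrase_bits)):
        print(f"{label:15s} {bits:5.1f} bits  ~{seconds_to_exhaust(bits, RATE):.3g} s to exhaust")
    print("P@ssw0rd dictionary-derived:", is_dictionary_derived("P@ssw0rd"))
```

The pass-phrase figure only holds when the words are chosen at random; a well-known quote is itself a dictionary entry for a cracker.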

That being said, I’m curious why a pass phrase is not more prominent. We keep churning out the same old worn-out password rules. Until we can take advantage of biometric input, does it make sense to start using pass phrases instead? What would it take for you to adopt using a pass phrase?

Cheers,

Ben