Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat.
Wednesday, July 15, 2009
Do stronger passwords do anything?
Apparently not:
Subscribe to:
Post Comments (Atom)
Bruce Schneier has an excellent blog on computer security and the costs/trade-offs involved.
ReplyDeletehttp://www.schneier.com/blog/
Weak passwords offer little security. Strong passwords (ie, long and complex) are hard to remember, so users often write them on post-its and put them on their computer, defeating the purpose.
Password strength also depends on what you're guarding. You could use a short password on your gaming PC, but you'd want a stronger one on the computer you do your banking on.
BTW, the 20-bit rule only applies to a specific set of use cases and is a very bad general rule. At ACCRE, we try to crack user's password on the theory that it's better for us to do it preemptively and issue a stronger password, then wait for the bad guys to crack it. Our security machine can crack the average 20-bit key in less than one minute.