Welcome to the SecAware blog

I spy with my beady eye ...

17 Nov 2011


Brian Krebs is an excellent journalist and blogger on information security matters.  He often seems to pick up infosec stories that nobody else covers and his advice is generally sound.

In respect of password choices, however, I think Brian's missing a trick. He offers the stock advice on avoiding common words, using miXed case and punctuation ... etc., all fair enough, but he neglects to mention the coolest tip of all, which is to use long passphrases.

Long passwords used to be counterproductive on old Windows systems that broke them into weak 7-character chunks. Windows hasn't done this for years. The only other issue I'm aware of is that some dinosaurs of the mainframe era still restrict password length to about 8 characters. But hey, it's only the mainframe, so nothing much to protect there, eh?

My favorite passphrases are the complete lines of songs, complete with punctuation, spaces, capiTaliZation and tricks such as duplicating, omitting or substituting certain characters. Best of all, I only need to remember one long passphrase - the one that opens my password vault - and I practice it often enough that it sticks in my mind. When it's time to change it, I simply pick another line or another song, poem or famous quotation, something memorable. Occasionally I find myself quietly humming along as I type it in, and yes, I'm paranoid enough to worry about anyone overhearing me!

Gary (Gary@isect.com)

1 comment:

1. I agree that password length is the key against brute force attacks. Note this article http://blogs.computerworlduk.com/unscrewing-security/2011/10/username-google-password-2bon2btitq/index.htm and others about the ads in Britain.
   2bon2btitq is a passphrase, as you mention, but how long before password attack dictionaries contain the first line of every Top 40 or 100 song with every variation of 'LEET' speak translator output? Entropy is less crucial as long as password length increases. Take D0g but make it <<<>>>. Easy to recall AND long enough to eliminate the chances of even the fastest password brute force tools.
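As an added illustration (not part of Gary's post or the comment above), here is a small Python policy check that puts both points together: it undoes the capitalisation, punctuation and character-substitution tricks described in the post so that a catalogued song line is recognised however it has been mangled, and it compares the search space of a short random password with the far smaller space an attacker faces when the passphrase is known to come from a dictionary of lines. The line list, the substitution table and the dictionary sizes are constructed assumptions, not real wordlists.

```python
import math
import re

# Constructed stand-in for the lyric/quotation dictionaries the comment warns
# about: a few famous lines (hypothetical list, not a real wordlist).
KNOWN_LINES = {
    "to be or not to be that is the question",
    "is this the real life is this just fantasy",
    "we will we will rock you",
}

# Reverse the usual substitution tricks so every variant collapses to one form
# (simplified: '1' is always read as 'i', though it could also stand for 'l').
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})

def canonical(phrase: str) -> str:
    """Undo case, leet and punctuation changes: 'Is th1s the ReaL l!fe?' and
    'is this the real life' both become 'is this the real life'."""
    letters = re.sub(r"[^a-z]+", " ", phrase.translate(UNLEET).lower())
    return " ".join(letters.split())

def check_passphrase(phrase: str, min_len: int = 20) -> str:
    """Policy check a password vault or login system might apply.
    'known-line' means the phrase is a catalogued lyric or quotation, however
    it was capitalised or leet-mangled; its length alone does not save it."""
    if len(phrase) < min_len:
        return "too-short"
    if canonical(phrase) in KNOWN_LINES:
        return "known-line"
    return "ok"

def random_password_bits(length: int, alphabet: int = 95) -> float:
    """Search space of a uniformly random password: log2(alphabet ** length)."""
    return length * math.log2(alphabet)

def dictionary_bound_bits(n_lines: int, variants_per_line: int) -> float:
    """Upper bound on the work to guess a passphrase the attacker knows is one
    of n_lines catalogued lines, each tried in variants_per_line spellings."""
    return math.log2(n_lines * variants_per_line)

if __name__ == "__main__":
    for p in ["2bon2btitq", "T0 b3 0r n0t t0 b3, th@t i$ the que$ti0n!",
              "Purple kettles argue with the tide on Tuesdays"]:
        print(f"{p!r:50} -> {check_passphrase(p)}")
    print(f"8 random printable chars: {random_password_bits(8):.1f} bits")
    print(f"1e6 lines x 1e4 variants each: {dictionary_bound_bits(10**6, 10**4):.1f} bits")
```

The last two figures are the practical caveat: a 41-character mangled Shakespeare line looks like hundreds of bits of brute-force work, but if the attacker's dictionary holds a million lines in ten thousand spellings each, it is only about 33 bits, well below the 52.6 bits of eight random printable characters.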