Strong Passwords for Protection: A Contrarian View

13 July, 2009

Hat tip to Slashdot and its post on Strong Passwords Not as Strong as you Think. Slashdot picked it up from Bruce Schneier, who writes the Schneier on Security blog, and his post here. The paper is an interesting review of the major threats to account security, with the authors finding that the major threats are the ones strong passwords alone can't defend against.

Some of the paper is rather technical, but the underlying premise is that the major areas of concern are phishing and keylogging, which the strongest passwords in the world can't defend against. The end result, according to the authors, is that requiring strong passwords doesn't necessarily add protection beyond a certain length and only makes passwords harder for the end user to remember. The article also points out that a better way to strengthen security is a combination of stronger user identification and passwords. I found Section 2.2, Bulk guessing attack on all accounts, to be interesting as an explanation of why you want passwords of a certain length: it keeps the space of possible passwords large enough that the same password is not used by many different users.
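To make the bulk-guessing point concrete, here is a small simulation I added for this post; it is not code from the paper or from any of the authors. The model and its parameters are my own assumptions: every user picks a password uniformly at random from a space of `space_size` candidates, a lockout policy limits the attacker to `guesses_per_account` attempts per account, and the attacker tries the same handful of guesses against every account (the "spray" that Section 2.2 describes). The code compares a small password space with a large one, both for how many accounts fall to the same few guesses and for how many users end up sharing a password.

```python
"""Bulk guessing across all accounts: why the size of the password space matters.

Added example for this post, not code from the paper. All modelling choices
(uniform password choice, fixed lockout threshold, identical guesses for every
account, the sample sizes below) are assumptions made for illustration.
"""
import random
from collections import Counter


def expected_compromised(accounts: int, guesses_per_account: int, space_size: int) -> float:
    """Analytic expectation under uniform password choice.

    Each guess matches a given account with probability 1/space_size, so the
    attacker's k guesses compromise roughly accounts * k / space_size accounts
    in total, no matter how the lockout policy is tuned.
    """
    hits_per_account = min(guesses_per_account, space_size) / space_size
    return accounts * hits_per_account


def draw_passwords(accounts: int, space_size: int, rng: random.Random) -> list:
    """Constructed sample population: each account picks uniformly from the space."""
    return [rng.randrange(space_size) for _ in range(accounts)]


def simulate_spray(accounts: int, guesses_per_account: int, space_size: int, seed: int = 0) -> int:
    """Monte Carlo run of the bulk guessing attack; returns accounts compromised."""
    rng = random.Random(seed)
    passwords = draw_passwords(accounts, space_size, rng)
    # The attacker uses the same guesses against every account, staying under
    # the lockout threshold on each one.
    guesses = set(rng.sample(range(space_size), min(guesses_per_account, space_size)))
    return sum(1 for pw in passwords if pw in guesses)


def shared_password_fraction(accounts: int, space_size: int, seed: int = 0) -> float:
    """Fraction of accounts whose password is also used by at least one other account."""
    rng = random.Random(seed)
    passwords = draw_passwords(accounts, space_size, rng)
    counts = Counter(passwords)
    shared = sum(1 for pw in passwords if counts[pw] > 1)
    return shared / accounts


if __name__ == "__main__":
    ACCOUNTS = 2000          # assumed population size
    GUESSES = 3              # assumed lockout threshold per account
    for label, space in (("weak policy (100 effective passwords)", 100),
                         ("strong policy (1,000,000 effective passwords)", 1_000_000)):
        print(label)
        print(f"  expected compromised : {expected_compromised(ACCOUNTS, GUESSES, space):.3f}")
        print(f"  simulated compromised: {simulate_spray(ACCOUNTS, GUESSES, space)}")
        print(f"  accounts sharing a pw: {shared_password_fraction(ACCOUNTS, space):.1%}")
```

The lockout threshold barely matters here; what drives the result is `accounts / space_size`. With a small space, almost every user shares a password with someone else and three guesses per account are enough to harvest a steady stream of compromises, whereas with a large space the same attack yields practically nothing. That is the argument for a minimum length: not to survive a dedicated attack on one account, but to keep the space large relative to the user population.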

Despite the logical and well-reasoned arguments of the authors, I doubt IT administrators will allow simpler passwords or reduce how often they require them to be changed, if only from a purely CYA perspective on security.

