Slashdot Mirror


Password Security: Why the Horse Battery Staple Is Not Correct

First time accepted submitter Dadoo writes By now, everyone who reads Slashdot regularly has seen the XKCD comic discussing how to choose a more secure password, but at least one security researcher rejects that theory, asserting that password managers are the most important technology people can use to keep their accounts safe. He says, "In this post, I'm going to make the following arguments: 1) Choosing a password should be something you do very infrequently. 2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks. 3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password. 4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords."

5 of 549 comments

  1. Re:Oh great by rnturn · · Score: 4, Informative

    "We're being awfully slow about teaching people to adopt passphrases"

    Maybe because there are so many websites out there that still limit your password/passphrase to a fairly short maximum number of characters. If I wanted to use something like "correcthorsebatterystaple" I'm usually not allowed to. Especially when using commercial sites, you are, all too often, limited to a short -- and often numeric-only -- password (PIN, actually).

    --
    CUR ALLOC 20195.....5804M
  2. Use a password manager by KozmoStevnNaut · · Score: 3, Informative

    I've used Keepass for a long time, but I recently moved to Lastpass because getting Keepass to sync reliably is a major hassle, plus Lastpass works really well on Android, even for apps. I have a strong master password, which is easy to change regularly because I only have to remember that one password. I also have 2-factor authentication enabled through Google Authenticator. Every other password is randomly generated, I don't even know them.

    --
    Eat the rich.
  3. Re:What's the UTF-8 encoding of THAT? by Guy Harris · · Score: 3, Informative

    If by "that" you mean "a fecal sample", the Unicode encoding is U+1F4A9.

  4. Re: symbols, caps, numbers by geminidomino · · Score: 3, Informative

    It gets hashed down to 28-64 characters and written into the database?

  5. Re: Oh great by David Jao · · Score: 5, Informative

    A quantum computer can brute force a password quadratically faster than a classical computer. This speedup is much slower than the exponential speedup that a quantum computer enjoys against RSA. Long passphrases are still very secure against quantum attacks.
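Two of the threads above lend themselves to one small worked example: the summary's points 3 and 4 (treat "how many other people chose this password" as the primary criterion and have strength meters reject common passwords outright) and the last comment's quadratic (Grover) speedup for brute force. The following Python is an added illustration, not code from the Slashdot post, the linked researcher, or any commenter. The common-password list is a constructed handful of entries standing in for a breach-derived list of millions; the trailing-decoration stripping, the 2048-word dictionary size, and the 12-character minimum are all assumptions of this example.

```python
"""Added example (not from the Slashdot post or its commenters):
a password-acceptance check that rejects commonly chosen passwords first,
plus the quadratic-speedup arithmetic for brute-forcing a passphrase."""
import math
import unicodedata

# Constructed sample list. A real deployment would load a breach-derived
# list of millions of entries, one per line, already lowercased (assumption).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "correcthorsebatterystaple", "monkey", "dragon", "welcome",
}


def normalize(password: str) -> str:
    """Canonical form for the lookup: NFKC then casefold, so a leading
    capital or full-width digits do not dodge the common-list check."""
    return unicodedata.normalize("NFKC", password).casefold()


def strip_trivial_decoration(s: str) -> str:
    """Drop trailing digits/punctuation that users bolt onto a common word
    to satisfy 'must contain a number' rules ("Password1!" -> "password").
    This heuristic is an assumption of the example, not a standard."""
    return s.rstrip("0123456789!@#$%^&*.?_-")


def is_common(password: str) -> bool:
    """True if the password, or its undecorated base, is on the shared list."""
    base = normalize(password)
    return base in COMMON_PASSWORDS or strip_trivial_decoration(base) in COMMON_PASSWORDS


def check_password(password: str, min_length: int = 12) -> tuple[bool, str]:
    """Order matters: a password shared with many other users is rejected
    before any length or character-class rule is even consulted, because an
    informed attacker tries the popular list first, not the full keyspace."""
    if is_common(password):
        return (False, "rejected: chosen by many other users")
    if len(password) < min_length:
        return (False, f"rejected: shorter than {min_length} characters")
    return (True, "ok")


def passphrase_bits(word_count: int, dictionary_size: int = 2048) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random
    from a dictionary of the given size (2048 words = 11 bits per word)."""
    return word_count * math.log2(dictionary_size)


def brute_force_bits(entropy_bits: float, quantum: bool = False) -> float:
    """Attacker work in bits for a pure guessing attack. Grover's algorithm
    gives a quadratic speedup, so 2**n classical guesses become about
    2**(n/2) quantum queries; the exponent is halved, not collapsed."""
    return entropy_bits / 2 if quantum else entropy_bits


def words_needed(target_bits: float, dictionary_size: int = 2048,
                 quantum: bool = False) -> int:
    """Smallest word count whose passphrase still costs at least target_bits
    of work against the chosen attacker model."""
    per_word = math.log2(dictionary_size)
    if quantum:
        per_word /= 2
    return math.ceil(target_bits / per_word)


if __name__ == "__main__":
    for candidate in ("Password1!", "correcthorsebatterystaple", "purple-giraffe-lantern-quartz"):
        print(f"{candidate!r}: {check_password(candidate)}")
    for n in (4, 6, 8):
        bits = passphrase_bits(n)
        print(f"{n} words: {bits:.0f} bits classical, "
              f"{brute_force_bits(bits, quantum=True):.0f} bits under Grover")
    print("words for 80-bit quantum margin:", words_needed(80, quantum=True))
```

Note that "correcthorsebatterystaple" fails the check even though it is 25 characters long: once a password appears in a widely read comic it is, by the summary's own criterion, one of the most popular passwords in existence, and no length rule rescues it. The Grover arithmetic makes the last comment's point concrete: halving the exponent means a four-word passphrase from a 2048-word list drops from 44 to 22 bits of guessing work, so under that attacker model you compensate by adding words rather than by abandoning passphrases.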