Strong passwords: deja vu all over again

I was at the CFET conference in Canterbury last week, then took a weekend off – quite a novelty… That's the city of Canterbury in the UK, by the way, not the region in New Zealand. (By the way, the papers I presented there will be available shortly.)

Coming back to the office after a few days without connectivity and trying to catch up with email and all that, I was initially confused to find an article in the New York Times by Randall Stross on "A Strong Password Isn't the Strongest Security" which referred to a paper by Cormac Herley (and incidentally made some perfectly fair points about the shortcomings of passwording). Hadn't I seen this article before, and even blogged on it? Well, no. The article I'd seen before was in the Boston Globe and I blogged on it here.

As I've said before, I'm not fond of complex, hard-to-remember passwords that have to be changed at short intervals, forcing users into all sorts of potentially insecure evasion strategies. But the problem with both these articles (and Herley's original paper, which is actually well worth reading for its insight into the ergonomic shortcomings of many password systems) is that they don't really offer proven alternatives. They exist, of course, but static passwords are comparatively cheap to implement, which is why they've managed to survive so long.

Since never changing your password isn't generally a realistic option, and some sites actually prevent you from using good passwords and, even better, passphrases, we've produced a number of articles and papers on the topic to help make it easier to follow good practice, even when your provider seems set on preventing it. Here they are as a list, to make it easier to follow.
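To make the point about sites that block good passwords concrete, here is an added example (not from the post or from ESET) contrasting two constructed password policies: a legacy "complexity" policy of the kind that rejects passphrases, and a length-first policy that accepts them. The deny-list, the sample passwords and the character-class entropy estimate are all assumptions made for the illustration; the estimate is a crude upper bound and is used only to compare the two shapes of password, not to score real ones.

```python
import math
import re
from typing import Tuple

# Constructed deny-list of the sort a length-first policy should still reject.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Constructed sample inputs: a short "complex" password and a long passphrase.
SHORT_COMPLEX = "Tr0ub4dor&3"
LONG_PASSPHRASE = "correct horse battery staple"


def restrictive_policy(pw: str) -> Tuple[bool, str]:
    """Legacy rules that end up blocking passphrases: 8-16 characters,
    no spaces, and all four character classes required."""
    if not 8 <= len(pw) <= 16:
        return False, "length must be 8-16 characters"
    if " " in pw:
        return False, "spaces are not allowed"
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9\s]")
    if not all(re.search(p, pw) for p in classes):
        return False, "must contain lower, upper, digit and symbol"
    return True, "ok"


def passphrase_friendly_policy(pw: str, min_len: int = 15) -> Tuple[bool, str]:
    """Length-first rules: no maximum, spaces allowed, only a minimum length
    and a deny-list of well-known passwords."""
    if pw.lower() in COMMON_PASSWORDS:
        return False, "password is on the deny-list"
    if len(pw) < min_len:
        return False, f"must be at least {min_len} characters"
    return True, "ok"


def estimated_entropy_bits(pw: str) -> float:
    """Crude upper bound: length * log2(size of the alphabet actually used).
    Human-chosen passwords are far weaker than this against dictionary
    attacks; the figure only shows why length beats mandatory symbols."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9\s]", pw):
        alphabet += 33  # printable ASCII punctuation
    if " " in pw:
        alphabet += 1
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for pw in (SHORT_COMPLEX, LONG_PASSPHRASE, "password"):
        print(f"{pw!r}: restrictive={restrictive_policy(pw)}, "
              f"passphrase_friendly={passphrase_friendly_policy(pw)}, "
              f"~{estimated_entropy_bits(pw):.0f} bits")
```

Running it shows the inversion the post describes: the restrictive policy accepts the short complex string and rejects the passphrase outright for being too long, while the length-first policy does the opposite, even though the passphrase's estimated entropy is considerably higher.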

David Harley CITP FBCS CISSP
ESET Senior Research fellow

Author David Harley, ESET

  • Jason Chambers

    It’s kind of ironic that the best password you can have on a Windows computer is a blank password. Leaving your password blank makes your account on the computer inaccessible from remote access.

    I, for one, am a believer in wallet passwords: making passwords so strong that you have to write the password down and store it in your wallet, where by policy, if you lost your password, you would have to report your lost password to your IT Administrator.

    Reduces the requirements for expiring passwords.

  • Adam Wilder

    I'll admit that I have to change my passwords on my accounts on a monthly basis, though some of the services I use don't allow you to use a large variety of numbers, letters, symbols. Anyways, I keep trying to update my password as well as taking all other security actions to reduce my security threat potential and all.

Copyright © 2014 ESET, All Rights Reserved.