I was at the CFET conference in Canterbury last week, then took a weekend off – quite a novelty… That's the city of Canterbury in the UK, by the way, not the region in New Zealand. (By the way, the papers I presented there will be available shortly.)
Coming back to the office after a few days without connectivity and trying to catch up with email and all that, I was initially confused to find an article in the New York Times by Randall Stross on "A Strong Password Isn't the Strongest Security", which referred to a paper by Cormac Herley (and incidentally made some perfectly fair points about the shortcomings of passwording). Hadn't I seen this article before, and even blogged on it? Well, no. The article I'd seen before was in the Boston Globe, and I blogged on it here.
As I've said before, I'm not fond of complex, hard-to-remember passwords that have to be changed at short intervals, forcing users into all sorts of potentially insecure evasion strategies. But the problem with both these articles (and Herley's original paper, which is actually well worth reading for its insight into the ergonomic shortcomings of many password systems) is that they don't really offer proven alternatives. They exist, of course, but static passwords are comparatively cheap to implement, which is why they've managed to survive so long.
Since never changing your password isn't generally a realistic option, and some sites actually prevent you from using good passwords and, even better, passphrases, we've produced a number of articles and papers on the topic to help make it easier to follow good practice, even when your provider seems set on preventing it. Here they are as a list, to make it easier to follow.
David Harley CITP FBCS CISSP
ESET Senior Research fellow