Password strength, more characters are better than complexity

In a recent PBS Newshour article discussing the recent Yahoo! password list theft, a reference to a chart showing howshort passwords can still be secure was added to the story. The data and conclusions included in that chart were disturbing to me, to say the least.  While complexity does add to the number of characters one would have to try to brute force attack a password lengthening the password has a much greater effect on improving password security particularly when you force people to use the complexity.

Actually requiring combinations of letters, numbers, and symbols in a short password increases the chances of the password being cracked as you have limited the theoretical set of combinations that could be used to make the password, thus making rainbow tables much more efficient. In the paper*Reduced Keyspace with Password Complexity* the math clearly shows how this actually occurs.

`The Usability of Passwords <>`__ study, by Thomas Baekdal, also includes quite a few assumptions that aren't very realistic. Saying that “...most web applications would not be capable of handling more than 100 sign-in requests per second” is a rather big assumption of unknown systems where these attacks might occur. A quick Google search returns a wide range of answers including one discussing the limiting factor of one system being the iSCSI storage system and the system only being able to handle 200 sign-in requests per second, per server. With cloud computing you could potentially have hundreds or thousands of servers bring brought together to handle whatever the load.

Another assumption is that the passwords are being attacked remotely and are actually removed from the system, like what happened with LinkedIn and Yahoo!. Once an encrypted list of passwords are brought locally the attack could occur quite quickly and the latency of the home system's interface and the network are removed completely. Mr. Baekdal is correct, however, when discussing passwords that are not stored encrypted. Complexity and length will not help you there. What will help you, though, is the use of a unique password for each account you have so that if the password is exposed you haven't put all your accounts at risk.

Oddly enough, it appears that Mr. Baekdal has already been confronted with these issues but still doesn't get it. Again, his assumptions get in the way of what the possibilities truly are. He is correct in saying that people generally can't remember long, complex passwords. But the use of technology helps us. Using a password safe to store your randomly-generated, long passwords for each site you visit makes life a lot easier and more secure. There are several to choose from and many that you may already have on your system like the one that Mozilla includes in its Internet browser Firefox.

I'm quite appalled that the reparable news source Newsline would provide such bad advice to their readers. For the non-technical people that read that article, and that don't understand the bad assumptions provided, the possibility that they will become more confused about how to properly protect themselves when they hear advice that is backed up by mathematics is great. It's time we stop with all the bad advice and come together with a clear and concise message that is backed up by the math. It's not difficult to protect yourself online and while you do have to put some trust in the remote system you can still mitigate many of those risks yourself.