Well, crud. Not all long passwords are good passwords.
I’ve suspected for a long time that street addresses aren’t good to use–the formula is too simple–but now it seems that even mashing together a sentence into a long password doesn’t work. (That isn’t something I do often, but I’ve done it at least once or twice.)
Two things are happening. One is that computers continue to get faster. The other is that we have more captured password databases than we’ve ever had before, and now it’s practical to plow through those huge collections and find patterns. It doesn’t matter how many quadrillions of possible passwords are out there; as password lengths increase, we continue to only use a few million of the possibilities.
It makes sense, though. Any formula that humans devise to generate a password will translate very neatly into a computer algorithm to guess those passwords even faster than humans can think of them. And grammar is just another formula. Not all of our million words go together, so just add the rules for what words go together, and then a computer can guess our passwords faster. It makes perfect sense; it’s just not something I’d thought of before.
Using bad grammar isn’t going to solve the problem for long, either. Most bad grammar follows predictable patterns too. (See: “needs washed.” Can I buy a verb, Pat?) There are rules to most bad grammar too; it’s just that the rules are wrong.
I remember a couple of years ago talking with a former coworker about Steve Gibson’s concept of “password haystacking.” He was uncomfortable with it but couldn’t quite figure out why. But this is why. Computers can generate patterns and plop a password in the middle. “/\/\/\/\/\/\/\/\3fluffybunnies/\/\/\/\/\/\/\/\” isn’t as secure as it looks–and chances are that’s the kind of password many people are haystacking.
Ultimately, multifactor authentication is going to be the only way to solve this. Given the number of tinfoil-hat loonies who are out there though–or maybe I just happen to be unusually good at finding them–this “license to use a computer” is going to be a really hard sell. But we need it.