Articles like Ars Technica’s “Why passwords have never been weaker — and crackers have never been stronger” are getting more and more common these days.
In a positive development, I don’t think the story had been live more than an hour or two before people started asking me questions. That’s good, because that tells me that people care.
Ultimately, the solution has to go beyond passwords, but universal smartcards and biometrics aren’t going to appear this month or even this year. Two-factor authentication with a phone is a clever solution, but isn’t universally practical either. For now, we have to live with passwords.
The Ars Technica article is very good, but if you want the back-of-napkin version, the problem is that so many passwords have been leaked in the last couple of years that crackers have been able to identify patterns in how people choose them. So, even though password policies now require longer and more complex passwords, people tend to satisfy those rules in predictable ways: there are potentially billions of 9-character passwords, but human beings limit themselves to a few million of them.
So rather than cycling through billions of possible passwords, a password cracker can take every word in the English dictionary, apply predictable patterns to them, and guess a large number of passwords in a very short period of time.
The problem isn’t going to get any better. Human beings don’t change habits easily or often, and even if they did, computers get more powerful a lot faster anyway.
We’re going to have to stop using human-generated passwords. Passwords that are possible for humans to remember are just too easy for a computer to guess.
Computers can generate extremely random, extremely complex passwords very easily. There are numerous password-generating sites out there and a Google search will turn them up. Here’s Steve Gibson’s password site, which automatically generates various 63-character passwords every time you load it. If you need shorter passwords, just truncate one.
Some sites will even let you select the parameters, such as password length and how many characters of each type to use.
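As an added example (this is not code from the post or from any of the generator sites it mentions), here is a small Python generator that draws every character from the operating system’s cryptographic random source with a selectable length and per-class minimums, plus the search-space arithmetic behind the “billions versus a few million” point above. The class names, the symbol set and the function names are my own choices.

```python
import math
import secrets
import string

# Character classes a typical generator site lets you pick from (my own grouping).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-/=?@^_~",
}


def generate_password(length=63, min_per_class=None):
    """Return a password drawn with the secrets module (CSPRNG, not random.random).

    min_per_class maps a class name to the minimum number of characters from that
    class; by default every class contributes at least one. Remaining positions
    are drawn uniformly from the union of the requested classes.
    """
    if min_per_class is None:
        min_per_class = {name: 1 for name in CLASSES}
    required = sum(min_per_class.values())
    if required > length:
        raise ValueError("length too short for the requested class minimums")
    pool = "".join(CLASSES[name] for name in min_per_class)
    chars = []
    for name, count in min_per_class.items():
        chars.extend(secrets.choice(CLASSES[name]) for _ in range(count))
    chars.extend(secrets.choice(pool) for _ in range(length - required))
    # Fisher-Yates shuffle driven by secrets, so the forced characters do not
    # always sit at the start of the password (a pattern a cracker could use).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def search_space_bits(length, alphabet_size):
    """log2 of the number of candidates when every character is uniformly random."""
    return length * math.log2(alphabet_size)


def classes_present(password):
    """Which classes actually appear in a password (used to check the minimums)."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


if __name__ == "__main__":
    print(generate_password(63))
    print(f"uniform 9-char over 94 printable ASCII: {search_space_bits(9, 94):.1f} bits")
    print(f"a few million human choices:            ~{math.log2(4_000_000):.1f} bits")
```

Truncating a 63-character output to a site’s limit, as the post suggests, keeps the per-character uniformity; only the length term in the search-space estimate shrinks.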
The idea is to change all of the passwords you use to something as complex as possible–some sites permit passwords up to 8 characters long, others have high limits like 64 characters–and then store them securely. Lastpass is a popular cross-platform option and might be the best bet if you have multiple devices. If you’re uncomfortable storing your passwords in the cloud–the makers of Lastpass insist this is unfounded, but I can understand wanting to maintain control–you can store the passwords locally using a program like Password Safe. Password Safe isn’t the only program of its type or even necessarily the best, but it runs on more computers and devices than any other solution I know. Officially it runs on Windows, but there are ports to other systems in its related projects section.
Or if you’re using a computer that you don’t own, such as a work computer, store the passwords in an encrypted document. Office 2007 and later allow you to encrypt documents using AES encryption, which is military-grade. Save your passwords in a Word or Excel document, then copy and paste them when you need them. It’s not as elegant as Password Safe, but it’s workable. Just make sure you encrypt the document–you don’t want an unencrypted password list ending up in the wrong hands.
This approach works more often than any other, though it’s difficult on devices like smartphones, with their tiny onscreen keyboards, unless you use Lastpass.