Tuesday, March 19, 2013

Password reductio ad absurdum

I was just now logging into a site I hadn't logged into in several months, one for which I wanted to be sure I had a unique password.  Naturally, I'd forgotten the password.  So I clicked on the forgotten password link and chose the email option.  There was also a security questions option.  I should remember to make up some random lies for that, since I'm not going to use it and would prefer no one else did either.

Before too long, an email arrived with a clearly randomly-generated sequence of twelve upper- and lowercase letters.  That's about 68 bits of entropy.  If you could guess a trillion passwords a second [which, scarily enough, is not at all far-fetched], it would still take about 12 years to guess all the possibilities.  I'm not a great fan of passwords in general, except when used locally to unlock something that's actually secure, but that's a pretty reasonable password generation scheme.

So I log in with my new password.  Before I actually get in to the site, I'm told I need to change my password.

Because it's too weak.

Because it doesn't have a letter and a number.

But I'm free to make up any seven-character or longer sequence that does contain a number and a letter, which does at least filter out all but two of SplashData's top 25 list of weak passwords (all but trustno1 and password1).  Let's just say it's 92% effective at improving password security and leave it at that.
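To put numbers on the absurdity, here is an added example (not part of the original post) that works the arithmetic above in Python: the entropy of the rejected twelve-random-letter password, the entropy of the weakest password the site's rule would accept, the time a trillion-guesses-per-second attacker would need in each case, and a direct implementation of the "seven or more characters, at least one letter and one digit" check. The character-set sizes (52 letters, 10 digits), the rule itself and the guess rate are taken from the post; the function names are my own. The count for the accepted policy is an upper bound that assumes the seven characters are chosen uniformly at random, which human-chosen passwords never are, so the real gap is wider than the numbers show.

```python
import math

# Alphabet sizes implied by the post (upper- and lowercase letters, decimal digits).
LETTERS = 52
DIGITS = 10
ALNUM = LETTERS + DIGITS

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(num_possible: int) -> float:
    """Entropy in bits of a uniformly random choice among num_possible strings."""
    return math.log2(num_possible)


def uniform_count(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over an alphabet."""
    return alphabet_size ** length


def letter_and_digit_count(length: int) -> int:
    """Strings of the given length over [A-Za-z0-9] that contain at least one
    letter AND at least one digit (inclusion-exclusion: all alphanumeric strings
    minus the all-letter strings minus the all-digit strings)."""
    return ALNUM ** length - LETTERS ** length - DIGITS ** length


def seconds_to_exhaust(num_possible: int, guesses_per_second: float = 1e12) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return num_possible / guesses_per_second


def years_to_exhaust(num_possible: int, guesses_per_second: float = 1e12) -> float:
    return seconds_to_exhaust(num_possible, guesses_per_second) / SECONDS_PER_YEAR


def meets_site_policy(password: str) -> bool:
    """The rule the post describes: seven or more characters, with at least
    one letter and at least one digit. Nothing else is checked."""
    return (
        len(password) >= 7
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


def compare_policies() -> dict:
    """Rejected password (12 random letters) vs the weakest accepted one
    (7 alphanumerics with at least one letter and one digit)."""
    rejected = uniform_count(LETTERS, 12)
    weakest_accepted = letter_and_digit_count(7)
    return {
        "rejected_bits": entropy_bits(rejected),
        "rejected_years": years_to_exhaust(rejected),
        "accepted_bits": entropy_bits(weakest_accepted),
        "accepted_seconds": seconds_to_exhaust(weakest_accepted),
    }


if __name__ == "__main__":
    r = compare_policies()
    print(f"12 random letters : {r['rejected_bits']:.1f} bits, "
          f"{r['rejected_years']:.1f} years at 1e12 guesses/s")
    print(f"7-char letter+digit: {r['accepted_bits']:.1f} bits, "
          f"{r['accepted_seconds']:.1f} seconds at 1e12 guesses/s")
    # Constructed samples: the random letters fail the rule, a top-25 entry passes.
    for pw in ("aBcDeFgHiJkL", "password1", "trustno1"):
        print(f"{pw!r}: accepted={meets_site_policy(pw)}")
```

Running it reproduces the post's figures (about 68 bits and roughly 12 years for the mailed password) and shows that the weakest password the site insists on instead has about 41 bits, exhaustible in a few seconds at the same guess rate, while "password1" sails through the check that rejected the random one.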

1 comment:

earl said...

Who does this stuff?