Pass the Chocolate
Scott Granneman, 2004-05-26

For the 70% of the population that will trade their computer password for a bar of chocolate, this one's for you.

Pass the Chocolate 2004-05-27
pthread (1 replies)
Pass the Chocolate 2004-06-01
Anonymous
Pass the Chocolate 2004-05-27
Dominic Cronin
Pass the Chocolate 2004-05-27
Anonymous (1 replies)
Pass the Chocolate 2004-05-28
microchp
Pass the Chocolate 2004-05-27
N. Alan
Pass the Chocolate 2004-05-27
Anonymous
Pass the Chocolate 2004-05-27
Anonymous (1 replies)
Well, first a password with two numbers on the end isn't secure (it's just too easy for cracking software to try 0-99 so they all do) so don't bother with that. Also, many common phrases are in cracking dictionaries as well so I'd recommend against them if you want a truly uncrackable password.

We have to realize, then, that the security model where an attacker has a hashed list of passwords is a broken model. If the password is used to create a cryptographic key then certainly it needs to be that strong; otherwise, expecting the user to come up with such a password is too much.

As long as a system doesn't permit unlimited guessing without locking the account and an attacker can't get a list of hashed passwords, then "WillSmith" is a good password -- just as a 4-digit PIN is never going to be uncrackable but it is still "secure". As well, since those sysadmins who could take and crack the passwords could also replace the login sequence (albeit with more difficulty), the security gained is not much more (of course, backup tapes need to be secured).

Unfortunately, given human nature, people will use the same password for everything -- it will be sent unencrypted to every news website that asks for a registration. It will be given out for chocolate; on a system where accounts are locked out after three tries, is it more important to counter the threat of a rogue admin cracking the password and using it or to counter the threat of people giving out their passwords for news and chocolate?

So what to do? Expensive solutions are just that -- too expensive. Users can remember a simple password so that should be part of it. Users can also input a complex password that they copy from a printed source. So combine the two; have a user enter a simple password and a system-generated "access code" that they are encouraged to write down and keep in their wallet (that they are required by the system to change periodically). The hash stored by the system is not simply a hashed password but the concatenation of the "access code" and the password.

With lockouts after 3 or 5 attempts to login, the scheme should be secure against rogue admins. Furthermore, since normal people can be expected to use it, security will be enhanced. Since the system picks the "access code", the online banking site has some protection against the user who uses the same password for chocolate.


Link to this comment: http://www.securityfocus.com/comments/columns/245/26481#26481
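The scheme the commenter above proposes, written out as an added Python example (not code from the column or the commenter): the system generates the "access code", stores a salted slow hash of access_code||password, and locks the account after three failures. The commenter does not name a hash function; PBKDF2-HMAC-SHA256 with a per-user salt is my assumption, and the three-strike threshold and 12-character code length are constructed values.

```python
import hashlib
import hmac
import secrets
import string

MAX_ATTEMPTS = 3      # assumed lockout threshold (the comment says "3 or 5")
ACCESS_CODE_LEN = 12  # assumed length of the system-chosen code
PBKDF2_ROUNDS = 100_000

def generate_access_code(length=ACCESS_CODE_LEN):
    """System-chosen code the user writes down; the user never picks it,
    so it cannot be reused on the 'chocolate' sites."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def _derive(access_code, password, salt):
    # Hash the concatenation access_code || password, as the comment describes
    material = (access_code + password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)

def enroll(password, access_code):
    """Create the stored record: salt, hash, and a failure counter."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _derive(access_code, password, salt),
            "failures": 0, "locked": False}

def login(record, password, access_code):
    """Returns 'ok', 'denied', or 'locked'. A locked account stays locked
    even for correct credentials until an administrator resets it."""
    if record["locked"]:
        return "locked"
    candidate = _derive(access_code, password, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    if record["failures"] >= MAX_ATTEMPTS:
        record["locked"] = True
        return "locked"
    return "denied"

if __name__ == "__main__":
    code = generate_access_code()
    rec = enroll("WillSmith", code)
    print(login(rec, "WillSmith", code))   # ok
    print(login(rec, "WillSmith", ""))     # denied: password alone is useless
```

Note that a leaked hash still allows offline guessing of access_code||password, which is why the commenter pairs the scheme with lockouts and with keeping hashes and backups out of attackers' hands rather than relying on the hash alone.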
Pass the tequila 2004-05-27
Mene Tekel
Pass the Chocolate 2004-05-27
Anonymous
Pass the Chocolate 2004-05-27
E. de Jong
WRITE them passwords down... 2004-05-27
Nicholas Weaver
Pass the buck 2004-05-27
Mene Tekel (1 replies)
Pass the buck 2004-06-01
Anonymous
Pass the Chocolate 2004-05-28
Anonymous
Pass the Chocolate 2004-06-01
Tommy Ward (2 replies)
Pass the test 2004-06-03
Mene Tekel
Re: Pass the Chocolate 2006-11-28
Anonymous (1 replies)
Re: Re: Pass the Chocolate 2007-06-15
Anonymous
Pass the Chocolate 2004-06-02
steeef
Pass the Chocolate 2004-06-06
Anonymous
Copyright 2008, SecurityFocus