Authentication and the password problem

  • Hello everyone,

    This being the first time I've had the opportunity to post to a forum exclusively dedicated to cyber security, I'd like to hear everyone's thoughts on what I generally refer to as "the password problem". Simply put, the password problem is the gap between the length of a password a person can commit to memory and the current minimum length of password that is considered strong.

    A minimum of 8 to 10 characters seems to have been the de facto standard for at least the past decade if memory serves, but in that time computer processing power has increased significantly, so presumably our minimum password length should increase as well. So that means we should all be using longer passwords, right? The one problem I can see with that is we seem to be reaching the upper limit on how long of a password a person can memorize relatively quickly. My current recommendation has been to use a password manager with randomly generated passwords using the highest number of possible character sets and as long as whatever site/service I'm authenticating with will allow (usually between 15 and 20 characters), along with some other form of authentication such as a token or fingerprint.

    However, I haven't seen much in the way of articles published on the safety or effectiveness of a password manager. Do any of you use password managers? If you don't use them, is there a specific vulnerability in password managers that has warned you off?



  • Recently there has been a schism on password lengths. The guy behind the proposal for long passwords has recanted and apologized for making a mess. However, long passwords are not the same as security.

    Without getting too nerdy, passwords of equally long length can be very different to crack. Night and day type differences. If you are interested in researching it, try looking up Rainbow Tables. For those with severe tl;dr issues: if your password is English and has a q in it, I already know the next letter is "u". That is too simple, but you can get some insight into why not all passwords are the same.

    Password managers take the user out of the complexity loop. They are software that stores long random passwords. They sometimes include hardware too. They are nice for individual complexity, but if your long password is part of a breach, it does not matter. Also, if you do not ensure you are using a different password each time you use a different site/system, then you are missing the point. Finally, placing all your passwords into one place means that bad guys go after that. Lots of articles on this, but when they break into that, they get everything.

    People who go to exceptional lengths are more interesting to bad guys. They believe that the extra security on your side means extra reward on their side. This ain't France, so try harder.

    Our general answer to this is our homegrown Identity Bank. Like the name suggests it is a bank of identities. It is similarly more secure than normal systems. It has a raft of security capabilities that are not matched out there. We have concentrated our protective efforts into a castle with a moat (there are no airplanes or balloons yet... autism). Thus we have a better defense than the aggressors.
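The thread's numbers, worked through as an added example (not code from either poster): the entropy of the 8 to 10 character minimum versus the 15 to 20 character manager-generated passwords the first post recommends, and the second post's point that two passwords of equal length can differ enormously in how hard they are to guess. The offline guess rate and the 10,000-word dictionary size are assumptions chosen for illustration.

```python
import math
import secrets
import string

# The character sets a password manager can draw from (first post).
CHARSETS = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "symbols": string.punctuation,     # 32
}

def alphabet_for(sets):
    """Concatenate the chosen character sets into one alphabet."""
    return "".join(CHARSETS[s] for s in sets)

def entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)

def wordlist_entropy_bits(num_words, dictionary_size):
    """Bits of entropy when each word is an independent pick from a dictionary.
    Models the English-word password the second post calls much weaker than a
    random string of the same length."""
    return num_words * math.log2(dictionary_size)

def years_to_crack(bits, guesses_per_second=1e10):
    """Expected years to search half the keyspace at an assumed offline guess rate."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)

def generate_password(length, sets=("lower", "upper", "digits", "symbols")):
    """Generate a password the way a manager does: CSPRNG over the full alphabet."""
    alphabet = alphabet_for(sets)
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    full = len(alphabet_for(CHARSETS))
    for length in (8, 10, 15, 20):  # the lengths discussed in the thread
        b = entropy_bits(length, full)
        print(f"{length:2d} random chars from {full}: {b:6.1f} bits, ~{years_to_crack(b):.3g} years")
    # Same length, very different strength: 16 letters as two dictionary words
    # (assumed 10,000-word list) versus 16 uniformly random characters.
    print(f"two dictionary words: {wordlist_entropy_bits(2, 10_000):.1f} bits")
    print(f"16 random chars:      {entropy_bits(16, full):.1f} bits")
    print("sample manager password:", generate_password(20))
```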

