Everything I said about passwords is wrong…not! The new password paradigm part 1

My last post was a real teaser according to some. I have to admit that was my intention; however, I meant what I said. The conventional way of looking at passwords is completely wrong. And it is wrong for one very big and completely overlooked reason. Follow these next three posts and you’ll see exactly what I mean. What follows is three articles I wrote for my Security Corner blog. They have gained real traction on the ‘net. Feel free to post your comments!

Break out your pet’s name, your children’s names, your spouse’s name or any other easy-to-remember words or phrases that I–and every other security wonk–have been telling you never to use. Apparently, we’ve been giving you some information that isn’t as valid as we thought. In fact, depending on how you look at it, we may have been completely wrong with some of the things we insisted you do or don’t do. Don’t misunderstand, what we told you worked and the information would have resulted in greater security, it was just too darned complex. Because of that, many people just didn’t make the extra effort

There has been a sea change in the password paradigm, thanks to Steve Gibson of GRC.com who uses the needle-in-the-haystack analogy for passwords. It is an approach that results in even greater security while letting you create easily-remembered passwords. Gone are the days where you had to use such cryptic and impossible-to-remember passwords like PrXyc.N(n4k77#L!eVdAfp9. Steve gives an elegant explanation including an excerpt from the June 1st Security Now! podcast on is Password Haystacks page. The site also has what he calls a “Search Space Calculator” that will give you some real insight into what the hackers are up against.

The new password paradigm is to invent your own personal padding policy. “What the heck is that,” you say? It’s extremely simple: 1. Invent a pattern of characters that you will easily remember; 2. Pad your memorable words, phrases, dates, etc. with that pattern. The easiest way is to put the pattern before and after your chosen phrase, but you can do it any way you like as long as it is memorable for you. The beauty of this system is that you can even use any of the Top 500 Worst Passwords of All Time as long as you pad them. You can use any dictionary word, name, date, phrase–whatever you wish–and you’ll be OK.

I’ll expand on this concept in Part 2.

Posted in:
About the Author

Ken Harthun

Ken is our resident security expert with years of experience in the field. He can also carry a tune as an accomplished musician. Ken has written for many publications and presently is a contributor to IT Knowledge Exchange.

There are 2 comments

Comments are closed.