GregHowley.com

Thoughts on Passwords and Security

July 30, 2013

Recently, I've been thinking a lot about Ars Technica's article on passwords. Couple that with having read Knights of the Rainbow Table, the short story commissioned from Cory Doctorow for The Tomorrow Project, and I've gotten a bit worried about password security.

The password I use at work on a daily basis is 18 characters long. My web server's password is significantly longer. Yes, I've got a mnemonic to memorize the thing, and no, you're not likely to find a significant portion of it in any dictionary. But is it good enough?

Most of what's discussed in the article, and what's dealt with in Knights of the Rainbow Table, deals with cracking stolen hashes. So in theory, if limits are placed on the number of password attempts, the problem goes away until there's another leak of password data. But we can't rely on data never being leaked.

I've got an issue with sites that limit what characters I can use in a password (I'm talking about you, Twitter. Why can't I use a space?) or require that I have capitals and special characters (is "Password1" really more secure than "thome thtupid pathword"?). Validation like this on password creation works great to prevent your mom from using "fluffykitty" as her password. But it also lets crackers know which combinations can be eliminated. And it's kind of annoying.

Increasingly, sites are letting people sign in with their Google or Facebook credentials. This is fine. Two-factor authentication helps a lot. I've used Google sign-in for a small number of low-security sites and apps, but putting too many eggs in one basket doesn't give me the warm and fuzzies. And I'm hesitant to trust Google too much. I'm certainly not going to trust Facebook.

The list of passwords that have been cracked scares me. The screenshot used shows MD5 hashes for passwords like $0ccerba11, Wtamu@13, and qeadzcwrsfxv1331. So how are you going to get by with that password of Bosco123! that you've used for everything since 2002? Pick a new password. Here are some suggestions.

  1. Use a password manager. It works great with a smartphone, but if you don't have one, download an app for your iPod or even for your Windows machine. Having a password app will allow you to use different passwords for every site or application that requires a password. Try here.
  2. Basic guidelines. Your password should be ten characters at minimum. Don't end it with numbers. Don't make the first character your only capital. Don't rely on common substitutions like d0nut or 3ggpl4nt.
  3. Already memorized? Think about times in your life you've had to memorize meaningless strings of letters and numbers. Those make great passwords! Still remember your old girlfriend's cell phone number? How about instead of using "BeerDrinker1985", you use "555-1212 warning:PSYKO!" Still remember that old employee ID or the random-character admin password from your college's computer lab that you had to type every day? Add on some stuff and make that your password.
  4. Totally random. It might not be something you can memorize, but if you make iS7^he0;)b+wffY3A$>l your password and store it in a password manager, you can just copy it out and paste it in when you need to use it.

Cory Doctorow posits a day in the not-too-distant future in which passwords are dead. Someday, Moore's Law may make even beefier hash algorithms like SHA512crypt, bcrypt, scrypt, and PBKDF2 obsolete. Someday, someone may indeed create rainbow tables complete up to 100 or even 1000 characters. For the time being, passwords still work. They just work better if you create good ones.
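To put numbers on two of the points above (the "Password1" versus "thome thtupid pathword" question, and why unsalted MD5 leaks are so cheap to crack compared with iterated schemes like PBKDF2), here is an added example of my own, not from the Ars article or the story. It assumes an iteration count of 100,000 and a 16-byte salt, and the entropy figure is only a brute-force upper bound; a dictionary attack does far better against a word plus a digit.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example
SALT_BYTES = 16              # assumed salt length


def charset_size(pw: str) -> int:
    """Alphabet an attacker must search if they only learn which classes appear."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound on search effort in bits (length * log2 of alphabet).
    Treat it as the defender's best case: word-based passwords fall to wordlists."""
    return len(pw) * math.log2(charset_size(pw))


def md5_unsalted(pw: str) -> str:
    """The scheme behind the leaked hashes in the post: identical passwords hash
    identically, so one precomputed table cracks every user who chose them."""
    return hashlib.md5(pw.encode()).hexdigest()


def pbkdf2_store(pw: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash, stored as iterations$salt$hash."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for pw in ("Password1", "thome thtupid pathword", "iS7^he0;)b+wffY3A$>l"):
        print(f"{pw!r}: ~{brute_force_bits(pw):.0f} bits of brute-force work")
    print("md5 identical across users:", md5_unsalted("Bosco123!") == md5_unsalted("Bosco123!"))
    a, b = pbkdf2_store("Bosco123!"), pbkdf2_store("Bosco123!")
    print("pbkdf2 differs per user:", a != b, "verify:", pbkdf2_verify("Bosco123!", a))
```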

Comments on Thoughts on Passwords and Security
 
Comment Tue, July 30 - 11:48 PM by ngewo
Wow, I only understood like 81% of the words you wrote.

Okay, I am kidding. I definitely realized recently that I needed to upgrade my passwords. I have been slowly doing that, but I also make the mistake of using the same one for most things, or at least a variation of the same one.

Thanks for posting that link to the password manager. I will have to try it.