The BBC has published an article in which researchers claim that short passwords will become easy to break because of the large number of processing cores on modern graphics cards. The article suggests that passwords therefore need to be longer, the theory being that longer passwords take longer to break.
This follows a PC Pro article, published last month, showcasing a new simplified password system from Microsoft that lets users pick a simple password, as long as not many other users have chosen the same one or the desired password is not an “…attractive target for a statistical guessing attack”.
So, should passwords be long and complex, or short and easy to remember? We’ve been recommending 12-character passwords made up of combinations of lower and upper case letters, numbers and symbols. But the truth is that the password security problem has been around for as long as passwords have existed, and at the moment no method is 100 per cent secure. People who do come up with complex passwords may choose to write them down, or save them on a memory stick, because they simply cannot remember multiple unique complex passwords, which nullifies the extra measures they have gone to.
Websites and applications that authenticate customers by asking for a username and password should look at improving their methods of authentication.
One standard method they could use, which would be a real barrier against brute force attacks, is to ensure that if a customer gets their password wrong five times they are unable to try again for half an hour. Once the customer does successfully log on, they should be notified that someone has tried to access their account. This allows them to check whether their password is still secure, and to change it to something less easy to guess if necessary.
The result of this method would be that no matter how fast the brute force attack was, it would have to wait half an hour for every five password attempts. With this method it really wouldn’t matter how powerful the attacker’s hardware was; they would still have to go through the same process.
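The policy just described, as an added example written for this edit (it is not code from the article or from any product the article mentions): five wrong passwords lock the account for thirty minutes, and the next successful login reports how many failed attempts preceded it. The class and function names, the PBKDF2 parameters and the `FakeClock` used to skip the wait are my own choices; the account store is a constructed in-memory one.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # wrong passwords allowed before the account locks
LOCKOUT_SECONDS = 30 * 60   # half an hour, as proposed in the text


@dataclass
class AccountState:
    failures: int = 0                    # consecutive wrong passwords in this window
    locked_until: float = 0.0            # epoch seconds; 0.0 means not locked
    failures_since_last_login: int = 0   # drives the "someone tried your account" notice


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the store never holds plaintext; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGate:
    """Five wrong passwords lock the account for 30 minutes; a successful login
    reports how many failed attempts happened since the last successful one."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the lockout can be simulated
        self._users = {}             # username -> (salt, pbkdf2 hash); constructed store
        self._state = {}             # username -> AccountState

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def _password_ok(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False   # unknown user is handled exactly like a wrong password
        salt, stored = record
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def attempt(self, username: str, password: str) -> dict:
        now = self._clock()
        st = self._state.setdefault(username, AccountState())
        if now < st.locked_until:
            # Still inside the lockout: the password is not even checked.
            return {"ok": False, "reason": "locked",
                    "retry_after": int(st.locked_until - now)}
        if not self._password_ok(username, password):
            st.failures += 1
            st.failures_since_last_login += 1
            if st.failures >= MAX_FAILURES:
                st.failures = 0
                st.locked_until = now + LOCKOUT_SECONDS
                return {"ok": False, "reason": "locked",
                        "retry_after": LOCKOUT_SECONDS}
            return {"ok": False, "reason": "bad_password",
                    "attempts_left": MAX_FAILURES - st.failures}
        # Correct password: clear the counters and tell the user what happened meanwhile.
        notice = st.failures_since_last_login
        st.failures = 0
        st.failures_since_last_login = 0
        st.locked_until = 0.0
        return {"ok": True, "failed_attempts_since_last_login": notice}


def guesses_possible(seconds: int) -> int:
    """Upper bound on guesses an online attacker can start against one account
    within `seconds` under this policy, whatever hardware they own."""
    return MAX_FAILURES * (seconds // LOCKOUT_SECONDS + 1)


class FakeClock:
    """Constructed clock so the 30-minute wait can be skipped in a demo."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    gate = LoginGate(clock=clock)
    gate.register("alice", "correct horse battery staple")
    for i in range(6):
        print(gate.attempt("alice", f"guess{i}"))      # 4 bad_password, then locked twice
    clock.advance(LOCKOUT_SECONDS)
    print(gate.attempt("alice", "correct horse battery staple"))  # ok, 5 failed attempts reported
    print("guesses per day:", guesses_possible(24 * 3600))        # 245
```

`guesses_possible` makes the article’s point concrete: over a whole day the policy caps an online attacker at 245 guesses per account, however fast their graphics card. The caveat a deployer should weigh is that a hard per-account lockout lets anyone who knows a username lock its owner out with five junk attempts, which is why the lockout is usually combined with the notification step and with rate limiting per source address rather than used on its own.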
In our guide on authentication, released in September 2009, we discussed two-factor authentication as a possible solution. The system, already being used by some bank customers, takes something the user knows (their password) and combines it with something they have in their possession (a key fob or device which generates a random number) to create a more secure system. But having to carry around a different device for each service you use is somewhat impractical.
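The key fobs described above generate a one-time code from a secret shared with the server plus either a counter or the clock; the standardised forms are HOTP (RFC 4226) and TOTP (RFC 6238). Neither the guide nor this article says which scheme any particular bank uses, so the following is an added example of a standard TOTP check, not code from the guide. The `TotpVerifier` class and its `window` parameter are my own design; the secret is the RFC test-vector secret, so the printed codes can be checked against the RFCs.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """Server side of a time-based token check.

    `window` tolerates one step of clock drift in each direction. `_last_counter`
    refuses any counter at or below one already accepted, so a code captured by a
    keylogger or a phishing page is useless once the legitimate user has used it."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self._secret = secret
        self._step = step
        self._digits = digits
        self._window = window
        self._last_counter = -1

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self._step
        for counter in range(current - self._window, current + self._window + 1):
            if counter <= self._last_counter:
                continue  # already used, or older than a code already used
            expected = hotp(self._secret, counter, self._digits)
            if hmac.compare_digest(expected, code):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # the RFC 4226 / RFC 6238 test-vector secret
    print(hotp(secret, 0), totp(secret, 59, digits=8))   # 755224 94287082
    verifier = TotpVerifier(secret)
    code = totp(secret, time.time())
    print(verifier.verify(code, time.time()), verifier.verify(code, time.time()))  # True False
```

The replay check is the part that matters for the keylogger and phishing scenario the article goes on to describe: the code is still something the user knows only for thirty seconds, and only once. The server also needs a reasonably accurate clock; the drift window papers over small differences but not a badly wrong one.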
On the other hand, using a password by itself leaves the user wide open to abuse from keyloggers and phishing attacks. If your computer is infected, or if you are tricked into telling someone your password, your security is compromised. Add a token into the mix and the risk of exploitation is greatly reduced, as the hacker would have to be close enough to take the token from your possession, which is harder for them to do and makes it easier for the authorities to catch them if they try.
No matter how long or complex you make your password, or how often you change it, the password will never be immune to compromise. Whether through an infected PC, a conned user, or someone absent-minded who keeps all of their passwords written down in their laptop bag, there will always be a way to obtain a password. But until the systems we access implement stringent authentication measures of their own, the best thing we can do as users is come up with passwords that are as secure as possible whilst remaining memorable.