
Strong Passwords No Safer than Weak Ones (Says New York Times)

You know the drill: a mix of upper- and lower-case characters, both numbers and letters, and at least one symbol. Change your password every 90 days. And the new password can't have more than four characters in common with the last dozen. It's enough to make your brain hemorrhage.

Too bad you're spending so much energy on these strong passwords, because the New York Times says it's all a pointless exercise (unless the point of the exercise is to waste your time).

The problem is twofold:

  • Technology like keylogging software can read your password no matter how convoluted -- so the most critical issue is to keep that sort of malicious software off your PC at all costs. To paraphrase Ellen Ripley in Aliens: If just one of those things gets through, it's game over.
  • Needlessly complicated rules lead to practices which seriously compromise security, like printing the password and leaving it around the PC.
Interestingly, the NYT points out that banks and e-commerce sites, which have the highest need for security, often have the most relaxed password rules, because they balance common-sense security against usability. Citing Microsoft researcher Cormac Herley, the paper had this to say:
These sites don't publicly discuss security breaches, but Mr. Herley said it "isn't plausible" that these sites would use such policies if their users weren't adequately protected from attacks by those who do not know the password.
A site like Amazon requires only 8 characters, with no additional rules. It still blunts brute-force guessing because the site can lock the account after a small number of failed log-in attempts, which caps how many guesses an attacker can submit against the live log-in page no matter how simple the password is. The NYT contends that, with a strategy like this, even a six-digit password can withstand 100 years of sustained attacks. Note that this protection applies only to guessing at the site's own door; it does nothing against a keylogger that captures the password outright, which is why the first point above matters most.
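To make the lockout argument concrete, here is an added example (my own illustration, not code from Amazon or the NYT) of a per-account failed-login throttle together with the arithmetic it implies. The policy numbers (5 failures, then a 15-minute lockout) and the sample account are assumptions chosen for the illustration; the password is stored in plaintext only to keep the example short, which a real system would never do.

```python
import time
from dataclasses import dataclass

# Hypothetical lockout policy for this example (not any real site's rules).
MAX_FAILURES = 5            # failed attempts tolerated before locking
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked afterwards


@dataclass
class AccountThrottle:
    """Per-account failure counter and lockout deadline."""
    failures: int = 0
    locked_until: float = 0.0


class LoginGate:
    """Login check that locks an account after MAX_FAILURES bad guesses."""

    def __init__(self, passwords, clock=time.time):
        # Constructed sample store: username -> password. Real systems store
        # salted hashes; plaintext is used here only to keep the example short.
        self._passwords = passwords
        self._clock = clock          # injectable clock so tests can fast-forward
        self._state = {}

    def attempt(self, user, password):
        """Return 'ok', 'denied', or 'locked' for one log-in attempt."""
        now = self._clock()
        st = self._state.setdefault(user, AccountThrottle())
        if now < st.locked_until:
            return "locked"          # refuse even a correct password while locked
        if self._passwords.get(user) == password:
            st.failures = 0          # success resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
        return "denied"


def years_to_exhaust(keyspace, max_failures=MAX_FAILURES,
                     lockout_seconds=LOCKOUT_SECONDS):
    """Worst-case years for an online guesser to try every candidate.

    Under the policy above an attacker gets at most max_failures guesses per
    lockout window, so exhausting the space takes ceil(keyspace/max_failures)
    windows of lockout_seconds each.
    """
    windows = -(-keyspace // max_failures)   # integer ceiling division
    return windows * lockout_seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    gate = LoginGate({"alice": "correct horse"})
    for guess in ["000001", "000002", "000003", "000004", "000005"]:
        print(guess, gate.attempt("alice", guess))
    print("while locked:", gate.attempt("alice", "correct horse"))
    print("six digits:", round(years_to_exhaust(10 ** 6), 1), "years")
    print("8 lowercase letters:", round(years_to_exhaust(26 ** 8)), "years")
```

Under these assumed numbers a six-digit all-numeric password takes about 5.7 years to exhaust and an eight-character lowercase one over a million, so the exact "100 years" figure depends entirely on the lockout parameters, not on the password's complexity. The other side of the caveat: this throttle only governs guesses submitted to the live site. If the password database itself is stolen, offline guessing is unthrottled and the strength of the stored hash and of the password become decisive again.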

This isn't the first time we've heard from renegade security expert Cormac Herley. Not long ago, we told you that frequent password changes were counterproductive. And personally, I'm still waiting for someone to give me a reasonable scenario for why we should change passwords every 60 or 90 days. You know, routinely changing passwords which clearly already work.

Photo courtesy Flickr user iowa_spirit_walker