Too bad you're spending so much energy on these strong passwords, because the New York Times says it's all a pointless exercise (unless the point of the exercise is to waste your time).
The problem is twofold:
- Malicious software like a keylogger can read your password no matter how convoluted it is -- so the most critical issue is to keep that sort of software off your PC at all costs. To paraphrase Ellen Ripley in Aliens: if just one of those things gets through, it's game over.
- Needlessly complicated rules lead to practices which seriously compromise security, like writing the password down and leaving it next to the PC.
A site like Amazon requires only 8 characters, with no additional rules, and it blunts brute-force guessing because the site can lock an account after a small number of failed log-in attempts. The NYT contends that with a strategy like this, even a six-digit password can withstand 100 years of sustained attacks. These sites don't publicly discuss security breaches, but Mr. Herley said it "isn't plausible" that they would use such policies if their users weren't adequately protected from attacks by people who do not know the password. One caveat worth keeping in mind: a lockout only throttles guesses that come in through the login form. If the site's password database is stolen, the attacker cracks the hashes offline at millions of guesses per second, no lockout applies, and a six-digit password falls in well under a second.
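To make the lockout arithmetic concrete, here is an added example in Python (my code, not from the NYT article or from Herley's work). It simulates a login form that locks an account after a few failures, runs an attacker through it with a simulated clock, and then cracks the same six-digit PIN offline from a stolen hash. The lockout policy (5 failures, then a one-hour lock), the unsalted SHA-256 hash, the account name and the sample PIN are all assumptions made up for the demo, not any real site's settings.

```python
"""Added example: per-account lockout throttles online guessing, but not offline cracking."""
import hashlib
from collections import defaultdict

# Hypothetical lockout policy for the demo (not any real site's settings):
# after MAX_FAILURES wrong guesses the account is locked for LOCKOUT_SECONDS.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 3600
PIN_KEYSPACE = 10 ** 6            # every six-digit password, 000000..999999
SECONDS_PER_YEAR = 365 * 24 * 3600


class LoginGate:
    """Minimal login front end that locks an account after repeated failures."""

    def __init__(self, passwords, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.passwords = passwords      # user -> password, plaintext only because this is a demo
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, user, guess, now):
        """Return 'locked', 'ok' or 'bad'. `now` is a caller-supplied clock so runs are deterministic."""
        if now < self.locked_until.get(user, 0):
            return "locked"
        if self.passwords.get(user) == guess:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.failures[user] = 0
            self.locked_until[user] = now + self.lockout_seconds
        return "bad"


def online_brute_force(gate, user):
    """Guess every six-digit PIN through the login form, waiting out each lockout.
    Returns (pin_found, guesses_made, simulated_seconds_elapsed)."""
    now = 0.0
    guesses = 0
    for n in range(PIN_KEYSPACE):
        pin = f"{n:06d}"
        while True:
            result = gate.attempt(user, pin, now)
            if result == "locked":
                now = gate.locked_until[user]   # the attacker can only wait for the lock to expire
                continue
            guesses += 1
            break
        if result == "ok":
            return pin, guesses, now
    return None, guesses, now


def offline_brute_force(stolen_hash):
    """Crack an unsalted SHA-256 of a six-digit PIN; there is no login form, so no lockout applies.
    Returns (pin_found, hashes_computed)."""
    for n in range(PIN_KEYSPACE):
        pin = f"{n:06d}"
        if hashlib.sha256(pin.encode()).hexdigest() == stolen_hash:
            return pin, n + 1
    return None, PIN_KEYSPACE


def online_guesses_per_year(max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
    """Upper bound on guesses per year an attacker gets against one account through the form."""
    return max_failures * SECONDS_PER_YEAR / lockout_seconds


def years_to_exhaust(keyspace, guesses_per_year):
    """Worst-case years to try every candidate at the given rate."""
    return keyspace / guesses_per_year


if __name__ == "__main__":
    secret = "042517"                                   # constructed sample PIN
    gate = LoginGate({"alice": secret})
    pin, guesses, elapsed = online_brute_force(gate, "alice")
    print(f"online: found {pin} after {guesses} guesses and {elapsed / 86400:.0f} simulated days")
    print(f"online: exhausting all {PIN_KEYSPACE} PINs takes about "
          f"{years_to_exhaust(PIN_KEYSPACE, online_guesses_per_year()):.1f} years")
    stolen = hashlib.sha256(secret.encode()).hexdigest()
    pin, hashes = offline_brute_force(stolen)
    print(f"offline: found {pin} after {hashes} hashes; the lockout never came into play")
```

The number of years the online attack needs scales directly with the lockout policy (guesses allowed per lock divided by lock duration), which is the lever the NYT argument relies on; the offline run finishes in a fraction of a second no matter what that policy says, because the attacker never touches the login form. A real deployment would also salt and slow-hash the stored passwords and would rate-limit per source address as well as per account, so that an attacker cannot lock legitimate users out on purpose.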
This isn't the first time we've heard from renegade security expert Cormac Herley. Not long ago, we told you that frequent password changes were counterproductive. And personally, I'm still waiting for someone to give me a reasonable scenario for why we should change passwords every 60 or 90 days. You know, routinely changing passwords which clearly already work.
Photo courtesy Flickr user iowa_spirit_walker