Friday, May 20, 2005

Password Security and Protection Links

Last summer and fall some folks at Microsoft and elsewhere provoked discussions of what makes a strong password. One fellow emphasized that length is really the key. That was widely discussed, as in this article at WindowsITPro by Mark Joseph Edwards.

Since I last visited this topic Jesper M. Johansson, Microsoft Security Program Manager, has posted a series of articles - The Great Debates: Pass Phrases vs. Passwords (in three parts)
Part 1 of 3
Notable quotes:

"... understand the difference between password guessing and password cracking."
"... if an account has a relatively complex password, guessing will not succeed anyway."
"Cracking ... is performed after the attacker has obtained the raw hashes."
"Cracking is far faster than guessing."

Part 2 of 3 - Discusses the relative strength of each type of password

Part 3 of 3 - Concludes by providing guidance on passwords and policy

Earlier I thought the main take-away was that longer is better in passwords and that length trumps strength, in the sense that increasing the character count is more effective than enlarging the set of characters allowed. I think that is consistent with the formula for calculating the number of permutations of l characters drawn from a base set with n members.
But he concludes "In the end, until we perform further research, we cannot state conclusively that one is better than the other."
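As an added illustration (my own script, not code from the post or from Johansson's articles), the size of the space behind that formula is n^l for strings of l characters drawn from n symbols. The alphabet sizes below are constructed for the example; the script computes the keyspace in raw count and in bits, and shows how many extra lowercase characters it takes to match a wider alphabet at a fixed length:

```python
import math

# Alphabet sizes for the comparisons below (constructed for this example).
LOWERCASE = 26          # a-z
MIXED_ALNUM = 62        # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95    # every printable ASCII character

def keyspace(n: int, l: int) -> int:
    """Number of strings of length l over an alphabet of n symbols: n**l.
    This is the space an exhaustive (cracking) search has to cover."""
    return n ** l

def entropy_bits(n: int, l: int) -> float:
    """The same keyspace expressed in bits: log2(n**l) = l * log2(n)."""
    return l * math.log2(n)

def length_to_match(n_small: int, n_big: int, l_big: int) -> int:
    """Shortest length at which n_small symbols give at least the keyspace
    of l_big characters drawn from n_big symbols."""
    target = keyspace(n_big, l_big)
    l = 1
    while keyspace(n_small, l) < target:
        l += 1
    return l

def grow_by_length(n: int, l: int, extra: int) -> int:
    """Growth factor from appending `extra` characters: n**extra."""
    return keyspace(n, l + extra) // keyspace(n, l)

def grow_by_alphabet(n_old: int, n_new: int, l: int) -> float:
    """Growth factor from widening the alphabet at fixed length: (n_new/n_old)**l."""
    return keyspace(n_new, l) / keyspace(n_old, l)

if __name__ == "__main__":
    for n, l in [(LOWERCASE, 8), (MIXED_ALNUM, 8), (PRINTABLE_ASCII, 8),
                 (LOWERCASE, 11), (MIXED_ALNUM, 12)]:
        print(f"n={n:3d} l={l:2d}  keyspace={keyspace(n, l):.3e}  "
              f"bits={entropy_bits(n, l):.1f}")
    print("lowercase length needed to match 8 mixed alphanumerics:",
          length_to_match(LOWERCASE, MIXED_ALNUM, 8))
    print("growth from 3 extra lowercase characters:",
          grow_by_length(LOWERCASE, 8, 3))
    print("growth from widening 26 -> 62 at length 8:",
          round(grow_by_alphabet(LOWERCASE, MIXED_ALNUM, 8)))
```

Widening from 26 to 62 symbols at length 8 multiplies the keyspace by roughly a thousand, while three extra lowercase characters multiply it by 17,576, so eleven lowercase letters already outnumber eight mixed alphanumerics; the trade-off the post describes is one of exponent versus base, not a free win for either.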

UPDATE (June 2005)

Keith Brown has written a utility he calls Password Minder, which generates and stores passwords for use at different sites. He describes it in two of his Security Briefs columns in MSDN magazine last year:
Part 1 - Mind Those Passwords!
Part 2 - Password Minder Internals


Blogger Allan Wolff said...

Mr Jesperson has been publishing a series of columns at TechNet on Network Security. They can be found at

6:54 AM  
Blogger Allan Wolff said...

In the first of those articles, called The Fundamental Tradeoffs he states "Information technology is working properly only when users can stop thinking about how or why it works." That is a nice observation. And then he discusses the tradeoffs between Security, Usability and Cost.

7:25 AM  
Blogger Allan Wolff said...

Jesper Johansson (mentioned above) is quoted speaking at a conference in Australia as follows:
"How many have (a) password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of attendees raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."

That statement has been getting a lot of criticism, but I think some scheme to have different passwords is sensible, if not important. I am looking at software to store and even generate them as mentioned in another post.

George Ou in his column at ZDNet offers a strong critique.

8:30 PM  
Blogger Allan Wolff said...

I came upon some other links that comment on the issues of password security: Patrick Hynds thinks Jesper goes too far. He comments further on the issue elsewhere on his blog. Most recently on 26 July

4:29 PM  
