Strong passwords do not necessarily provide better security, so why do we persist in creating ones that are hard to guess — and hard to remember — when a computer can crack them in seconds, asks Bill Cheswick, distributed computing and communications researcher for AT&T Labs.
"It is simply poor engineering to expect people to create and remember passwords that computers cannot guess and in a reasonable amount of time," Cheswick told ZDNet.com.au.
"My biggest complaint is that we're insisting on very strong passwords, but we're not getting strong security for those passwords."
A job description for Cheswick has included "being famous", which he achieved at AusCERT 2008, for pointing out a few truths and making delegates laugh. He's interested in security that's too hard to ensure, passwords that are too hard to remember, graphs that are too hard to visualise, and VCRs that are too hard to program. He's even had a crack at mapping the Internet, which he did at Bell Labs in 1998.
Cheswick took a moment to chat with ZDNet.com.au to talk about:
- Growing doubts about Vista's security
  "It's unprecedented, no one's ever tried to clean up this much software. And I thought it looked promising but I'm starting to hear problems that are discouraging, so I'm not sure," said Cheswick.
- "One of the rules is you're never supposed to use the same password on lots of different systems. Yeah right, nobody does that."
- You don't need strong passwords for internet banking
  Why do you need a strong password when computers are able to guess thousands of combinations in microseconds?
- Skinny dipping on the Internet and the chewy enterprise
  Large organisations "are crunchy on the outside and chewy inside. Don't count so much on the firewall. I would rather the individual machines were solid enough that you didn't have to worry about it."
"Strong passwords do not ....... — when a computer can crack them in seconds, asks Bill Cheswick". Yeah right Bill!
I'd like to see a computer that can break a password that has 3 words of 4 or more characters in it each. I want to see the computer that can do that. Bill, you obviously don't know what you're talking about. I evaluated how long it'd take to crack my passwords & I believe with current technology it'd be about 20 thousand years with all the computing power currently available.
If you want to check that out consider 12 alphabetic characters of any value, several words, upper & lowercase values, numbers & it all makes sense to me. There are 390877006486250192896 possibilities to guess the right number to access my bank account. That's over three hundred and ninety quintillion apparently. I'm pretty sure my bank stops after 3 attempts so I figure I'm pretty safe for a while.
Without key-stroke software embedded on my computer it'll be a little difficult. Good luck!
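The keyspace arithmetic in the comment above, set beside Cheswick's point that guessing speed depends on where the guesses are made (a throttled bank login versus a leaked password hash), as an added example that is not part of the article or the comment. The guess rates and the 50,000-word dictionary are assumptions chosen for illustration.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, alphabet_size: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from an alphabet.
    12 letters in upper and lower case is 52 ** 12, the commenter's figure."""
    return alphabet_size ** length


def passphrase_keyspace(words: int, dictionary_size: int) -> int:
    """Passwords assembled from dictionary words: the guesser enumerates words,
    not letters, so the space is set by the dictionary, not the character count."""
    return dictionary_size ** words


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


# Assumed, illustrative rates (not from the article). A login that throttles or
# locks out after a few failures holds an attacker to about one guess per second;
# cracking a leaked hash offline runs at hundreds of millions of guesses per second.
ONLINE_THROTTLED_RATE = 1.0
OFFLINE_HASH_RATE = 1e9


def compare(space: int) -> dict:
    """Years to exhaust one keyspace under the online and offline rate assumptions."""
    return {
        "online_years": years_to_exhaust(space, ONLINE_THROTTLED_RATE),
        "offline_years": years_to_exhaust(space, OFFLINE_HASH_RATE),
    }


if __name__ == "__main__":
    cases = [
        ("12 mixed-case letters", keyspace(12, 52)),
        ("3 words from a 50,000-word dictionary (assumed)", passphrase_keyspace(3, 50_000)),
    ]
    for name, space in cases:
        r = compare(space)
        print(f"{name}: {space:.3g} candidates; "
              f"online ~{r['online_years']:.3g} years, offline ~{r['offline_years']:.3g} years")
```

Against a throttled login both passwords outlive the account holder; against an offline hash the three-word passphrase falls in days while the random 12-letter string still takes millennia, which is the gap between "strong password" and "strong security" that the interview is about.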