Weak, Easy-to-Remember Passwords a Familiar Crutch for Users

Weak, Easy-to-Remember Passwords a Familiar Crutch for Users:

http://threatpost.com/weak-easy-to-remember-passwords-a-familiar-crutch-for-users/

 

Just because a password is "Easy to remember" doesn't mean it has to be "weak."


----
rich

 

This sentence from the topic sums it up nicely:

I've bolded the critical part of that statement. Yesterday's data breaches are today's passphrase wordlists. I've found it is very hard to force users to abide by passphrase policies when given the option to use weaker iterations unless they are security focused. However to play devil's advocate even when strong passphrase policies are in place you still have users who when prompted to change passphrases, say every 30 days, will simply do the <insert old password here><number increments here>. (e.g. strongpassword becomes strongpassword1, strongpassword2, etc)

 

You can force than amount of character changes as well. I still hate those policies though, why change something that wasn't possibly breached? It just encourages easy-to-remember passwords, which tends to be weak without creativity (that only goes so far until ideas run out).

 

It's true that "easy to remember" doesn't have to equal "weak". We've been taught all wrong...

https://xkcd.com/936/


And this stuff about changing passwords is not always so great an idea either...

https://www.schneier.com/blog/archives/2010/11/changing_passwo.html

https://www.schneier.com/blog/archives/2009/08/password_advice.html

 

seriously why do you need to make your password strong? i doubt it is necessary as long as you don't attract the attention of hackers.

 

That's only if they specifically target you, don't forget automated tools that scour the Internet (with a list of default/weak passwords).