CYBEREYE—Commentary

With passwords, simplicity can equal strength

By this time, it comes as no surprise that passwords can provide lousy security. In theory, they are a great way to authenticate a user at an appropriate level of assurance with little overhead on either the user side or the back end. That might have been the case back when passwords were seldom used and remembering one was not difficult. But in an increasingly online environment in which a user can have a dozen or more passwords to keep straight and regularly rotate, it quickly becomes obvious that they do not scale well.

Most users quickly abandon the effort to keep multiple complex passwords unique or secure and instead use the same one or two passwords over and over for different purposes. On the system side, password resets are the bane of help desks. Couple those challenges with the increased computing power available for guessing or cracking passwords and it is obvious why there is so much interest in certificates, tokens, biometrics and other authentication schemes.

It seems a shame to give up on passwords when in theory they are so simple. And simplicity could be the key to keeping them viable.

In a recent blog posting, Mushegh Hakhinian, security architect at IntraLinks Inc., pointed out the paradox that very long passwords, or passphrases, can be easier to remember than shorter but more complex passwords and can provide more security. That is because a passphrase that contains 16 letters that are not case sensitive — and no numerals or special characters — offers in the neighborhood of 10 million times as many possible combinations as an eight-character complex password that uses upper and lower case, numerals, and other characters.

A 12-character complex password in theory can provide more security than a simple passphrase, but remembering such a password can be difficult enough that a user weakens its security by having to write it down. There is also a tendency to use passwords for multiple accounts and change them in predictable patterns.

A disclaimer is appropriate here: Hakhinian is not a completely disinterested observer. IntraLinks makes collaboration and workflow tools that use authentication, and the company’s most recent release supports the use of longer passphrases.

But the logic is valid. The greatest strength of a complex password is that it is, at its best, complete gibberish. That is also its greatest weakness. A passphrase, on the other hand, can contain enough internal logic to make it easy for the user to remember, while its length, even when drawn from only a 26-letter character set, can give it adequate complexity.

For example, the phrase “thankgoditsfriday” is much easier to remember than a password containing $ and # among a jumble of numbers and upper- and lower-case letters. (OK, “thankgoditsfriday” might be a little too predictable, but given a minute, you can probably think up something less predictable that is equally secure and memorable to you.)
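The search-space arithmetic behind Hakhinian's comparison, and the caveat that a phrase built from common words is weaker than its letter count suggests, as an added example (not code from the column or from IntraLinks). Assumptions: "complex" means the 95 printable ASCII characters, a word-based guesser sees the phrase as words drawn from a fixed list, and the 5,000-word vocabulary and guess rate are constructed figures.

```python
import math
import string

# Alphabet sizes for the two policies the column compares. Assumption: the
# "complex" alphabet is all 95 printable ASCII characters (letters, digits,
# punctuation and the space); the column does not spell this out.
LOWERCASE = len(string.ascii_lowercase)                                        # 26
COMPLEX = len(string.ascii_letters + string.digits + string.punctuation) + 1   # 95


def search_space(alphabet_size, length):
    """Number of distinct strings of exactly `length` symbols from an alphabet
    of `alphabet_size` symbols, i.e. the brute-force search space."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy, in bits, of a string chosen uniformly at random from that space."""
    return math.log2(search_space(alphabet_size, length))


def ratio(policy_a, policy_b):
    """How many times larger policy_a's search space is than policy_b's.
    Each policy is an (alphabet_size, length) pair."""
    return search_space(*policy_a) / search_space(*policy_b)


def phrase_space(vocabulary_size, word_count):
    """Effective search space of a passphrase as seen by a guesser who tries
    word combinations rather than letters. Assumption: the phrase is exactly
    `word_count` words, each from a `vocabulary_size`-word list."""
    return search_space(vocabulary_size, word_count)


def years_to_exhaust(space, guesses_per_second):
    """Years needed to try every candidate at a constant guess rate
    (assumption: offline guessing against a fast, unsalted hash)."""
    return space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    policies = {"16 lowercase": (LOWERCASE, 16), "8 complex": (COMPLEX, 8), "12 complex": (COMPLEX, 12)}
    for name, policy in policies.items():
        print(f"{name:12s} {entropy_bits(*policy):6.1f} bits  {search_space(*policy):.2e} candidates")
    print(f"16-lowercase space / 8-complex space: {ratio(policies['16 lowercase'], policies['8 complex']):.2e}")
    # "thankgoditsfriday" guessed as 4 words from a 5,000-word list (constructed figure)
    print(f"4 common words: {phrase_space(5000, 4):.2e} candidates, "
          f"{years_to_exhaust(phrase_space(5000, 4), 1e9):.4f} years at 1e9 guesses/s")
```

Run as a script it prints the three policies side by side; the word-based figure shows why the column calls the example phrase "a little too predictable" despite its 17 letters.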

There is nothing earth-shattering here, and Hakhinian’s observations are not likely to stop work on digital signatures, biometrics, single sign-on and other solutions to the password problem. But it is a reminder that the simplest solution often is best. By lengthening and simplifying passwords into passphrases, we could probably get a lot more life out of many current authentication mechanisms without sacrificing security.

About the Author

William Jackson is a Maryland-based freelance writer.
