Reply to post: Re: No words in any language

Stop resetting your passwords, says UK govt's spy network


Re: No words in any language

That's not exactly true. For a single character, the guesser has a probability distribution over roughly 100 symbols. There are many more words in the English language, so the probability distribution is over a much larger set. It's certainly smaller than the set of permutations of all characters that make up the word, but it's bigger than a single character, by a lot. The human brain is better at remembering words than single characters, so why not leverage that? It's only a problem if you limit the length of passwords to a small number of characters (which some systems stupidly do) or you use a password quality check that only takes into account simple things like number and type of characters typed.

I think the point they're making here is that there are so many out-of-band ways of circumventing passwords now (due to the difficulty in remembering them), that fewer hackers are going to bother with brute-forcing hashes from a table dump, when they can just request your credit history and marketing report and use those to answer your "security questions".

Also, Bruce Schneier pointed out that if a hacker gains access to an account, they'll use it immediately for bad things, so the 90 day window doesn't help limit the damage, either.
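The entropy arithmetic behind the argument above, as an added worked example that is not part of the comment or the article. The ~100 symbols per character comes from the comment; the wordlist size, average word length and the class-counting quality checker are assumptions constructed for illustration.

```python
import math

# Constructed assumptions (not from the post): the post gives ~100 symbols per
# character; the wordlist size and average word length are illustrative guesses.
ALPHABET_SIZE = 100
WORDLIST_SIZE = 20000
AVG_WORD_LEN = 5


def char_entropy_bits(length, alphabet=ALPHABET_SIZE):
    """Guessing entropy of `length` characters drawn uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)


def word_entropy_bits(words, wordlist=WORDLIST_SIZE):
    """Guessing entropy of `words` words drawn uniformly from a `wordlist`-word dictionary."""
    return words * math.log2(wordlist)


def effective_passphrase_bits(words, max_len, word_len=AVG_WORD_LEN):
    """Entropy left when a system silently truncates the passphrase to `max_len`
    characters: only the whole words (each followed by a separator) that fit still
    count. Approximation: a partially kept word is ignored."""
    words_kept = min(words, max_len // (word_len + 1))
    return word_entropy_bits(words_kept)


def naive_quality_score(password):
    """Hypothetical checker of the kind the post criticises: it counts character
    classes and a minimum length only, so it cannot see how much is actually guessed."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() and not c.isspace() for c in password),
    )
    return sum(classes) + (1 if len(password) >= 8 else 0)  # 0..5


if __name__ == "__main__":
    print(f"one character:              {char_entropy_bits(1):6.1f} bits")
    print(f"one word:                   {word_entropy_bits(1):6.1f} bits")
    print(f"8 random chars:             {char_entropy_bits(8):6.1f} bits  "
          f"score={naive_quality_score('P@ssw0rd')}")
    print(f"4 random words:             {word_entropy_bits(4):6.1f} bits  "
          f"score={naive_quality_score('correct horse battery staple')}")
    print(f"same 20 letters, any order: {char_entropy_bits(4 * AVG_WORD_LEN):6.1f} bits")
    print(f"4 words capped at 8 chars:  {effective_passphrase_bits(4, 8):6.1f} bits")
```

The class-counting checker scores the 8-character password higher than the four-word passphrase even though the entropy model rates the passphrase higher, and the length cap collapses the passphrase to the entropy of a single word.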


Biting the hand that feeds IT © 1998–2019