"The pronounceable words approach is better if you want to remember the password and type it in. But it would be undermined if huge numbers of people weren't also using numbers and symbols in their passwords."
That's not actually true. What matters is ultimately the number of possible combinations that need to be guessed. The advantage of words is that there are an awful lot of them, and we're able to remember phrases with lots of them strung together. Even if every person in the world changed to only ever use whole, correctly spelled English words all in lowercase, it's still trivial to create a password much stronger than random symbols can manage. Just think how many songs you know the words to, how many film and book quotes you can remember, and so on. A password consisting of the first line or two of a song is far stronger than one made up of a random assortment of 20 symbols even if the attacker knows it's 10 or 20 real words, and it's orders of magnitude stronger again if they don't know that.
Social engineering is a potential problem, but not really any more so than it already is. If you're stupid enough to use the tag line from the latest Hollywood blockbuster as your password then it's going to be easier to guess, but the sort of person who would do that is probably using password1 to start with so it's not going to make things any worse. Otherwise, even using a quote from your favourite childhood book is essentially impossible to attack for the usual scenario of someone trawling through a big pile of credentials stolen from a big site, since obviously they have no way to know who you are at all, let alone the ability to guess what your favourite book might be.
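The comparison the reply makes (20 random printable symbols versus 10 or 20 dictionary words, with and without the attacker knowing the password is made of words) can be put in numbers by counting the size of the search space in bits. The following is an added example, not code from anyone in the thread; the alphabet sizes (95 printable ASCII characters, a 10,000-word vocabulary, 27 characters for lowercase letters plus space, an average of 6 characters per word including its separator) and the guess rate are assumptions chosen for illustration.

```python
import math

# Assumed alphabet and vocabulary sizes (constructed for this example).
PRINTABLE_ASCII = 95          # printable ASCII characters an attacker must consider
COMMON_WORDS = 10_000         # a modest English vocabulary an attacker might enumerate
LOWERCASE_PLUS_SPACE = 27     # what the phrase looks like if the attacker does NOT know it is words
AVG_CHARS_PER_WORD = 6        # assumed average word length including the separating space
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly and independently
    from `alphabet_size` options: log2(alphabet_size ** length)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to enumerate the entire space at a fixed guess rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare_passphrase_models(word_count: int, symbol_count: int = 20) -> dict:
    """Return the entropy, in bits, of the models discussed in the reply:
    - symbols: `symbol_count` random printable characters
    - words_known: `word_count` words, attacker knows they are dictionary words
    - words_unknown: same phrase, attacker treats it as random lowercase text
    """
    return {
        "symbols": entropy_bits(PRINTABLE_ASCII, symbol_count),
        "words_known": entropy_bits(COMMON_WORDS, word_count),
        "words_unknown": entropy_bits(LOWERCASE_PLUS_SPACE, word_count * AVG_CHARS_PER_WORD),
    }


if __name__ == "__main__":
    # Assumed guess rate for an unsalted fast hash on GPU hardware (illustrative only).
    RATE = 1e10
    for words in (10, 20):
        model = compare_passphrase_models(words)
        print(f"{words} words vs 20 symbols:")
        for name, bits in model.items():
            print(f"  {name:14s} {bits:6.1f} bits  "
                  f"~{years_to_exhaust(bits, RATE):.2e} years to exhaust at {RATE:.0e}/s")
```

Under these assumptions 20 random printable symbols come to about 131 bits, 10 words from a 10,000-word list to about 133 bits, and 20 such words to about 266 bits, which matches the reply's ordering. The figures rest on each word being chosen independently at random; a phrase that appears verbatim in a lyrics or quotations corpus is, to a cracker who loads that corpus, a single candidate rather than a product of independent choices, so the "words_known" figure is the honest estimate only for phrases that are not public text.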