Skip to main content

Mathematics makes strong case that “snoopy2” can be just fine as a password



By now, most readers know the advice cold. Use long, randomly generated passwords to lock down your digital assets. Never use the same password across two or more accounts. In abstract terms, the dictates are some of the best ways to protect against breaches suffered by one site—say, the one that hit Gawker in 2010 that exposed poorly cryptographically scrambled passwords for 1.3 million users—that spread like wildfire. Once hackers cracked weak passwords found in the Gawker database, they were able to compromise accounts across a variety of other websites when victims used the same passcode.

A team of researchers says the widely repeated advice isn't feasible in practice, and they've provided the math they say proves it. The burden stems from the two foundations of password security that (A1) passwords should be random and strong and (A2) passwords shouldn't be reused across multiple accounts. Those principles are sound when protecting a handful of accounts, particularly those such as bank accounts, where the value of the assets being protected is considered extremely high. Where things break down is when the dictates are applied across a large body of passwords that protect multiple accounts, some of which store extremely low-value data, such as the ability to post comments on a single website.

Employing even relatively weak, 40-bit passwords (say, one with eight lower-case characters) across 100 accounts is equivalent to recalling 1,362 randomly chosen digits or 170 random eight-digit PINs, something that's well beyond the capabilities of most people. Reducing the number of bits by choosing more memorable passwords such as "password123" and "123456" helps ease the burden. But even then, users must have under their control 525 bits just to remember which weak password goes with which account. That's more than double what's required to memorize the order of a shuffled deck of cards. Yes, people can use password managers, but those available in the cloud may be susceptible to online attacks, and those that aren't Web-based lose one of the major advantages of passwords, which is their ability to be entered across any client device.

"So the two staples A1, A2 of password advice appear impossible to meet individually, let alone simultaneously," the researchers wrote in a paper titled Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts. "How do users proceed? They 'cheat' on A1 by choosing passwords far weaker than advised. But this isn't enough—no matter how weak the passwords, a user must still remember lg(N!) [that is, which password corresponds to each of N accounts in their account portfolio] random bits for password assignment. A further coping strategy is needed."

The researchers propose managing passwords based on unique attributes of each account, rather than following a one-size-fits-all approach. Using an elaborate system of mathematical formulas, the researchers propose assigning each account with a value P based on the probability a given account password will be compromised and a value L assessing the loss that would be incurred in such a compromise. Those cases where P and L are sufficiently low aren't deserving of rules that take time and energy away from more productive security endeavors. In other words, for a significant percentage of accounts, "snoopy2" may be perfectly adequate.

"While the optimal strategy involves selective re-use and weaker passwords, benefits accrue only if the effort saved is re-deployed elsewhere for better returns," the researchers wrote. "Users must not arbitrarily weaken and re-use passwords. The empirical studies are needed to determine if our guidelines can be followed by users."

The researchers, from Microsoft and Carleton University in Ottawa, Canada, don't provide any definitive advice. Rather, they suggest people group together accounts with high value and low probability of compromise and those with low value and high compromise probability.

The paper provides mathematical support for a practice some people have long employed—that is, foregoing a strict password regimen across the board. There's little return on the investment of choosing a strong, unique password to lock down a free New York Times account that does nothing more than let website operators track which stories a visitor is reading. The effort saved is much better put into picking a good password to protect online banking and e-commerce accounts.

Popular posts from this blog

Build Your Own Awesome Personal 3D Avatar with Avatara

Do you use social networks and want to build your own awesome 3D avatar? Maybe you want to send someone a cute cuddly image of yourself (kind of)? Or maybe you have your own ideas of what you would do with an Avatar… Well look no further than Avatara which I discovered from the MakeUseOf directory . You can create 3d avatars out of pre-set up templates or create your own from scratch. To start, visit Avatara’s homepage . You will see this screen: Click Get Started to umm, get started! That will take you to this screen: You see that you can build your own Avatar using an uploaded head shot like the Obama one above (just an example, guys). Or roll with one of their awesome avatars. I chose to start with a blank avatar by clicking Start with a blank avatar at the bottom of the screen. That takes you to here: I clicked on the filter at the top and told it to filter out everything but male characters and then I saw this: I rolled with Buck and continued. You need to click Select...
1 comment
Read more

MoviePass drops pricing to under $7 per month, if you opt for the annual plan

MoviePass, the subscription service that lets consumers pay a monthly fee to see unlimited movies in theaters across the U.S., is slashing its prices yet again. The company announced today it’s now offering its service for $6.95 per month, down from the current price of $9.95 per month, when customers commit to a one-year subscription plan. That works out to a flat fee of $89.95 annually. The deal is a limited-time promotion, as opposed to a permanent pricing change, but MoviePass didn’t say how long the offer is valid. However, it is open to both new and existing subscribers – the latter who would receive a 25 percent savings on their current subscription if switching over to the annual plan. This is not the first time that MoviePass has dropped its pricing. When the company introduced its $9.95 per month, one-movie-per-day plan this August, down from $15 for 2 movies per month (or more in select markets like L.A. and NYC, and going as high as $50), it saw so many new sign-up...
2 comments
Read more

ASUS VivoBook X202E Windows 8 Touchscreen Laptop Review And Giveaway

It wasn’t very long ago when prices of touchscreen Windows 8 laptops soared beyond $1000. Thankfully, those days are behind us, and portable computers can easily be purchased – touchscreen and all – for under $500. That’s precisely the demographic in which the ASUS VivoBook X202E falls. When compared to a high-end laptop, its specifications might seem modest, but for laptop buyers just looking for a way to browse the web, watch videos, use basic apps, and not spend too much money, something in this budget is perfectly suitable. The question is, of course, how does the ASUS VivoBook X202E compare to others on the market, and is it the one which you should be spending your hard-earned money on? Well, you’re just going to have to keep reading to find out. Best of all, we are giving away an ASUS VivoBook X202E to one lucky winner. Keep reading for your chance to take home this Windows 8 touchscreen laptop! Introducing the ASUS VivoBook X202E Laptop The ASUS VivoBook X202...
Read more