Schneier on Passwords

I’m a big fan of Bruce Schneier, I think he’s probably the best plain-speak security guy around, one that can see past the bluff and bluster to the underlying issues. He calls the TSA and their ilk on bullshit airport security procedures regularly, for example, and watching him out the latest “unbreakable” cipher as complete guff is a wonder to behold.

In this Wired article he goes into how easy most passwords are to crack, including – much to my surprise – passwords that I would have considered relatively secure, such as a pronounceable root with an appendage. I found the comparative frequencies of prefixes and suffixes particularly interesting. Of course, as Bruce constantly tells us, security is relative, so your passwords should be too.

Here’s the critical paragraph, although I’d recommend reading the entire article for context, and just because it’s as well-written as nearly all of Bruce’s pieces:

So if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.
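As an added illustration of the root-and-appendage shape Bruce is describing (example code written for this post, not taken from the article or from Bruce; the root and appendage lists are tiny constructed stand-ins, not real cracking dictionaries), here is a checker that flags the patterns his paragraph warns against and passes the variants it recommends:

```python
import re

# Constructed stand-ins for the root and appendage lists the article describes.
# Real cracking dictionaries run to many thousands of entries.
COMMON_ROOTS = {"password", "letmein", "monkey", "dragon", "sunshine", "welcome"}
COMMON_APPENDAGES = {"", "1", "12", "123", "1234", "!", "1!", "2008", "99"}

# The "common substitutions" the article says not to rely on; undoing them
# turns p@ssw0rd back into password before the root is looked up.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})

# prefix appendage (non-letters), root (as little as possible), suffix appendage (non-letters)
APPENDAGE_SPLIT = re.compile(r"^([^A-Za-z]*)(.*?)([^A-Za-z]*)$")


def weak_pattern(password):
    """Return a short reason if the password has the root+appendage shape
    crackers try first, or None if it falls outside those common patterns."""
    prefix, root, suffix = APPENDAGE_SPLIT.match(password).groups()
    if not root:
        return "no alphabetic root"
    # Lowercase and undo substitutions so P@ssw0rd and Password both map to "password".
    normalised = root.lower().translate(LEET)
    # Crackers try all-lowercase and initial-capital roots; case changes in the
    # middle of the root, as the article advises, fall outside that pattern.
    plain_case = root.islower() or root == root[:1].upper() + root[1:].lower()
    if (normalised in COMMON_ROOTS
            and prefix in COMMON_APPENDAGES
            and suffix in COMMON_APPENDAGES
            and plain_case):
        if root.lower() != normalised:
            return "common root with common substitutions"
        return "common root plus common appendage"
    # Appendage dropped into the middle of the root, or two roots joined by an
    # appendage, leave no common root to match, so these come back as None.
    return None


if __name__ == "__main__":
    for candidate in ["password1", "P@ssw0rd!", "pass123word", "monkey1dragon", "pasSWord1"]:
        print(f"{candidate:15} -> {weak_pattern(candidate)}")
```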

I agree strongly with his recommendation that a password store should be used by anyone needing to deal with large numbers of passwords. Personally I use KeePass, but I’ll be switching back to PasswordSafe shortly because no matter how hard I try, KeePass databases simply can’t be used across platforms.