I’ve written here often (most recently just last week) about the problems with the use of passwords as an authentication mechanism, especially as the sole authentication mechanism. There have been thousands of words of well-intentioned advice written on how to choose a good password. One of the recent efforts in this vein is part of an online security guide from Google, Good to Know. Its “Stay Safe Online” section includes a page of password advice, most of which is very good. The page makes some very important points, including:
- Use unique passwords for your important accounts. This includes not only the really obvious ones, like on-line banking, but also your E-mail accounts. The “Forgot My Password” procedure at most sites involves sending you an E-mail. If the Bad Guy can read all your mail, he can reset all your other passwords at his convenience.
- Use long passwords.
- Make sure any password recovery options are up to date. Be especially careful with sites that use “Secret Questions“, which are often not all that secret.
The article also includes some suggestions for choosing good passwords, including a common idea: use the initial letters of a phrase. The example Google uses is “To be, or not to be, that is the question”, which might give the password
2bon2btitq, with some obvious substitutions. At first glance, this seems like a reasonable choice.
However, as Joseph Bonneau writes at Light Blue Touchpaper, the security research blog of the Computer Laboratory at the University of Cambridge, the choice is not as good as you might think. He looks at the large sample of actual passwords from the RockYou password database, leaked back in 2009, and finds that
2bon2btitq was chosen by some users.
In the leaked 2009 RockYou dataset, 4 people out of 32,603,387 picked ‘2bon2btitq’ and 5 picked ‘2bon2b.’ The roughly one-in-a-million probability sounds impressive, but it only puts people using these passwords in the 50th and 48th percentiles of security. In other words, Google’s advised password is more common than what half of users choose.
Now, it is probably true that this password is unlikely to be guessed in an online attack, but it is quite possible that an attacker might pre-compute a file of all 32,603,387 encrypted passwords; if he then got a copy of the encrypted password file, he would own your account.
This reminds us, once again, that in the presence of knowledgeable and persistent attackers, and ubiquitous Internet connectivity, a superficial security analysis is not good enough; and putting all of one’s eggs in the password basket is probably not wise.
(Incidentally, I don’t intend this as a dig at Google. I think they are to be commended for providing users with some sensible security advice, even if one of their examples raises some questions.)