Passwords - an old problem

When a string is the only thing protecting our data from prying eyes we just hope that is secure and easy to maintain.

Password are still one of the most used security mechanisms. Facebook demands a login combination, your e-mail account also does and it keeps going. The problem with password management is its (lack of) scalability. When we have a huge list of passwords to manage we simply cannot memorize them all. And then we start screwing up: the classic yellow post-it with the passwords we need or using the same password everywhere.

A solution is to use password managers, such as Keepass (offline) or LastPass (online). Even these solutions are not bullet proof. Offline tools can have compatibility issues between multiple devices we use everyday: computers, tablets, smartphones or even smartwatches. This means the lack of support in one of these devices prevents you from accessing your passwords. When using online tools, you can access with any device given it has a web browser. However, we’re giving all our passwords to someone we don’t fully know…

XKCD #936: Password Strength
XKCD #936: Password Strength

If the idea is to memorize passwords, then you can use this tip by XKCD. These kind of passwords (which actually are passphrases) can have more complexity than a small set of random characters. For instance, the passphrase “With my Email I can organize my day. Very good!!!!” has 49 characters. Each one can be a number, a lower case char, a upper case char or common sentence symbols (period, exclamation marks and so on). Worst case scenario, an automated system using bruteforce would need 49^(10+26+26+5) tries. That’s some number power 113, which is a lot. The passphrase is easy to memorize, fully customizable and can be shared easily in any conversation.

Given this, there is still any point to have unfriendly password enforcement policies?