
Good passwords and bad passwords

Markus Jakobsson has a nice column on wired.com about passwords, what to do and what not to do. While he makes a nice point about security vs. practicality (and the bad password 'evaluation' of most sites), I think he basically gives flawed advice. His advice is to just append words to build a long password, but that means a hacker can easily mount a dictionary attack, because this new password is basically a 3-letter word where your alphabet is the dictionary. The entropy changes a bit, but that's it.

My approach is to have a moderately strong password for websites I don't particularly care about. I use that one on pretty much all websites I visit. I also have a super strong password (18 chars, punctuation, letters, digits) for my ssh accounts at home and my keepass2 file. The rest - sites I do consider "important" to be secure - have passwords that are generated by a password generator, in other words, completely random. They are stored in my keepass2 file that sits on my Dropbox. I can access it from my phone and PCs. It is encrypted so nobody can read it (until someone cracks it, that is).
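To put numbers on the two points above (appended dictionary words have the dictionary as their alphabet, and a generated password is uniformly random over its character set), here is an added example; it is not code from the post or from any password manager. The 20,000-word dictionary, the three-word passphrase and the 10^10 guesses-per-second attacker are constructed assumptions chosen for illustration, and the generator uses Python's `secrets` module rather than any specific tool.

```python
import math
import secrets
import string

# Letters, digits and punctuation: 94 printable ASCII symbols (no space).
RANDOM_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a secret built from `length` independent, uniformly
    random picks out of `alphabet_size` symbols: length * log2(alphabet_size)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one pick")
    return length * math.log2(alphabet_size)


def word_passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy of a passphrase made by appending `words` dictionary words.
    The attacker's alphabet is the dictionary, not the 26 letters, so the
    character length of the result does not matter; only the word count does."""
    return entropy_bits(dictionary_size, words)


def equivalent_random_length(bits: float, alphabet_size: int = len(RANDOM_ALPHABET)) -> float:
    """Number of uniformly random characters (from `alphabet_size` symbols)
    that carry the same `bits` of entropy."""
    return bits / math.log2(alphabet_size)


def generate_password(length: int = 18, alphabet: str = RANDOM_ALPHABET) -> str:
    """Uniformly random password drawn with the `secrets` CSPRNG (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guesses_to_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected seconds to search half the key space at a given offline guess rate."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    # Constructed figures: a 20,000-word dictionary, 3 appended words, and an
    # attacker doing 1e10 offline guesses per second against a fast hash.
    words_bits = word_passphrase_bits(20_000, 3)
    random_bits = entropy_bits(len(RANDOM_ALPHABET), 18)
    print(f"3 words from a 20k dictionary: {words_bits:.1f} bits "
          f"(about {equivalent_random_length(words_bits):.1f} random chars)")
    print(f"18 random printable chars:     {random_bits:.1f} bits")
    for label, bits in (("words", words_bits), ("random", random_bits)):
        print(f"  {label}: {guesses_to_seconds(bits, 1e10):.3g} s at 1e10 guesses/s")
    print("sample generated password:", generate_password())
```

Under those assumptions three appended words come out at roughly 43 bits, the same as about six and a half random printable characters, while the 18-character generated password is near 118 bits; the word scheme only grows by log2(dictionary size) per extra word, which is what "entropy changes a bit" amounts to.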

So, to summarize, I have two passwords to remember: My regular one and my super strong one.

Problem solved.
