Stop Lengthening your Passwords. It’s futile.

25-GPU cluster cracks every standard Windows password in <6 hours

For the time being, readers should assume that the vast majority of their passwords are hashed with fast algorithms. That means passwords should never be less than nine characters, and using 13 or even 20 characters offers even better security. But long passwords aren’t enough. Given the prevalence of cracking lists measured in the hundreds of millions, it’s also crucial that passwords not be names, words, or common phrases. One easy way to make sure a passcode isn’t contained in such lists is to choose a text string that’s randomly generated using Password Safe or another password management program.

via Ars Technica

The operative phrase in that quote is “for the time being.” You can increase the number of characters in your password all you want; some guy is just going to build a 35-GPU cluster and crack it next week.

As I’ve said before, the concept of username and password needs to die a quick and horrible death.

Just as the TSA has it all wrong, treating everyone as guilty until proven innocent, so too does computer security waste time and money targeting the wrong people. And, similarly, it’s terrible at stopping actual criminals.

The current crop of security experts keeps reacting to this issue with more and more user-hostile solutions. Make the passwords longer. Make sure they don’t use complete words. Force them to have at least one number, one special character, one capital letter. Change it every three months. Take off your shoes. No more than 3 ounces of liquids…

I’m sorry, but that’s crap. If you walk up to me, I can tell whether it’s you or not immediately, without you doing anything. My phone needs to do the same thing, or at least something similar.

Imagine a world where a computer simply recognizes you, and you go to work. The burden rests on the computer, not on the user.

I know that’s not easy. So get some money together, assemble a team of the smartest people in the world, and get on it. There’s billions of dollars to be made for anyone who solves this problem. Is that not exactly the sort of thing Silicon Valley startups are supposed to be doing with all that venture capital?

Or are we just going to be finding new ways to share pictures of bacon for the next ten years?