Snowden's Password Idea: Strange, but Not Terribly Secure

Edward Snowden recommended last week that people use longer "passphrases" instead of passwords for extra security. One of his suggestions: something unusual and counterintuitive like "MargaretThatcheris110%SEXY." But cryptography expert Joseph Bonneau tells Andy Greenberg, writing for Wired, why Snowden's approach leaves much to be desired. To wit:

• It's the randomness of the password (or phrase), not the length of it, that will throw people. "Just because something's a phrase and it's longer, people get fixated on that," Bonneau says. "The length doesn't mean that much to your adversary."

• Bonneau notes that Snowden's tactic might work if you're dealing with a service provider that shuts hackers down after just a few attempts. But if the bad guys are trying to get into your computer, they could go to town indefinitely (and will be more likely to eventually figure out the password).

• In Bonneau's own study, the code-cracking ace found that even unusual user-chosen combinations follow certain linguistic patterns, and the right algorithm can pick up on those. The same applies to using mnemonic devices.

• What Bonneau says may work: using a "throw the dice" method that more randomly assigns words to passphrases, in order to come up with a password or passphrase that truly makes no sense.

Click for the full piece—or a list of the worst passwords you could possibly use. (More Edward Snowden stories.)