Snowden's Password Idea: Strange, but Not Terribly Secure
Cryptography expert says 'MargaretThatcheris110%SEXY' just wouldn't cut it
By Jenn Gidman,  Newser Staff
Posted Apr 14, 2015 1:32 PM CDT
Edward Snowden talks with Jane Mayer via satellite at the 15th Annual New Yorker Festival on Oct. 11, 2014, in New York.   (Christopher Lane/AP Images for The New Yorker)

(Newser) – Edward Snowden recommended last week that people use longer "passphrases" instead of passwords for extra security. One of his suggestions: something unusual and counterintuitive like "MargaretThatcheris110%SEXY." But cryptography expert Joseph Bonneau tells Andy Greenberg, writing for Wired, why Snowden's approach leaves much to be desired. To wit:

  • It's the randomness of the password (or phrase), not the length of it, that will throw people. "Just because something's a phrase and it's longer, people get fixated on that," Bonneau says. "The length doesn't mean that much to your adversary."

  • Bonneau notes that Snowden's tactic might work if you're dealing with a service provider that shuts hackers down after just a few attempts. But if the bad guys are trying to get into your computer, they could go to town indefinitely (and will be more likely to eventually figure out the password).
  • In Bonneau's own study, the code-cracking ace found that even unusual user-chosen combinations follow certain linguistic patterns, and the right algorithm can pick up on those. The same applies to using mnemonic devices.
  • What Bonneau says may work: using a "throw the dice" method that more randomly assigns words to passphrases, in order to come up with a password or passphrase that truly makes no sense.
Click for the full piece—or a list of the worst passwords you could possibly use.
 

My Take on This Story
Show results without voting  |  
8%
44%
2%
18%
8%
20%