Over in a fenland blog, there is a little discussion going on about passwords. Evidently, Google has been doing some advertising about what makes a good password, and this has come in for some criticism.
In that blog post, Joseph Bonneau proposes an alternative one-liner:
A really strong password is one that nobody else has ever used.
(One of the commentors (J. Carlio) suggests modifications to add something about memorability. )
This is a seductive idea: it is, broadly, true. It encapsulates the idea that you are trying to defeat brute force attacks, and that these generally succeed by attempting plausible passwords.
But I don’t think it’s good advice. That is mainly because many people are poor with estimates that surround very large numbers: whether the likelihood of my password being used by someone else is one in a thousand, one in a million, one in a trillion (the word of the week, thanks to national debts) is something that, I would say, few people have a good intuition about. In just the same way, people are poor at risk assessment for unlikely events.
It’s also insufficient because someone following this advice will tend to under-estimate the power of brute force search: if you are a player of the National Lottery, you choose some numbers at random, and hope that no one else will choose the same numbers (so that if you win, you do not have to share the prize). But the very act of playing the lottery, still less the heuristics people use for choosing ‘unlikely’ combinations, show many up as being poor with these kinds of estimates. A string consisting of your favourite lottery numbers would of course be quite a poor password (though just how poor depends a great deal on your attacker assumptions).
I’m reminded of a fairly recent letter to a national newspaper, where the correspondent reported that his habitual password was his former National Service Army Number (which was, I think, some 6-8 digits, perhaps with a letter or two). He reasoned that this was unique, unlikely to be available to anyone else, and, at this remove from national service days, unlikely to be recorded in any accessible place. All of these assumptions are doubtful, and all the more so after his letter was published – even though he clearly imagined that he had made a password which precisely matched Bonneau’s prescription.
All of this sounds like a rather familiar lesson from usable security, albeit in a new guise. Back to square one on password advice.