In “A Strong Password Isn’t the Strongest Security” (The New York Times, Digital Domain, September 5, 2010), Randall Stross rightly points out the fallacy of “strong” passwords, which are “changed constantly.” Mr. Stross goes on to describe a method developed by Microsoft researchers Cormac Herley and Stuart Schechter, and Harvard’s Michael Mitzenmacher, whereby any particular password is limited to a “tiny percentage” of users. The researchers claim that such an approach greatly reduces the chances that a bad guy would guess the password.
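To make the “tiny percentage” mechanism concrete, here is an added illustration (not code from the column, the researchers, or Microsoft) of how a site can cap how many accounts share any one password without storing a list of popular passwords. The published Herley/Schechter/Mitzenmacher proposal used a count-min sketch for this; the sketch below is a straightforward implementation of that data structure, and the sizes, the 0.1% share limit and the `register_password` helper are my assumptions for the demo.

```python
import hashlib
from typing import List


class PasswordPopularityOracle:
    """Count-min sketch that tracks roughly how many accounts use each password.

    Assumption (illustrative parameters, not the researchers' deployment values):
    - `depth` independent hash rows of `width` counters each
    - record(pw) increments one counter in every row
    - estimate(pw) takes the minimum across rows, so it never under-counts:
      a hash collision can only cause a false rejection, never admit a
      password that has already reached the cap.
    """

    def __init__(self, width: int = 1024, depth: int = 4,
                 max_share: float = 0.001, user_count: int = 10_000):
        self.width = width
        self.depth = depth
        self.table = [[0] * width for _ in range(depth)]
        # Cap on accounts per password: a "tiny percentage" of the user base.
        self.limit = max(1, int(max_share * user_count))

    def _indexes(self, password: str) -> List[int]:
        # One independent index per row, derived from a salted SHA-256 digest.
        idx = []
        for row in range(self.depth):
            digest = hashlib.sha256(f"{row}:{password}".encode()).digest()
            idx.append(int.from_bytes(digest[:8], "big") % self.width)
        return idx

    def estimate(self, password: str) -> int:
        return min(self.table[r][i] for r, i in enumerate(self._indexes(password)))

    def is_allowed(self, password: str) -> bool:
        return self.estimate(password) < self.limit

    def record(self, password: str) -> None:
        for r, i in enumerate(self._indexes(password)):
            self.table[r][i] += 1


def register_password(oracle: PasswordPopularityOracle, password: str) -> bool:
    """Hypothetical signup hook: accept the password only while it is below the cap."""
    if not oracle.is_allowed(password):
        return False
    oracle.record(password)
    return True


def simulate(popular: str = "password1", n_attempts: int = 12) -> dict:
    """Constructed scenario: many users pick the same password; count how many get through."""
    oracle = PasswordPopularityOracle()
    accepted = sum(register_password(oracle, popular) for _ in range(n_attempts))
    return {
        "limit": oracle.limit,
        "accepted": accepted,
        "rejected": n_attempts - accepted,
        "unpopular_still_allowed": oracle.is_allowed("correct horse battery staple"),
    }


if __name__ == "__main__":
    print(simulate())
```

The site keeps only the counters, never the passwords, so the sketch adds no new plaintext to protect; the trade-off is that the sketch itself must be guarded, since anyone who can query it can probe which passwords are near the cap.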
The first question I have is: “Why did the NYT reporter take so long to publish this article?” After all, Simson Garfinkel wrote “Passwords that are Simple—and Safe,” in MIT’s Technology Review as far back as July 19, 2010 … and seven weeks or so is an eternity in reporting time. Mr. Garfinkel referred to the same Microsoft/Harvard article.
My second question is: “So what does this ‘new method’ accomplish?” The article perpetuates a long-held fallacy that those with evil intent will merely try to guess any given password or, given access to files of encrypted passwords, can use brute force to break the codes in a so-called “dictionary attack.” While this is true in theory, it is not clear that password guessing or brute-force attacks are nearly as big a threat as keylogging, which Stross describes, and phishing or other means of fooling someone into disclosing his or her password (a.k.a. social engineering), which he does not mention. Three points are to be made here: one, the Microsoft/Harvard approach does nothing to guard against keylogging, phishing and the like; two, if brute-force methods are used, they often can break encrypted passwords in hours (not months); and, three, the only effective application of passwords is, in my opinion, the use of one-time passwords.