Companies that force employees to create complicated, hard-to-remember passwords are taking the wrong approach to corporate security, according to a report by an IBM Security Intelligence researcher.
Dr. Anja Lehmann, a cryptographer at IBM, said in the report that a short and simple password can be secure if it is verified properly, noting that even the most complicated alphanumeric password a human can possibly create can be broken in less than a second.
“According to the National Institute of Standards and Technology (NIST), a human-generated password of 16 characters contains only about 30 bits of entropy, which translates to about 1 billion possibilities. With modern password-cracking devices testing more than 300 billion passwords per second, even your 16-character password will be cracked in no time,” Lehmann said.
Making the old-fashioned method of password creation even more obsolete is the fact that most passwords are not cracked at the login screen at all: the stored password data is simply taken from a company's server and attacked offline. Lehmann sees a way to prevent this from happening.
Instead of placing the burden of creating a secure password on the end user, or the burden of maintaining security on a single server, Lehmann said companies should split the information needed to verify (and therefore to crack) a password across several different servers. This creates a scenario where a criminal must compromise numerous servers in order to steal a staffer's password, because the data held by any one of them is useless on its own. This task can be made harder still by having the servers run different operating systems and be managed by different system administrators, so that one exploit or one compromised administrator account does not open all of them.
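The following is an added illustration of the idea, not code from IBM or from Lehmann's protocol (her published designs are more sophisticated than this). It assumes a simplified scheme: the password-hash verifier is XOR-split into one random-looking share per server, so a database dump from any single server (or from all but one) cannot be used to test password guesses offline. The server count, the PBKDF2 parameters and the sample passwords are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed work factor for the demo
N_SERVERS = 3                 # assumed number of verification servers


def derive(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2-HMAC-SHA256) that becomes the secret to split."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def split_secret(secret: bytes, n: int) -> list:
    """XOR secret sharing: n-1 uniformly random shares plus one that makes them
    XOR back to the secret. Any n-1 shares are statistically independent of it."""
    shares = [os.urandom(len(secret)) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    shares.append(last)
    return shares


def combine_shares(shares: list) -> bytes:
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


def register(password: str, n: int = N_SERVERS) -> dict:
    """Enrol a user: hash the password, split the hash, give server i share i.
    Only the salt (not secret) is replicated to every server."""
    salt = os.urandom(16)
    return {"salt": salt, "shares": split_secret(derive(password, salt), n)}


def verify(record: dict, password: str, shares: list) -> bool:
    """Login: every server contributes its share, the coordinator reconstructs
    the verifier in memory and compares it in constant time."""
    expected = combine_shares(shares)
    return hmac.compare_digest(expected, derive(password, record["salt"]))


def offline_guess(salt: bytes, stolen_shares: list, candidates: list):
    """What an attacker who dumped some servers can do: treat the XOR of the
    stolen shares as the target and try candidate passwords against it.
    With fewer than all shares the target is uniformly random, so no guess
    (short of a 2**-256 fluke) ever matches."""
    target = combine_shares(stolen_shares)
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate, salt), target):
            return candidate
    return None


if __name__ == "__main__":
    rec = register("correct horse battery staple")   # constructed sample
    print("login ok:", verify(rec, "correct horse battery staple", rec["shares"]))
    print("one server dumped, cracked:",
          offline_guess(rec["salt"], rec["shares"][:1], ["password", "correct horse battery staple"]))
    print("all servers dumped, cracked:",
          offline_guess(rec["salt"], rec["shares"], ["password", "correct horse battery staple"]))
```

The point of the diversity advice in the text is visible here: the only way to get a usable target is to hold every share at once, so each server that an attacker cannot reach with the same exploit or credential is an independent hurdle. Note the caveat this toy scheme shares with the article's summary: during a login the coordinator briefly holds the full verifier, so an attacker who controls the login path at runtime (rather than merely stealing databases) is outside this model.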
However, this bit of news is not stopping one energetic entrepreneur from attempting to make a few dollars. Mira Modi, 11, has created a business called dicewarepasswords.com that uses Diceware to make passphrases for her customers, according to boingboing. This method uses actual dice, just like one would use to shoot craps or play Monopoly: five rolls of a die produce a five-digit number (each digit from 1 to 6), that number is matched to a word on the Diceware list, and several of these words strung together form the passphrase.
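The following is an added example of the Diceware procedure just described, written for this page rather than taken from dicewarepasswords.com or the Diceware project. It parses the standard "rolls<TAB>word" list format, generates the rolls with a cryptographically strong random source, and puts the result in the same units the article quotes from NIST (bits of entropy and time to exhaust at 300 billion guesses per second). The seven-entry word list embedded here is a constructed stand-in; a real list has 6^5 = 7776 lines.

```python
import math
import secrets

DICE_PER_WORD = 5                  # Diceware: five rolls index one of 6**5 words
WORDS_IN_LIST = 6 ** DICE_PER_WORD  # 7776

# Constructed stand-in for a Diceware list; only the keys used below exist.
SAMPLE_LIST = """\
11111\ta
13524\tcliff
26314\tgamma
31161\tlasso
44226\tpuppet
56543\tswarm
62315\tvelvet
"""


def parse_wordlist(text: str) -> dict:
    """Parse 'rolls<TAB>word' lines into {rolls: word}, rejecting malformed keys."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rolls, word = line.split(None, 1)
        if len(rolls) != DICE_PER_WORD or any(c not in "123456" for c in rolls):
            raise ValueError(f"bad roll key: {rolls!r}")
        table[rolls] = word.strip()
    return table


def fair_die() -> int:
    """One unbiased roll from the OS CSPRNG (not random.randint)."""
    return secrets.randbelow(6) + 1


def roll_key(die=fair_die) -> str:
    return "".join(str(die()) for _ in range(DICE_PER_WORD))


def passphrase(table: dict, n_words: int, die=fair_die, sep: str = " ") -> str:
    """Roll five dice per word and look each result up; never re-roll to 'improve'
    a word, since that would reduce the entropy claimed below."""
    words = []
    for _ in range(n_words):
        key = roll_key(die)
        if key not in table:
            raise KeyError(f"roll {key} not in word list (incomplete list?)")
        words.append(table[key])
    return sep.join(words)


def entropy_bits(n_words: int, list_size: int = WORDS_IN_LIST) -> float:
    """Each word contributes log2(list_size) bits, about 12.9 for a 7776-word list."""
    return n_words * math.log2(list_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 300e9) -> float:
    """Worst-case time to try every phrase at the rate quoted in the article."""
    return 2 ** bits / guesses_per_second


def scripted_die(sequence):
    """Deterministic die for demonstrations and tests (never for real use)."""
    it = iter(sequence)
    return lambda: next(it)


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_LIST)
    demo_rolls = [int(c) for c in "135242631431161442265654362315"]
    print(passphrase(table, 6, die=scripted_die(demo_rolls)))
    for bits in (30, entropy_bits(6)):
        print(f"{bits:5.1f} bits -> {seconds_to_exhaust(bits):.3g} s to exhaust")
```

Six words from a 7776-word list give about 77.5 bits, versus the roughly 30 bits NIST attributes to a 16-character human-chosen password in the quote above; at 300 billion guesses per second the former takes on the order of 10^11 seconds (tens of thousands of years) to exhaust, the latter a few milliseconds. This is a client-side measure: it raises the cost of guessing, but does nothing about the stolen-database problem that the split-server design addresses, and the two are complementary rather than competing.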
IBM's Lehmann has not yet responded as to whether Modi's method is more effective than using several servers to protect a password, though the two address different problems: Diceware makes the passphrase itself harder to guess, while splitting the verification data across servers protects whatever password the user chose once it is stored.