In response to my recent post on How Passwords Are Stolen, Smitty remarked that the bar for brute forcing your credentials is lowering. I agreed and remarked that passwords are well past their sell-by date.
Unfortunately, although some reasonable alternatives exist, the industry has been slow to adopt them. That raises the question of what we should do in the meantime. The short answer is: don’t be stupid. The longer answer is to use safe password practices. This requires action on the part of both users and site operators.
The sad thing is that none of this is hard or mysterious. The answers have been known for a long time and yet we still see users specifying passwords of dubious quality and reusing them, while sites continue limiting the size of passwords, specifying complexity requirements, and failing to treat password safety appropriately.
Jon over at zudell.io has a very nice post on the problems with passwords and what the answers to those problems are. Take a look at the post to see the full answer but if I had to boil it down it would be:
- Users: Pick long, random passwords. This is best done with a password manager.
- Sites: Lose all your password requirements and practice industry standard password hashing.
Some users will always be stupid, of course, but there’s no excuse for the sites. There are libraries in virtually every language to deal with the safe hashing of passwords, so there’s no reason for not getting that right.
Whether you’re a user, a site operator, or both, you should take a look at Jon’s post and take his suggestions to heart.