Our relationships with systems that instruct us to choose ‘strong’ passwords might best be described as high maintenance (a term coined in 1989 by Ephron). “Your password must contain an uppercase character, but not on either side of the password. You’ll need a digit, but appending a ‘1’ to the end of your password doesn’t count. Your password must include a symbol somewhere between the second and sixth position. The meter on the right should turn from red to green, but don’t ask for an explanation of what must be done to turn it green. Once the meter turns green, you’ll have 70 days until the password you’ve just created expires. When it does, make sure not to choose a password that resembles or is based on your current password.”
These rituals might be worthwhile if we knew they were not just witchcraft, but rather were scientifically proven to reduce the risk of password-guessing attacks; in fact, recent research suggests that they are mostly ineffective.
In this talk, Schechter will review the threat posed by password-guessing and debunk a number of misconceptions about this threat. He will then introduce three different witchcraft-free rituals for protecting users from the scourge of guessable passwords. The talk will touch on topics in algorithms, information theory, and human behavior.