Think you need overcomplicated passwords? Math says it isn't so

Researchers agree with XKCD that having 20 gibberish passwords might be ineffective and self-defeating

A paper coming from Microsoft and the University of Ottawa, Canada, is making the case that weaker passwords may actually enhance security. Cybersecurity is likely foremost in all our minds, with the recent MySQL kerfuffle and the attacks on messaging app Line.

The zeitgeist is that every password for every account you own should be long (on the order of 10 or more characters), random, made up of a mixture of upper and lower case letters, numbers and symbols, and that you should never reuse a password. XKCD has dispelled some of that false wisdom, but the paper presents not only the fallacy of this argument but also its impracticality.


One very complicated password is enough, thanks


On that premise, the paper argues that using even so-called “weak” passwords across 100 websites is the equivalent of recalling 1,362 randomly chosen digits or 170 random 8-digit pins.

Of course, it is beyond the capabilities of most of us. To help us remember, we could use an online cloud service. Oops, that's vulnerable to hacking just as before and it would compromise your entire canon of online personality at once. Ok, we could use an offline password manager (coughcough pen and paper coughcough). Oops, how tedious to manually sort a 100-long list of random passwords.

One more way users might try to alleviate the situation is to dilute their password “quality” even further. Unfortunately, the math is still insurmountable even at the simplest password strength: the user must recall lg N! random bits (the base-2 logarithm of N factorial, for N accounts) just for the password assignment, i.e. to remember which password goes with which site. In layman's terms, it increases somewhat exponentially.

Therefore, the researchers propose discriminating between accounts by their value. For websites that are low value and likely to be compromised, an extremely on-the-nose “password” could suffice to be able to comment on the New York Times online. You could even repeat it for other news sites. Then, for banking or your university log-in, use all your brainpower on creating a secure, unique but memorable password. Group the low value sites together and the high value sites together, and then act accordingly.
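To put numbers on the argument above, here is an added Python sketch (my own, not code from the article or from the paper it reports on). It assumes each “weak” password carries about 40 bits of entropy, a figure I chose because it reproduces the article's 1,362-digit and 170-PIN numbers for 100 sites, and it uses a simplified model of my own for grouping: one password per group, plus lg(N!/∏ nᵢ!) bits to remember which group each account belongs to (which collapses to the article's lg N! when every account gets its own password).

```python
import math


def log2_factorial(n: int) -> float:
    """lg N! via lgamma, so it does not overflow for large N."""
    return math.lgamma(n + 1) / math.log(2)


def assignment_bits(group_sizes) -> float:
    """Bits needed to remember which account uses which password.

    Simplified model (my assumption): N accounts split into groups that
    share a password cost lg(N! / prod(n_i!)) bits.  With every group of
    size 1 this is exactly the article's lg N!.
    """
    n = sum(group_sizes)
    return log2_factorial(n) - sum(log2_factorial(g) for g in group_sizes)


def memory_burden_bits(group_sizes, bits_per_group) -> float:
    """Total random bits to memorise: the passwords plus the assignment."""
    return sum(bits_per_group) + assignment_bits(group_sizes)


def as_digits(bits: float) -> float:
    """Express a bit count as an equivalent number of random decimal digits."""
    return bits / math.log2(10)


def as_pins(bits: float, pin_len: int = 8) -> float:
    """Express a bit count as an equivalent number of random 8-digit PINs."""
    return as_digits(bits) / pin_len


WEAK_BITS = 40    # assumption: entropy of one "weak" password
STRONG_BITS = 60  # assumption: entropy of one carefully chosen password


def compare(n_sites: int = 100, n_high_value: int = 5):
    """Unique weak password everywhere vs. one throwaway + a few strong ones."""
    unique = memory_burden_bits([1] * n_sites, [WEAK_BITS] * n_sites)
    sizes = [n_sites - n_high_value] + [1] * n_high_value
    bits = [WEAK_BITS] + [STRONG_BITS] * n_high_value
    grouped = memory_burden_bits(sizes, bits)
    return as_digits(unique), as_digits(grouped)


if __name__ == "__main__":
    unique_digits, grouped_digits = compare()
    print(f"100 unique weak passwords : {unique_digits:.0f} random digits")
    print(f"1 shared + 5 strong unique: {grouped_digits:.0f} random digits")
```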

Funnily, the paper doesn't advise users to adopt these principles just yet, so that its empirical, real-world-derived data is not skewed. Too bad, though.

[Source: ArsTechnica, Pictures by XKCD]