2014-01-05

CUHK's Poor Guide for Password Generation

I usually suggest that users who refuse to use long passwords (>10 characters) for their online accounts look at the news on GPU password cracking. [1] Setting a sufficiently long password is only the first step. The variety of characters the password is drawn from is just as important for increasing the time a brute-force attack on it takes. This idea is supported by CUHK's Guidelines for Setting a Strong Password, which is the subject of this post.
The problem is NOT large if the user has some common sense about how the Internet works. However, as a guide for ordinary end users of online services, the last section, "Useful tools", is a little misleading. If you know any engineering students, they will tell you that making things work is their main goal, and they can come up with fancy ways to hide errors from users. To the naked eye, the so-called "random password generator" appears to generate random passwords. However, you don't actually know the algorithm used. [2] Is the output random enough? Is there any way of predicting what these online password generators produce? The Community Ubuntu Documentation gives three reasons for NOT using the "secure password generators" listed in the last section of CUHK's guide.
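As an added illustration of the two points above (the brute-force search space grows with both length and alphabet size, and a generator's output is never stronger than the seed behind it), here is a small Python script that is not code from CUHK's guide or from the Ubuntu page. The guess rate is a constructed placeholder, and the seed argument assumes a generator driven by a single fixed-width seed value.

```python
import math
import secrets
import string

# Character classes a password policy usually distinguishes (sizes 10, 26, 52, 62, 94).
ALPHABETS = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "lower+upper": string.ascii_letters,
    "lower+upper+digits": string.ascii_letters + string.digits,
    "all printable": string.ascii_letters + string.digits + string.punctuation,
}

def search_space(length: int, alphabet_size: int) -> int:
    """Candidates a brute-force attack must try in the worst case: |A|^n."""
    return alphabet_size ** length

def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the search space, the usual 'bits of strength' figure."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at a given guess rate."""
    return search_space(length, alphabet_size) / guesses_per_second

def effective_entropy_bits(length: int, alphabet_size: int, seed_bits: int) -> float:
    """A generator driven by a seed of seed_bits bits can produce at most
    2**seed_bits distinct passwords, so the strength is min(seed_bits, bits of
    |A|^n), however long the output looks.  An online generator whose algorithm
    and seeding you cannot inspect may sit anywhere on this scale (assumption:
    one fixed-width seed per password)."""
    return min(float(seed_bits), entropy_bits(length, alphabet_size))

def generate_password(length: int, alphabet: str = ALPHABETS["all printable"]) -> str:
    """Generate locally from the OS CSPRNG: no third party sees the result
    and there is no small seed to guess."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    RATE = 1e10  # constructed placeholder guess rate, not a measured GPU figure
    for n in (8, 10, 12, 16):
        for name, a in ALPHABETS.items():
            days = seconds_to_exhaust(n, len(a), RATE) / 86400
            print(f"{n:2d} chars, {name:<19}: {entropy_bits(n, len(a)):5.1f} bits, {days:.3g} days")
    print("16 printable chars from a 32-bit-seeded generator:",
          effective_entropy_bits(16, 94, 32), "bits")
    print("local CSPRNG password:", generate_password(16))
```

The table makes the post's point concrete: at the same guess rate, adding characters or character classes multiplies the worst-case time, while a weakly seeded generator caps the strength regardless of how long the password is.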
By saying that those tools "may assist you to set a strong password", the guide is far from wrong, but also far from good. For a proper introduction to a decent password policy for ordinary users, see Ubuntu's guide, reference [2] below.
P.S. CUHK's guide was written a long time ago. As mentioned above, GPUs crack passwords much faster than before, so the figures need either to be updated or simply replaced with a link to a web page covering recent brute-force password-cracking technology.

References:
[1]: http://www.linuxjournal.com/content/hack-and-password-cracking-gpus-part-i-setup
[2]: https://help.ubuntu.com/community/StrongPasswords
