Cybersecurity mystery

Numbers Rule Your World 2021-12-10


I hope some of my readers are cybersecurity experts, and can answer a fundamental question that has troubled me for a while.

This question concerns the ever more complex requirements for creating passwords. Capital letters, numbers, special symbols, lengths, etc. You all know what I'm talking about.

I believe the typical justification for these rules is that simple passwords are easy to hack. I've seen academic papers that compute how many guesses it would have taken to find the right one, under different classes of passwords.

There is definitely widely circulated "advice" that one should never use a real word in the dictionary as one's password.

I'm troubled by this because I don't think real-world authentication servers allow anyone to keep trying wrong passwords till you get to the right one. I'd think any server would lock the account after, say, 10 unsuccessful attempts. If that is true, then it doesn't matter that I'm using a real word so long as the chance of guessing it within 10 tries is very small.
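The "chance of guessing it within 10 tries" is a number one can put beside the guess counts the academic papers compute. The following is an added example (mine, not from the post or the papers it mentions) that does that arithmetic for a dictionary word and for a few password classes, under two conditions: a live login that locks after a fixed number of failures, and unlimited guessing with no server in the loop. The 170,000-word dictionary, the 10-failure lockout and the offline guess rate are constructed assumptions, not measured figures.

```python
"""Guess-count arithmetic for the two scenarios described in the post.

Added example, not part of the original post. Dictionary size, lockout
threshold and the unlimited-guessing rate are constructed assumptions.
"""

# Alphabet sizes for the character classes that password rules usually name.
LOWERCASE = 26
UPPERCASE = 26
DIGITS = 10
SYMBOLS = 32          # printable ASCII punctuation


def search_space(length: int, *classes: int) -> int:
    """Number of strings of the given length drawn from the union of the classes."""
    return sum(classes) ** length


def expected_guesses(space_size: int) -> float:
    """Mean number of guesses to hit a secret chosen uniformly from space_size candidates."""
    return (space_size + 1) / 2


def chance_within(space_size: int, attempts: int) -> float:
    """Probability that `attempts` distinct guesses include a uniformly chosen secret.

    This is the quantity the post asks about for a server that locks the
    account after a fixed number of failures.
    """
    return min(1.0, attempts / space_size)


def seconds_to_exhaust(space_size: int, guesses_per_second: float) -> float:
    """Time to try every candidate when nothing limits the guessing rate,
    i.e. the stolen-list case rather than the live login."""
    return space_size / guesses_per_second


def compare(dictionary_words: int, lockout_threshold: int, offline_rate: float) -> dict:
    """Side-by-side numbers for a dictionary word versus rule-shaped passwords."""
    candidates = {
        "dictionary word": dictionary_words,
        "8 lowercase letters": search_space(8, LOWERCASE),
        "8 mixed letters + digits": search_space(8, LOWERCASE, UPPERCASE, DIGITS),
        "12 chars, all four classes": search_space(12, LOWERCASE, UPPERCASE, DIGITS, SYMBOLS),
    }
    return {
        name: {
            "candidates": n,
            "chance_before_lockout": chance_within(n, lockout_threshold),
            "seconds_to_exhaust_offline": seconds_to_exhaust(n, offline_rate),
        }
        for name, n in candidates.items()
    }


if __name__ == "__main__":
    # Constructed assumptions: a 170,000-word dictionary, a 10-failure lockout,
    # and one million unrestricted guesses per second.
    for name, row in compare(170_000, 10, 1e6).items():
        print(f"{name:28s} candidates={row['candidates']:.3e} "
              f"P(hit within 10 online tries)={row['chance_before_lockout']:.2e} "
              f"exhaust offline={row['seconds_to_exhaust_offline'] / 86400:.2e} days")
```

The two columns move in opposite directions as the rules get stricter: the probability of a hit before lockout is tiny for every class at any plausible dictionary size, while the time to exhaust the space without a lockout is what the complexity rules actually change.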

***

My framing of the problem is a little different. There is a downside to complicated password rules. It creates a need to write the password down somewhere, or store it somewhere since one can't store so many different passwords in one's head. (Even more so when the system admin requires one to change the password every so often.) So we are trading one risk against a different risk.

***

It also may be the case that random guessing is not the most popular way to hack into user accounts. It seems like it is easier to steal large lists of passwords from the server where they are stored (if the website owner fails to encrypt them). Also, tricking people into giving up their passwords (various types of phishing) requires no guessing.

If these are the primary ways to hack into one's account, then it doesn't matter what the passwords look like.
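The post speaks of a site that "encrypts" stored passwords; the standard protection is a salted, slow one-way hash rather than reversible encryption, so a stolen copy of the list holds no plaintext and each candidate check against it costs a deliberate amount of work. This added example (mine, not code from any site the post discusses) shows such a record and its verification; the iteration count is an assumed work factor, not a recommended value.

```python
"""How a server can store passwords so a stolen copy does not contain them.

Added example, not the code of any real site. The work factor is an assumption.
"""
import hashlib
import hmac
import os
import time
from typing import NamedTuple

ITERATIONS = 200_000    # assumed work factor; raise it as hardware gets faster


class StoredCredential(NamedTuple):
    salt: bytes          # per-user random value, stored alongside the hash
    iterations: int      # work factor used when the record was created
    digest: bytes        # PBKDF2-HMAC-SHA256 of the password


def store(password: str, iterations: int = ITERATIONS) -> StoredCredential:
    """Derive a salted, slow hash; the plaintext is never written anywhere."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return StoredCredential(salt, iterations, digest)


def verify(record: StoredCredential, attempt: str) -> bool:
    """Recompute the hash for the attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record.salt, record.iterations
    )
    return hmac.compare_digest(candidate, record.digest)


def contains_plaintext(record: StoredCredential, password: str) -> bool:
    """True if any stored field holds the password bytes (it should never)."""
    pw = password.encode()
    return pw in record.salt or pw in record.digest


def cost_per_check(iterations: int = ITERATIONS, trials: int = 3) -> float:
    """Seconds one verification takes at this work factor.

    The same cost applies to every candidate anyone tests against a copy of
    the record, so it bounds the guessing rate the post's stolen-list case allows.
    """
    record = store("timing-sample", iterations)
    start = time.perf_counter()
    for _ in range(trials):
        verify(record, "timing-sample")
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    rec = store("correct horse battery staple")
    print("stored record:", rec.salt.hex(), rec.iterations, rec.digest.hex())
    print("verify right password:", verify(rec, "correct horse battery staple"))
    print("verify wrong password:", verify(rec, "correct horse battery stapler"))
    print(f"seconds per check at {ITERATIONS} iterations: {cost_per_check():.4f}")
```

The per-user salt means two users with the same password get different records, and the iteration count is the knob a site owner turns to make each check slower; neither changes what the user has to remember.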

***

So, readers, what am I missing? What is the rationale for making us rack our brains for really complicated passwords that are impossible to remember?


P.S.

(1) A former student raised another good question. Have these rules stopped hackers more or stopped legitimate users from accessing their own accounts?

(2) In your replies, please stick to the question. Resist the tendency to run around the question by saying don't use passwords, etc.


[Image is from a web search, hosted at a site called bestsecuritysearch]