Humans just don’t do randomness well; that’s why there are computer-me-bobs for creating truly random stuff, and more on that later.

There’s a really interesting piece of research from the University of Cambridge Computer Laboratory, admittedly now almost a decade old but still relevant, that explains this very well. Its evidence on multi-word passphrases was pretty damning: “By our metrics, even five-word phrases would be highly insecure against offline attacks,” the researchers found, because people naturally sway towards speech rather than randomness. “Phrases like young man which come up often in speech are proportionately more likely to be chosen than rare phrases like young table,” the research concluded.

Look, I perfectly understand plenty of security professionals disagree with me here. Their argument generally runs along the same lines as the NCSC’s: that adopting a three random words approach will create stronger passwords than those we often see being used and reused today. This is true, and I’m not suggesting that Password, or or even is a super-duper credential to be using. What I am suggesting is that, rather than getting people to use three supposedly random words, it would be far better to advise them to use some form of secure password manager instead. Skip the whole three words thing, don’t mention it at all, go straight for the “use a password manager dammit” jugular. That way you can create truly random, complex and extremely long passwords, or the application can, and have a unique one for every login.

Of course, the perennial problem of master password creation rears its very ugly head once more. Rather than go over old ground involving muscle memory, encrypted USB sticks (which need yet another password), a biometric device (JEMpass) or even dice with multiple patterns rolled randomly into a locked box (DiceKeys), let’s approach this from the three random words angle. Just three words, no matter how random, would make a spectacularly poor master password if you ask me. Instead, go for five or six, or more if your memory will allow. These would, of course, need to be random rather than your idea of random.

Which is where one password manager, in fact 1Password, comes in. Did you see what I did there? Anyway, it has a password generator that anyone can use, which has the option of generating a passphrase using random words. Just select the “memorable password” dropdown, set the number of words to something you are comfortable with, and you’re away. Other services, of course, are also available, such as Kaspersky’s own password generator.

As I say, don’t go for anything too short, as this is the key that unlocks all your other passwords. I’d also avoid unchecking the “full words” box, as this produces gibberish words that aren’t really easier than a long password to memorise. Practise typing the result over and over to get that muscle memory working, and if you are a 1Password user, be sure to save the “emergency kit” that can be printed out and stored somewhere secure.

The reality is that for 99% of use cases a threat actor isn’t going to ransack your house searching for a master password, nor your office for that matter. If you do fall into the 1% then the chances are high that you’ll already be using some kind of security protocol that makes the entire three random words argument moot anyway.

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He’s also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards. Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020.
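As an added illustration of the article’s entropy argument (example code written for this page, not 1Password’s or Kaspersky’s generator): words are drawn with Python’s `secrets` CSPRNG from a small constructed wordlist, and a constructed Zipf bias stands in for the Cambridge “speech over randomness” effect, so the three-versus-six-words gap and the human-choice penalty can be expressed in bits.

```python
import math
import secrets

# Constructed stand-in wordlist. A real diceware-style list (the EFF long
# list has 7,776 entries) is what you would use; list size drives entropy.
WORDLIST = ["apple", "river", "table", "young", "man", "cloud", "stone",
            "lamp", "green", "violin", "harbour", "pencil", "orbit",
            "quilt", "marble", "tunnel"]
EFF_LONG_LIST_SIZE = 7776  # assumed size of a real list for the sums below

def passphrase(wordlist, n_words, sep=" "):
    """Pick n_words uniformly with the OS CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

def uniform_bits(dict_size, n_words):
    """Entropy of n_words drawn uniformly, with replacement, from dict_size words."""
    return n_words * math.log2(dict_size)

def shannon_bits(probs):
    """Entropy of one choice from a non-uniform distribution (the human case)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def zipf_probs(dict_size):
    """Constructed speech-like bias: rank r picked with weight 1/r,
    so frequent words ('young man') beat rare ones ('young table')."""
    weights = [1.0 / r for r in range(1, dict_size + 1)]
    total = sum(weights)
    return [w / total for w in weights]

def biased_bits(dict_size, n_words):
    """Entropy if each word is chosen independently under the Zipf bias.
    This is a simplified per-word model of the phrase-level effect."""
    return n_words * shannon_bits(zipf_probs(dict_size))

def expected_guesses(bits):
    """Average guesses an offline attacker needs: half the keyspace."""
    return 2 ** (bits - 1)

if __name__ == "__main__":
    for n in (3, 5, 6):
        u, b = uniform_bits(EFF_LONG_LIST_SIZE, n), biased_bits(EFF_LONG_LIST_SIZE, n)
        print(f"{n} words: uniform {u:5.1f} bits (~{expected_guesses(u):.1e} guesses), "
              f"speech-biased {b:5.1f} bits (~{expected_guesses(b):.1e} guesses)")
    print("sample (small demo list, not secure):", passphrase(WORDLIST, 6))
```

Three uniformly random words from a 7,776-word list give about 39 bits; six give about 78, and the biased model knocks roughly a quarter off either figure.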