Help Net Security talks with an IT expert about what makes a strong password. They conclude that it should be no shorter than 86 symbols. So the way I see it, we have two choices.



1. Create your 86 character password now. Here's an example:



3sqk3hvo9xa

wk3n4ffsiUfxk

wpx92skgnns

w1qQ2hdMjLg

^9T%dsqwdK2

6aZdgvo95d02

kfoeNsPsWau

Us4J3S




2. Eighty-Six (Eliminate) Passwords Completely



That's the one that gets my vote. Think keyloggers care if they have to cut and paste 4 digits or 86? We need to "get smart"...we need to swipe, encrypt, transmit.



From HNS: What makes a strong password?



In 1948 an American mathematician and engineer Claude Shannon entered information entropy term (measurement of uncertainty) in his work "A Mathematical Theory of Communication". If we take, for example, English text, it takes 8 bit (one byte) to represent one symbol. Eight bit allow encoding 256 different symbols. However, there are only 26 characters in English alphabet and they can be easily represented by five bit (32 possible combinations). Consequently, uncertainty of one symbol of an English text makes not 8, but less than 5 bit.



In addition, some symbols and combinations are considerably more frequently used than others. A letter “E” is encountered hundred times more frequently than “Z”, and “U” always follows “Q”. Such peculiarities allow reducing uncertainty even more. According to mathematicians’ evaluation it makes around 1.5 bit per symbol for texts in English.

This means that if information is protected by encryption with 128-bit encryption key, and a password will be an English phrase (without space characters, punctuation marks, and in one register), a really strong password (an oxymoron) should be no shorter than 128/1.5 = 86 symbols.



Speaking about the Internet in general - we won’t escape from passwords in the nearest future. They are habitual and their usage doesn’t require special equipment.



Editors Note: That may be true when it comes to accessing email, but when it comes to securing financial transactions, we can't afford to be messing around with passwords...anymore.

Especially when our device costs less than most "useless" bank promos.





BTW: Did you know that the "P" in Passwords is silent?

Keep It Smart, Swipe!





"However, in business segment passwords will continue to get substituted by two-factor authentication (e.g. smart card/USB Token + password/PIN code).



Though such means of authentication require financial expenditures, they should be paid
. (they can afford it...vs. the alternative)





They will guarantee a significantly higher security level

than the one provided by using only passwords."
Reblog this post [with Zemanta]

Posted by John B. Frank Monday, November 30, 2009

0 comments

Payments Industry News Blog

Search the PIN Debit Blog by Subject

Kapersky Calls for Mass Adoption of Card Readers

Kapersky Calls for Mass Adoption of Card Readers