My Jalis - Digital magazine about trends
On Web, forget [($m0ts2Pa$3)]: prefer the "passwords easy to retain"

Create a one-line passphrase

08/21/2017

You have probably already found yourself in this kind of situation one day.

You are at your computer. You have snapped up a bargain on an online shopping site, or you are excited about joining your close friends on a new social network. Either way, you have to fill in a registration form. The task goes smoothly until the fateful moment arrives: choosing your password.

Squaring the circle of the Net

A headache, because you have heard grim stories about IT security in the media: a site was hacked, a user had their data stolen, others saw their accounts "cracked" ...

It is no laughing matter.

And it is even less funny when you remember, with dismay, how careless you used to be. You remember with nostalgia your first e-mail account, created with the password "azerty". Easy to remember, quick to type. Then came your first registration on an e-commerce site with the password "12345" (or rather &é", because you had not noticed the Caps Lock key). And so on: your surname and first name, your date of birth, your town ... And then, faced with the growing pile of passwords to remember, you started reusing them.

Except that times have changed: the hacks of Sony, the TV channel TV5 Monde and even the Democratic Party in the United States (among others) have been through it. Not to mention acts of cyber-war, IT sabotage and cybercrime, with all those hashtags ending in "leaks". All this has created an anxious climate that makes us think twice before typing on the keyboard. And then, because you heard that software exists that records every keystroke (a keylogger): hello anxiety!

Because the world had shown you what war looks like, you rolled up your sleeves. Launching into a brainstorm, you tried various combinations of words, digits and characters, like a general staff drawing up battle plans. Getting serious, you followed tutorials on the subject. After a "massive open online course" (MOOC), you started using a password generator. You adopted "IT security hygiene", as some experts call it.

Finally, you found it. The Holy Grail. The famous "uncrackable" password, for which you sweated blood. Admittedly, it is a bit long to remember, but that is the price of security.

Bad news: all these efforts were in vain

Passwords that no longer pass muster

The confession is a big one, because it comes from Bill Burr, a former manager at the National Institute of Standards and Technology (NIST). Maybe you do not know his name. Nevertheless, this gentleman is responsible for all the famous password recommendations that you followed scrupulously. They were compiled in a 2003 document that served as a bible for government agencies, companies and universities.

Today, in retirement, Burr has made resounding revelations in the columns of the Wall Street Journal. He declared that his guidelines are now obsolete. In fact, they were never effective.

So devising complicated passwords is pointless. On the contrary, they are even easier to crack. Thus Tr0ub4dor&3 could be cracked in three days, while "correct horse battery staple" would take 550 ... years! What is the point of people around the world spending 1,300 years a day typing passwords (according to a Microsoft Corp researcher) if their security is not even assured?

Worse, the rules promulgated by Bill Burr have no foundation: neither data nor studies. Hardly surprising: they date from 2003, when the relevant information to grasp the phenomenon was not available. Pressed by the Institute, Burr therefore based them on a white paper from the 1980s (sic), written at a time when the Web did not exist!

So what should we do? In its latest report, NIST recommends using long, easy-to-memorise sentences without special characters. There is also no need to change your password every 90 days. For its part, France's National Agency for the Security of Information Systems (ANSSI) proposes two methods:

one consists of "translating" words into letters, digits or other characters;

the other keeps the initial letter of each word in a sentence.
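As an added example that is not part of this article, here is the entropy arithmetic behind the "three days versus 550 years" comparison, together with a passphrase generator and ANSSI's initials method. It assumes an online guess rate of 1,000 guesses per second, an assumed attacker model for the mangled-word password, and a constructed word list that is far too small for real use (only the list size enters the arithmetic).

```python
import math
import secrets

# Constructed sample words; in practice use a real list (e.g. a 7776-word
# Diceware list), since the entropy depends only on the list size.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "calanque", "pastis", "mistral", "panier"]

def passphrase_bits(words, list_size):
    """Entropy of `words` words drawn uniformly at random from `list_size` words."""
    return words * math.log2(list_size)

def random_password_bits(length, alphabet_size):
    """Entropy of `length` symbols drawn uniformly from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)

def mangled_word_bits():
    """Assumed attacker model for a 'Tr0ub4dor&3'-style password: a dictionary
    word plus predictable tweaks. Per-component costs are assumptions, not measurements."""
    return sum([16.0,  # uncommon base word from a ~65k-word dictionary
                1.0,   # capitalise the first letter or not
                3.0,   # a few common substitutions (0 for o, 4 for a, ...)
                3.0,   # one appended digit
                4.0,   # one appended punctuation symbol
                1.0])  # digit/symbol order

def crack_seconds(bits, guesses_per_second):
    """Time to exhaust a search space of 2**bits at the given guess rate (worst case)."""
    return 2 ** bits / guesses_per_second

def seconds_to_years(seconds):
    return seconds / (365.25 * 24 * 3600)

def generate_passphrase(n_words=4, wordlist=SAMPLE_WORDS):
    """Pick words with the OS CSPRNG; a human choosing 'random' words is predictable."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

def initials_password(sentence):
    """ANSSI's second method: keep the first character of each word of a memorised sentence."""
    return "".join(word[0] for word in sentence.split())

if __name__ == "__main__":
    rate = 1000  # assumed online guess rate, guesses per second
    for label, bits in [("Tr0ub4dor&3 (mangled word)", mangled_word_bits()),
                        ("4 words from 2048-word list", passphrase_bits(4, 2048)),
                        ("8 random printable ASCII", random_password_bits(8, 94))]:
        yrs = seconds_to_years(crack_seconds(bits, rate))
        print(f"{label:30s} {bits:5.1f} bits  ~{yrs:10.2f} years at {rate}/s")
    print("generated:", generate_passphrase())
    print("initials:", initials_password("correct horse battery staple"))
```

Under these assumptions the mangled word comes out at 28 bits (about three days) and the four-word passphrase at 44 bits (over 550 years), which is the gap the article quotes; a truly random 8-character password scores higher still, but only if it is actually random rather than chosen by a person.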

So, new recommendations to follow.

While we wait for the next ones.

Article written by Thierry Randretsa
