Bill Cheswick: Silly passwords, soft perimeters and Vista
Strong passwords do not necessarily provide better security, so why do we persist in creating ones that are hard to guess — and hard to remember — when a computer can crack them in seconds, asks Bill Cheswick, distributed computing and communications researcher for AT&T Labs.
"It is simply poor engineering to expect people to create and remember passwords that computers cannot guess in a reasonable amount of time," Cheswick told ZDNet.com.au.
"My biggest complaint is that we're insisting on very strong passwords, but we're not getting strong security for those passwords."
A job description for Cheswick has included "being famous", which he achieved at AusCERT 2008, for pointing out a few truths and making delegates laugh. He's interested in security that's too hard to ensure, passwords that are too hard to remember, graphs that are too hard to visualise, and VCRs that are too hard to program. He's even had a crack at mapping the Internet, which he did at Bell Labs in 1998.
Cheswick took a moment to chat with ZDNet.com.au to talk about:
- Growing doubts about Vista's security
  "It's unprecedented, no one's ever tried to clean up this much software. And I thought it looked promising but I'm starting to hear problems that are discouraging, so I'm not sure," said Cheswick.
- "One of the rules is you're never supposed to use the same password on lots of different systems. Yeah right, nobody does that."
- You don't need strong passwords for internet banking
  Why do you need a strong password when computers are able to guess thousands of combinations in microseconds?
- Skinny dipping on the Internet and the chewy enterprise
  Large organisations "are crunchy on the outside and chewy inside. Don't count so much on the firewall. I would rather the individual machines were solid enough that you didn't have to worry about it."
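A worked illustration of the password point above, added here and not part of the interview: the same password is measured against offline cracking of a leaked hash database, unthrottled online guessing, and online guessing behind an account lockout. The guess rates and the lockout policy are assumed values chosen for the illustration.

```python
import math

# Guess rates are constructed assumptions for illustration, not figures from the interview.
OFFLINE_RATE = 1e9   # guesses/s against a stolen hash database (assumed; depends on hash and hardware)
ONLINE_RATE = 10.0   # guesses/s against a live login page with no throttling (assumed)


def keyspace(charset_size: int, length: int) -> int:
    """Number of possible passwords of a given length over a given character set."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password."""
    return math.log2(keyspace(charset_size, length))


def expected_seconds(space: int, rate: float) -> float:
    """Expected time to find the password: on average half the keyspace is tried."""
    return space / 2 / rate


def guesses_under_lockout(max_attempts: int, lockout_seconds: float, horizon_seconds: float) -> int:
    """Online guesses available when the account locks for lockout_seconds after
    max_attempts failures, over a total attack horizon of horizon_seconds."""
    windows = max(1, math.ceil(horizon_seconds / lockout_seconds))
    return windows * max_attempts


def survival_probability(space: int, guesses: int) -> float:
    """Probability that a uniformly random password is not found within `guesses` tries."""
    return max(0.0, 1.0 - guesses / space)


def report(charset_size: int, length: int) -> dict:
    """Compare one password class under offline cracking, unthrottled online guessing,
    and online guessing with an assumed 5-attempts-per-15-minutes lockout over one year."""
    space = keyspace(charset_size, length)
    year = 365 * 86400
    throttled = guesses_under_lockout(5, 15 * 60, year)
    return {
        "bits": round(entropy_bits(charset_size, length), 1),
        "offline_days": expected_seconds(space, OFFLINE_RATE) / 86400,
        "online_days": expected_seconds(space, ONLINE_RATE) / 86400,
        "lockout_survival_1y": survival_probability(space, throttled),
    }


if __name__ == "__main__":
    for name, cs, n in [("6-digit PIN", 10, 6), ("8 lowercase", 26, 8), ("8 mixed+digits", 62, 8)]:
        print(name, report(cs, n))
```

The output shows the asymmetry Cheswick describes: an 8-character mixed password is exhausted offline in about a day at the assumed rate, while even a short password survives a year of guessing against a login that enforces a lockout.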