This is what their password section looks like – and the response I got when entering Password1!
This password follows all of their listed rules:
Your new password…
- must be at least 9 characters
- must contain a mix of upper and lower case characters
- must contain at least one number (0-9)
- must not be based on your username
- must not contain spaces or tabs
Yet their own password meter rates it as “Poor”. Even so, the form still lets the user proceed to the next page with it!
Following the example of the XKCD Password Strength comic, I decided to test the password “correcthorsebatterystaple”. As XKCD’s Randall states – this password is both easy to remember and hard to crack. But what does some silly web comic know? Let’s see what iiNet’s own password strength meter has to say.
Lo and behold, this is a stronger password. Why? Password-cracking attacks often work from a dictionary of words and the common variations people make of them. Even if the words are picked from a pool of only 4000 common ones, a four-word passphrase gives 256 trillion (4000^4) combinations to try. By contrast, people insert only a small set of numbers and symbols into a password, and they tend to substitute those symbols for the same letters in the same parts of a word, because they are trying to make the password easy to remember. That predictability shrinks the space an attacker actually has to search.
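To make the two points above concrete, here is an added example (not code from the original post and not iiNet’s meter) that implements the five listed composition rules literally and then estimates the guess space of a password under a simple, assumed attacker model: a dictionary word with optional capitalisation plus appended digits and symbols, a passphrase of dictionary words, or, failing both, a plain character-set brute force. The word pool size of 4000, the symbol count of 32, the tiny word list, the username `jsmith` and the guess rate are all constructed assumptions.

```python
import math
import re

# Constructed word list standing in for a real common-word dictionary.
SAMPLE_DICT = {"correct", "horse", "battery", "staple",
               "password", "pass", "word", "the", "cat"}

COMMON_WORDS = 4000   # pool size used in the post (assumption: attacker's list)
CAP_VARIANTS = 2      # lower-case and first-letter-capitalised tried as variants
DIGITS = 10
SYMBOLS = 32          # printable ASCII punctuation


def meets_listed_rules(password: str, username: str) -> bool:
    """The five composition rules quoted in the post, implemented literally.
    'Not based on your username' is approximated as a substring check."""
    if len(password) < 9:
        return False
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        return False
    if not re.search(r"[0-9]", password):
        return False
    if username and username.lower() in password.lower():
        return False
    if re.search(r"[ \t]", password):
        return False
    return True


def segment_words(s: str, dictionary=SAMPLE_DICT):
    """Split a lower-case string into the fewest dictionary words, or None."""
    best = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in dictionary:
                cand = best[j] + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(s)]


def charset_size(pw: str) -> int:
    """Size of the character classes present, for the brute-force fallback."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += SYMBOLS
    return size


def guess_space(pw: str, dictionary=SAMPLE_DICT):
    """Return (pattern name, number of guesses an attacker following that
    pattern would need in the worst case)."""
    m = re.fullmatch(r"([A-Za-z]+)([0-9]*)([^A-Za-z0-9\s]*)", pw)
    if m:
        core, digits, syms = m.groups()
        words = segment_words(core.lower(), dictionary)
        if words:
            caps = CAP_VARIANTS if any(c.isupper() for c in core) else 1
            space = (COMMON_WORDS ** len(words)) * caps \
                * (DIGITS ** len(digits)) * (SYMBOLS ** len(syms))
            name = "passphrase" if len(words) > 1 else "word+suffix"
            return name, space
    return "brute-force", charset_size(pw) ** len(pw)


def bits(space: int) -> float:
    return math.log2(space)


def expected_crack_seconds(space: int, guesses_per_second: float = 1e9) -> float:
    """Average time to hit the password; the rate is an assumed offline
    fast-hash figure, not a measurement."""
    return (space / 2) / guesses_per_second


if __name__ == "__main__":
    for pw in ("Password1!", "correcthorsebatterystaple"):
        name, space = guess_space(pw)
        print(f"{pw:28} rules_ok={meets_listed_rules(pw, 'jsmith')!s:5} "
              f"{name:12} {bits(space):5.1f} bits "
              f"~{expected_crack_seconds(space):.3g} s at 1e9 guesses/s")
```

Run as-is it prints that `Password1!` satisfies every listed rule yet sits at about 21 bits, while `correcthorsebatterystaple` fails two of the rules and still lands near 48 bits. A meter that only counts character classes cannot tell these apart; one that models how people actually build passwords can.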
This is not necessarily a dig at iiNet (I still ended up subscribing) but a general comment on our attitude towards passwords. While we wait for someone to invent a superior alternative (and people are trying) we need to re-think our password security efforts. The 3 criteria of a good password:
- Hard to guess/crack
- Easy to remember
- Easy to type on the device the user is likely to need it on
Perhaps we should make sure that people simply have strong passwords, regardless of how they arrived at that strength.