Let me start with a question - why do banks believe that 4 digit PIN on your credit card is secure when a random guess have a chance of 1 in 10,000 to be correct. Does 3496 sound that much more secure than “password123” ?
Note: I did an experiment on my WP blog back in 2013 with some cool data - Password Attacks - A Small Server Experiment - Magic of Security - at the bottom you can see the most often tested passwords.
Back to PINs v passwords - the reason why PINs are cool is that the bank controls and counts every try of PIN entry. Because your card is in your pocket and you can only test the PIN when you plug it somewhere, bank can block the PIN if you try a wrong one 3 times in a row. Why this doesn’t work with web passwords?
- your account is online so anyone can try to guess your password whenever they want (if they know your username) - blocking the password after 3 tries would only result in all of us being locked-out of our accounts in days (hmm - it would be interesting to find out how long it could take :) )
- companies running websites are pretty bad in implementing any decent control of password use. Hence password protection like PBKDF2, which disproportionately hits users with slow computers. Instead of doing a proper job on the web server side, prevent suspicious behaviour, locking out botnets, implement counters (per user and global) to detect potential problems and attacks.
If you make your password really hard to remember, it’s probably more secure because of how web services treat it. When there’s a big password incident it’s always due to insecurity of servers, not users.
My advice would be:
- if you create an account on a website that you don’t really trust, or where you leave personal data you don’t see that sensitive, use a password that is different from websites that you really care about, e.g., your online banking.
- the most important and most secure password should be used to login to your email - that is THE MOST important password of all as almost any other account can be unlocked using your email.