I seem to be spending an inordinate amount of time these days resetting my password. I used to have a handful of passwords which I rotated between types of sites--one for email, one for financial, etc. But the number of sites that I use has grown, and so has the complexity that many of them demand. This eventually triggered a sort of a vicious cycle--as I got more passwords, it became harder to remember which one I'd used where, and the number of passwords I'd employed greatly exceeded the three-attempt limit after which many systems lock you out. That meant I needed to get my passwords reset, often by sites that do not allow you to recycle, so now I had even more passwords . . .
After investigating password requirements in a variety of settings, Mr. Herley is critical not of users but of system administrators who aren't paying enough attention to the inconvenience of making people comply with arcane rules. "It is not users who need to be better educated on the risks of various attacks, but the security community," he said at a meeting of security professionals, the New Security Paradigms Workshop, at Queen's College in Oxford, England. "Security advice simply offers a bad cost-benefit tradeoff to users."
A short password wouldn't work well if an attacker could try every possible combination in quick succession. But as Mr. Herley and Mr. Florêncio note, commercial sites can block "brute-force attacks" by locking an account after a given number of failed log-in attempts. "If an account is locked for 24 hours after three unsuccessful attempts," they write, "a six-digit PIN can withstand 100 years of sustained attack."
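The arithmetic behind that quote, as an added example rather than anything from the article or from Herley and Florêncio's paper: it assumes an attacker who gets exactly the permitted failures per lock period against one account, and it generalises the calculation to any PIN length, attempt limit and lockout duration.

```python
"""Lockout arithmetic for a numeric PIN (added example; the attacker model is an assumption)."""


def attempts_per_day(attempts_before_lock: int, lock_hours: float) -> float:
    """Guesses an attacker can make per day against a single account.

    After `attempts_before_lock` failures the account is frozen for
    `lock_hours`, so the best sustained rate is one burst per lock period.
    """
    return attempts_before_lock * (24.0 / lock_hours)


def years_to_exhaust(pin_digits: int, attempts_before_lock: int = 3,
                     lock_hours: float = 24.0) -> float:
    """Worst case: years until every PIN of `pin_digits` digits has been tried."""
    keyspace = 10 ** pin_digits
    days = keyspace / attempts_per_day(attempts_before_lock, lock_hours)
    return days / 365.0


def expected_years_to_guess(pin_digits: int, attempts_before_lock: int = 3,
                            lock_hours: float = 24.0) -> float:
    """Average case: a uniformly random PIN is found after half the keyspace."""
    return years_to_exhaust(pin_digits, attempts_before_lock, lock_hours) / 2.0


def seconds_to_exhaust_unthrottled(pin_digits: int, guesses_per_second: float) -> float:
    """Same keyspace with no lockout at all, for comparison (rate is a constructed figure)."""
    return (10 ** pin_digits) / guesses_per_second


if __name__ == "__main__":
    # The article's policy: six digits, locked for 24 hours after three failures.
    print(f"worst case:   {years_to_exhaust(6):.0f} years")        # ~913 years
    print(f"average case: {expected_years_to_guess(6):.0f} years")  # ~457 years
    # Without lockout, 1,000 guesses/s (constructed) empties the space in minutes.
    print(f"unthrottled:  {seconds_to_exhaust_unthrottled(6, 1000) / 60:.1f} minutes")
```

The "100 years" in the quote is therefore a conservative round-down of the ~913-year worst case; the model only covers guessing against one account, and the same lockout rule also applies to the legitimate owner who mistypes three times.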