
Exploring the password policy rabbit hole

submitted by
Style Pass
2021-08-14 13:00:09

Securing one’s computers and accounts (or one’s organization) is a challenging balancing act between convenience and security.

Implementing too much security (such as using very long passwords) hurts productivity while too little will likely result in getting pwned.

Striking the right balance and avoiding common misconceptions requires a deep understanding of how password security works… which requires time… a rare commodity among humans.

In this story, I will guide you down the password policy rabbit hole shedding light on password entropy, hardware random number generators, key derivation functions, secure elements and why deeply understanding these topics is fundamental when adopting (or drafting) password policy suited to one’s threat model.

When truly random, a 5-word passphrase generated using EFF’s Short Wordlist #1 has more entropy than an 8-character password, and is therefore more secure.
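As an added illustration of that claim (example code, not from the original article), the snippet below computes the entropy of 5 uniformly chosen words from the 1296-entry EFF Short Wordlist #1 and compares it with an 8-character random password over three assumed alphabets, since the page does not say which character set it has in mind; the tiny wordlist and the alphabet sizes are assumptions for the example.

```python
import math
import secrets

# From the text: EFF Short Wordlist #1 has 1296 entries (6^4, four dice rolls).
EFF_SHORT_WORDLIST_SIZE = 1296

# Assumed alphabet sizes for the 8-character password; the page does not say
# which character set it means, so all three are compared.
ALPHABET_SIZES = {"lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}

# Constructed stand-in for the real wordlist; only the generator below uses it.
SAMPLE_WORDLIST = ["acid", "acorn", "acre", "acts", "afar", "affix"]


def entropy_bits(picks, pool_size):
    """Entropy of `picks` independent, uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def compare(words=5, wordlist_size=EFF_SHORT_WORDLIST_SIZE, chars=8):
    """Return {alphabet: (passphrase_bits, password_bits, passphrase_wins)}."""
    passphrase = entropy_bits(words, wordlist_size)
    result = {}
    for name, size in ALPHABET_SIZES.items():
        password = entropy_bits(chars, size)
        result[name] = (passphrase, password, passphrase > password)
    return result


def generate_passphrase(words=5, wordlist=SAMPLE_WORDLIST):
    """Pick each word with the OS CSPRNG. The entropy figures above assume
    exactly this kind of uniform, unpredictable selection, not a human choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for name, (pp, pw, wins) in compare().items():
        print(f"5 EFF short words: {pp:.1f} bits vs 8 x {name}: {pw:.1f} bits "
              f"-> passphrase {'stronger' if wins else 'weaker'}")
    print("example (from the constructed list):", generate_passphrase())
```

The comparison makes the caveat visible: 5 short words (about 51.7 bits) beat an 8-character alphanumeric password (about 47.6 bits) but not one drawn uniformly from all 95 printable ASCII characters (about 52.6 bits), so the "8-character" side of any policy statement needs its character set spelled out.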
