How secure can a simple password be?
Well, that depends. What do you want to protect and against whom?
Today there are two main attacks. The first comes from people close to you: coworkers and relatives. Coworkers need some piece of information or access to some function while you're not around, or because there wasn't enough money to buy a software license for everyone. Relatives want to spy on you (for various reasons). If your password is something personal, they will figure it out easily enough.
The other attack comes from spammers who want access to your computer (to send more spam, to reach more computers, or to get at your bank account, credit card number, etc.) or to your online accounts. Credibility (as in Google ranking) can be worth money, so control over a well-known blog or a reputable website is not something a cracker would shun.
These people run automated, professional attacks against logins: they try dictionary words with a few digits appended (like cat123), and they have tables of leaked passwords ranked by how often people use them, so the most common ones are tried first (hint: don't use 123456 as a password).
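As an added example (not code from the original post), here is the guessing order just described, in Python, run against a salted and stretched password hash, plus the signup-time check that rejects anything the guesser would produce. The wordlist and the frequency table are constructed stand-ins for the real leaked lists attackers use; the iteration count is deliberately tiny so the exhaustive run finishes quickly.

```python
"""
Added example, not code from the original post: the dictionary-plus-digits
guessing described above, run against a salted password hash, and the
server-side acceptance check that rejects anything the guesser would produce.
The wordlist and frequency table are constructed stand-ins for real leaked lists.
"""
import hashlib
import hmac
import itertools
import os
import secrets

# Constructed stand-in for a leaked-password frequency table, most common first.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123", "letmein"]

# Constructed stand-in for a cracking dictionary.
WORDS = ["cat", "dog", "love", "summer", "hello", "monkey", "dragon", "football"]

# Suffixes tried per word: the bare word, then 1 to MAX_DIGITS trailing digits.
MAX_DIGITS = 3

# Deliberately low so the exhaustive demo runs in about a second. Real
# deployments use hundreds of thousands of PBKDF2 iterations (or a memory-hard
# function such as scrypt or Argon2); that cost per guess is the whole point.
DEMO_ITERATIONS = 100


def candidates():
    """Yield guesses in the order a cracker tries them: the frequency table
    first (cheapest hits), then every dictionary word with 0..MAX_DIGITS
    trailing digits, shorter suffixes before longer ones."""
    yield from COMMON_PASSWORDS
    for word in WORDS:
        yield word
        for n in range(1, MAX_DIGITS + 1):
            for digits in itertools.product("0123456789", repeat=n):
                yield word + "".join(digits)


def hash_password(password, iterations=DEMO_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256. A per-user random salt means an attacker's
    precomputed table cannot be reused across accounts; each account has to
    be attacked guess by guess."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password, salt, digest, iterations=DEMO_ITERATIONS):
    """Constant-time comparison so the check itself leaks nothing via timing."""
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)


def guesses_to_crack(password):
    """Number of guesses the candidate list needs to recover `password` from
    its stored hash, or None if the whole list is exhausted without a hit."""
    salt, digest = hash_password(password)
    for count, guess in enumerate(candidates(), start=1):
        if verify(guess, salt, digest):
            return count
    return None


def is_guessable(password):
    """Acceptance check for a registration form: reject anything the guesser
    above would produce (a blocklist check, not a character-class rule).
    Matches case-insensitively and strips any number of trailing digits."""
    pw = password.lower()
    if pw in COMMON_PASSWORDS:
        return True
    return pw.rstrip("0123456789") in WORDS


if __name__ == "__main__":
    for pw in ["123456", "cat123", secrets.token_urlsafe(12)]:
        print(f"{pw!r}: cracked after {guesses_to_crack(pw)} guesses, "
              f"rejected at signup: {is_guessable(pw)}")
```

Note that cat123 falls after a couple of hundred guesses no matter how well the hash is stored; salting and stretching only make each guess cost more. That is why a blocklist check at registration time matters as much as the hashing.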
For big sites, the question isn't really how "secure" the passwords are but how often the same ones are used. If every password were different, it would be much more effort for attackers to crack enough accounts to make the attempt worthwhile.
That means passwords could be simple enough to remember. As they should be. Or people will have to write them down somewhere — we’re not computers. Which remember everything perfectly. Unless the last backup didn’t work. Or a virus comes along. Or someone makes a mistake.
Related Articles
- Debate Around Password Security Overlooks Universal Logins (readwriteweb.com)
- Schluss mit den Zeichenketten ("Enough with character strings"; heise.de, German)
- Forcing users to use insecure passwords (older post)