Making secure passwords

A recent ZDNet article claimed that GPU computing has rendered even the most secure passwords dangerously crackable. It’s true that passwords built along the conventional wisdom are easier to brute-force than they used to be, but that doesn’t mean all hope must be abandoned. The tradeoff is normally between complexity/length and memorability, but in a “Security Now” episode earlier this month, Steve Gibson tossed that tradeoff out the window. His idea: bury your password in a haystack. The general idea is this: if your password is “r4Nd0mBunn1es”, you can make it harder to crack by padding it out to something like “/\/\/\/\r4Nd0mBunn1es/\/\/\/\” or “---r4Nd0m*****Bunn1es+++”. The padding adds length and, if it brings in a character class the needle lacked (symbols, here), a larger alphabet, so an exhaustive search has far more candidates to try, yet the padding costs you little to remember because it is a fixed pattern rather than more random characters.

Even if you use the same pattern every time, so long as the password needle is different for each site, the overall password remains very difficult to crack by exhaustive search. So if the password is so difficult, why use a different needle for each site? Because you can’t trust the site to do the right thing. As recent attacks against Sony and other sites have shown, some sites still store passwords in plain text. One caveat follows from that: a leaked plaintext password also reveals your padding pattern, and an attacker who knows the pattern only has to search the needle, so the haystack’s extra strength rests on the pattern staying private and the needle still needs real entropy of its own. At least with the password haystack, you can remember shorter per-site passwords and apply the pattern to fill them out.
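As an added illustration (not part of the original post, and not Gibson’s own calculator code), the script below estimates the exhaustive-search space of a needle versus its padded haystack the way a naive brute-force estimate counts it (the alphabet is the sum of the character classes actually present, and every shorter length is tried first), and then checks the two things a practitioner would want to know before relying on the scheme: how much is left once the padding pattern has leaked, and whether a prompt that silently truncates input still keeps the whole needle (the point raised in the comment below). The guess rate and the truncation limit are assumed values chosen for the demonstration.

```python
import math
import string

# Character classes as a naive exhaustive-search estimate counts them:
# 26 lower, 26 upper, 10 digits, 33 printable symbols including space.
# A class counts only if the password actually uses it.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},
}


def alphabet_size(pw: str) -> int:
    """Size of the alphabet an attacker must assume, given the classes present."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in pw))


def search_space(pw: str) -> int:
    """Candidates an exhaustive search tries before it is guaranteed to hit pw:
    every string over the same alphabet up to and including pw's length."""
    n = alphabet_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))


def bits(space: int) -> float:
    """Search space expressed as bits of work (0 for an empty space)."""
    return math.log2(space) if space > 0 else 0.0


def haystack(needle: str, left: str, right: str) -> str:
    """Pad a needle with a memorable, fixed pattern on either side."""
    return left + needle + right


def known_pattern_space(needle: str) -> int:
    """What remains once the padding pattern has leaked (e.g. from a site that
    stored an earlier haystack in plain text): the attacker fixes the pattern
    and searches only the needle."""
    return search_space(needle)


def survives_truncation(needle: str, left: str, right: str, limit: int) -> bool:
    """True if a prompt that silently keeps only the first `limit` characters
    still retains the entire needle. `limit` is a hypothetical site limit."""
    return len(left) + len(needle) <= limit


def crack_seconds(space: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute-force search at a given guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    needle = "r4Nd0mBunn1es"          # the needle from the post
    pad = "/\\/\\/\\/\\"               # the padding pattern from the post
    padded = haystack(needle, pad, pad)
    rate = 1e11  # assumed: 100 billion guesses/s, an offline GPU rig
    for label, pw in (("needle", needle), ("haystack", padded)):
        sp = search_space(pw)
        print(f"{label:9s} len={len(pw):2d} alphabet={alphabet_size(pw):3d} "
              f"bits={bits(sp):6.1f} worst-case={crack_seconds(sp, rate):.3g} s")
    leaked = known_pattern_space(needle)
    print(f"pattern leaked: bits={bits(leaked):.1f} (back to the needle alone)")
    limit = 16  # assumed: a site that silently keeps only 16 characters
    ok = survives_truncation(needle, pad, pad, limit)
    print(f"needle survives {limit}-char truncation: {ok}")
```

Two things the numbers make obvious: the haystack only helps while the attacker must treat the padding as unknown, and left-hand padding is the part that gets you hurt by a truncating prompt, since the needle is what falls off the end.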

I’ve not been as quick to react to this as I perhaps should have been. Admittedly, I reuse my throwaway passwords a lot, and so I’m taking advantage of this opportunity to fix this glitch. I’ll probably just create gibberish ones and save them in KeePassX.

One thought on “Making secure passwords”

  1. +1 for Keepass
    Good idea, but be careful of authentication prompts that secretly truncate your password string without telling you. #badadmins
