

Celebrities desperately trying to protect themselves against nude photo leaks by ‘hardening’ their passwords are probably wasting their time, according to a new report from Microsoft’s research mavericks.
Writing in a paper titled An Administrator’s Guide to Internet Password Research [PDF], Microsoft’s Dinei Florencio and Cormac Herley say it really isn’t worth bothering with trying to harden passwords against brute force attacks – which is exactly how the iCloud celebrity nude hackers got hold of their victims’ compromising snaps. Their advice comes barely a month after they caused a kerfuffle by recommending people should use easy passwords and reuse them across multiple websites, the complete opposite of what many experts have been saying for years.
The pair say standard guidelines suggesting people use a mix of special characters, letters and numbers are completely pointless. “Honesty” they said “demands a clear acknowledgement that we don’t know how to [resist offline password guessing]: attempts to get users to choose passwords that will resist offline guessing … must largely be judged failures.”
“Failed attempts ensure a large-scale waste of user effort, since exceeding the online while falling short of the offline threshold delivers no security benefit,” they added.
Florencio and Herley tested their theory using a combination of “literature survey and first-principles reasoning to identify what works, what does not work, and what remains unknown.”
Their research found that so-called “strong passwords” are pointless when other security mechanisms, like hashing and encryption, are badly implemented or, worse, totally absent.
Instead, they advise system admins to follow the lead of companies like Amazon and Facebook and let users choose simple, easy-to-remember passwords while using systems that make these resistant to offline attacks. Their argument is that if password security systems are adequate, such attacks can be eliminated. They say that brute force attacks can be mitigated using mechanisms such as whitelisting of known user devices, rate-limiting and the banning of extremely common passwords.
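As an added illustration of the three server-side mechanisms the paper recommends (a denylist of very common passwords, rate-limiting with lockout, and a bypass for known devices), here is a small Python sketch that is not from the paper or any vendor's code; the class name, parameters and denylist entries are all constructed for the example. It goes one step beyond the text by computing the "online threshold" the authors refer to: the maximum number of guesses the throttle lets a stranger make against one account in a given period, which is the only number a user-chosen password then has to beat.

```python
import time
from collections import deque
# Constructed denylist standing in for a real list of the most-guessed passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abc123", "letmein", "iloveyou"}

class OnlineGuessingGuard:
    """Per-account throttle against online guessing (hypothetical design): a sliding
    window of failed logins, a lockout once it fills, and a known-device bypass."""
    def __init__(self, max_failures=10, window_seconds=3600, lockout_seconds=900, clock=time.time):
        self.max_failures, self.window, self.lockout = max_failures, window_seconds, lockout_seconds
        self.clock = clock        # injectable so tests can advance time
        self.failures = {}        # username -> deque of failure timestamps
        self.locked_until = {}    # username -> epoch seconds until which logins are refused
        self.known_devices = {}   # username -> set of device ids verified on a past login

    def password_allowed(self, password):
        return password.lower() not in COMMON_PASSWORDS   # refuse what guessers try first

    def register_device(self, username, device_id):
        self.known_devices.setdefault(username, set()).add(device_id)

    def _recent_failures(self, username, now):
        q = self.failures.setdefault(username, deque())
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return q

    def attempt_allowed(self, username, device_id=None):
        if device_id in self.known_devices.get(username, ()):
            return True           # known device: exempt from rate limiting and lockout
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return False
        return len(self._recent_failures(username, now)) < self.max_failures

    def record_failure(self, username):
        now = self.clock()
        q = self._recent_failures(username, now)
        q.append(now)
        if len(q) >= self.max_failures:        # window full: lock out and restart the count
            self.locked_until[username] = now + self.lockout
            q.clear()

    def record_success(self, username):
        self.failures.pop(username, None)
        self.locked_until.pop(username, None)

    def online_guess_budget(self, seconds):
        """Upper bound on guesses a stranger gets in `seconds` (assumes window >= lockout)."""
        return self.max_failures * (seconds // self.lockout + 1)
```

With the defaults (10 failures per hour, 15-minute lockout) the budget works out to under a thousand guesses per account per day, so a password only needs to avoid the handful of entries a guesser tries first.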