Let’s talk about passwords.

There is a suggestion on how to have a hard-to-crack password that is easy to remember: just use three or four words.  ‘Thisisashortsentence’ is much harder to crack than the traditional ‘ei%7sih)’.  It is easier for humans to remember and type, and it supports a better approach to IT.  But is it secure?  Technically no, but in practice … maybe.

Passwords can be the bane of our lives – they interrupt us en route to a website or resource that we want or need.  Passwords get forgotten or mistyped and need resetting, which involves interpreting those ridiculous CAPTCHA images and remembering what street we used to live on, or, worse, making a call to IT support for a reset.

This is exacerbated by the fact that we all now have a plethora of passwords: for important things like logging onto a corporate network, using our phone or banking online, as well as for less important things (although an entire generation may disagree here) like Twitter, Facebook, LinkedIn, Tumblr etc.

As IT people we try to encourage users to have “strong” passwords.  Sometimes we have to insist on strong passwords.  Sadly, the vendors we represent – as well as the administrators of the popular sites – have often made errors in the way they work with their clients.  Making end users endure ‘complex’ passwords is troublesome at best.  Who can remember ‘ei%7sih)’?

Lately we have been following the argument that there is a much better way than the arcane combinations of upper and lower case characters, symbols and numbers.

This comic from the long-admired XKCD sets it out nicely (see above).

There is a fair bit of argument and science behind this.  In summary:

A password is secure when it takes a hacker using the current toolset long enough to crack it.  Something that takes more than a year of effort (at, say, 100 attempts a minute) will probably be secure enough for most people.

Aside from the easy ways to get a password – ask the user, look at the Post-it note that should not be there, or guess it – hackers crack passwords using brute-force, common-word or dictionary attacks, alone or in combination, working through possibilities until a solution is reached.

Using special characters massively expands the range of options, making it harder to derive the password.  This is only relevant if the hacker knows you are not using them: so long as they are allowed as part of the password in the relevant system, plain words are arguably as effective as more complex passwords in this circumstance.
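The "more than a year at 100 attempts a minute" yardstick and the keyspace argument above can be made concrete. The following is an added example, not code from the post or from XKCD: it sizes the search space for the post's two sample passwords under three attacker models (brute force over the character classes actually present, and, for the passphrase, an attacker who knows it is made of common words). The symbol-class size of 32, the 2048-word vocabulary and the five-word split of ‘Thisisashortsentence’ are constructed assumptions; the 100 guesses/minute rate is the post's own figure.

```python
import math

# Constructed assumptions for this example (only the 100/minute rate comes from the post):
GUESSES_PER_MINUTE = 100            # the post's yardstick attack rate
MINUTES_PER_YEAR = 60 * 24 * 365
SYMBOL_CLASS_SIZE = 32              # printable ASCII punctuation, roughly
COMMON_WORD_VOCABULARY = 2048       # a small word list an attacker might try first


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must use when brute-forcing over
    every character class that actually appears in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += SYMBOL_CLASS_SIZE
    return size


def brute_force_space(password: str) -> int:
    """Number of candidates in a character-by-character brute-force search."""
    return charset_size(password) ** len(password)


def wordlist_space(word_count: int, vocabulary: int = COMMON_WORD_VOCABULARY) -> int:
    """Number of candidates when the attacker knows the password is word_count
    words drawn from a vocabulary of the given size (the worst case for a
    passphrase; a grammatical sentence is smaller still, which this ignores)."""
    return vocabulary ** word_count


def entropy_bits(space: int) -> float:
    """Search space expressed as bits, the usual way to compare models."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_minute: int = GUESSES_PER_MINUTE) -> float:
    """Years needed to try every candidate at the given rate; the expected
    time to hit a uniformly chosen password is half of this."""
    return space / guesses_per_minute / MINUTES_PER_YEAR


def compare(symbol_soup: str, passphrase: str, word_count: int) -> dict:
    """Summarise the three attacker models discussed in the post."""
    return {
        "symbol_soup_brute_force": brute_force_space(symbol_soup),
        "passphrase_brute_force": brute_force_space(passphrase),
        "passphrase_known_words": wordlist_space(word_count),
    }


if __name__ == "__main__":
    result = compare("ei%7sih)", "Thisisashortsentence", word_count=5)
    for model, space in result.items():
        print(f"{model:26s} {entropy_bits(space):6.1f} bits  "
              f"{years_to_exhaust(space):.3g} years at {GUESSES_PER_MINUTE}/min")
```

Even under the model that is worst for the passphrase (the attacker knows it is five words from a 2048-word list), its search space is larger than the brute-force space of the eight-character ‘ei%7sih)’; an attacker who does not know that and must brute-force twenty mixed-case letters faces a space that is larger by many orders of magnitude. At the post's 100 guesses a minute every model here exceeds the one-year yardstick; the caveat is that offline cracking of a leaked hash list runs millions of times faster, which is where the next section's point about server-side storage matters.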

Many of the password-hacking news stories – the Gawker or Sony PlayStation hacks, for example – have had nothing whatever to do with the user-chosen password.  Those exploits involved the hackers grabbing password lists from servers where, because the passwords weren’t properly encrypted, the hackers could try the email addresses and passwords on other popular sites.

This last point does place some burden on the user: you need different passwords in different places, in case one server gets hacked.  This is crucial – part of the way that hackers harvest passwords is to use ones that they have already discovered.
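The server-side failure described above (a stolen password list that yields working email/password pairs) is avoided by never storing anything a thief can read back as a password. The following is an added example, not code from the post, of the standard defender-side practice: each password is stored as a slow, salted one-way hash, verified by recomputing it. It assumes PBKDF2-HMAC-SHA256 from Python's standard library, a random 16-byte salt per user, and a constructed default iteration count; the record format `algorithm$iterations$salt$digest` is likewise an assumption for this example. Note that hashing protects the stored list; it does not remove the user's burden of using different passwords at different sites, since a weak password can still be guessed offline from a leaked hash.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumptions for this example: PBKDF2-HMAC-SHA256, a 16-byte random salt per user,
# and a constructed default iteration count. Tune the count so that one
# verification costs a noticeable fraction of a second on your hardware.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64).
    Storing the parameters with the digest lets you raise the cost later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time. A malformed or foreign record never verifies."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iteration_count = int(iterations)
    except ValueError:            # wrong field count, bad base64, bad integer
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iteration_count, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def records_match(record_a: str, record_b: str) -> bool:
    """True only if two stored records are identical. Because every user gets a
    fresh salt, the same password at two sites produces different records, so a
    table leaked from one site does not expose reuse at another by comparison."""
    return hmac.compare_digest(record_a.encode("ascii"), record_b.encode("ascii"))


if __name__ == "__main__":
    password = "Thisisashortsentence"
    site_a = hash_password(password)   # what site A stores; never the password
    site_b = hash_password(password)   # same password, different salt at site B
    print(site_a)
    print("correct password verifies:", verify_password(password, site_a))
    print("wrong password verifies:  ", verify_password("ei%7sih)", site_a))
    print("records identical across sites:", records_match(site_a, site_b))
```

The iteration count is the knob that turns a leaked table from "try the credentials elsewhere tonight" into a long offline job per password, and the per-user salt stops one cracking run from covering every user at once.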

I confess that I use the one long password in lots of places… and now that I have said that, I have to change it, but those are all unimportant places; I can live with someone making a comment in my name on a forum.

Here are some references including – read the comments if you are keen – some well-reasoned defenses of long and unwieldy passwords.

http://www.baekdal.com/insights/password-security-usability

http://www.baekdal.com/insights/the-usability-of-passwords-faq

https://www.grc.com/haystack.htm

Let me know what you think.  Would you prefer a specific password policy set-up in Windows for your users?  Is a secure single sign-on important to productivity for you?

Sean Murphy
