A good analogy for a password is a lock on your front door. It is the first line of defense in protecting your valuables. Hardly anyone would argue against a lock on their door, and we’ve come to (reluctantly) accept that access to the resources stored on our computers, which hold valuable information, should be afforded similar protection.

But there is a problem, and it has to do with the sheer number of things we have to guard against unwanted access: physical computers, discussion forums, bank accounts, company confidential information vaults. It’s not uncommon for a single person to have to manage 100+ passwords to go about their daily business. How can we remember all of those, often long and complex, passwords? The answer: we don’t. Some, of course, we do remember, but most will be stored in our computer’s password vault or online wallet, in the browser’s password manager, or written down somewhere we can find them when needed.

Several years ago, while working as a consultant, I needed to gain access to a machine using the credentials of its original operator, who was no longer available. For all intents and purposes, the corporate security policy in place at the time made guessing the proper password impossible:

– No common words (defined by domain dictionary)

– At least 8 special characters and at least 3 digits, with no number longer than 3 digits

– 18 characters long (it may have been 24)

– Changed every 30 days

It would quite literally be a string of random characters, and yet I managed to log in after less than a minute of trying. Easy: I found it taped to the back of the desk protector. In one form or another, this behavior is still common today. Unlike then, however, physical access to the device, or to the environment in which it sits, is often no longer necessary.

Sufficient Password Length

Any important password should be, at a minimum, 12 to 16 characters long. This addresses two issues: casual guesses by other people, and the amount of work a brute-force attack has to do in order to crack your password. The commonly required 8-character string (in whatever unreadable combination) is mathematically quite trivial for password-cracking software to exhaust, and it is short enough that most people will just use some kind of keyword: their names, birth dates or other easily obtained information, or, worst of all, P@$5w0rD or, if you’re a Mel Brooks fan, 12345. There goes the “easy to remember” part.

Password Complexity

It would seem to stand to reason that, as a password, “butterfly” is quite weak and “Bu7t3rf!y” is quite strong indeed. In truth, they are both very weak. First, this kind of character substitution is a common method of obfuscation, one which people often use to get around the limitations of unique online names or in their online chat jargon; we’re quite used to it and can read it very easily. Second, this is a common word; chances are this person likes butterflies, or it’s the name of their pet or favorite band. So long as the word itself can be obtained, it’s not that hard to stumble upon the right combination. Password complexity should therefore not be confused with password obfuscation. If we had not killed off the “easy to remember” part already, we’ve definitely done so now. But wait, it gets worse!

Changing Your Passwords

In their effort to keep information safe, companies will often resort to an aggressive password policy, not only requiring certain lengths and complexity but often enough forcing their users to change their passwords every so often. One has to be careful with this, however, because a policy that fails to account for human behavior actually makes the security fence weaker. Of course, there are times when requiring users to change their passwords is necessary: a suspected data breach, a burglary, or even the departure of key IT personnel. But if we force people to change more often than reasonably necessary, they will find a way to cope with the burden, and this will often lead to house-of-cards security theater rather than proper protection.

Password Recycling and Reuse

With the number of passwords we have to maintain, it is not uncommon to use the same password, or slight variations of it, to protect different resources. It is one way for us to cope with the sheer number of them. While regrettable, it is understandable.

What you should never do, however, is share passwords across different types of services or resources. This matters because the data from one of those services may one day be stolen or compromised (and, as history shows, this is happening more and more often). Armed with the password from one service and possibly enough personal information, an attacker may well gain access to much more sensitive information, like your corporate network or bank account. So the password you have for CatOwnersAnonymous.com should never, ever be the same as the one for your corporate laptop, no matter how ridiculously strong it is.

“So there isn’t an easy-to-remember part, is there?” There is. What there isn’t is easy passwords.

Pass Words vs Passwords

Given two passwords, Ad@m!974 and RogerGreenBasket, which one looks stronger? The first does not seem very sophisticated, but it sure as hell is better than Roger and his green basket, no? No.

Let’s for a moment assume that I could actually use this exact phrase as my password. Let’s even assume that you know me very, very well. Even more, you know Roger is a long-time friend of mine. But what of the green basket? “Oh, I get it, your favorite color is green, clever.” Nope, not even close. What’s more, there is no green basket either, nor is Roger any shade of green. “This makes no sense.” Not to you it doesn’t, and that is the entire point. Even though I can tell you that the phrase RogerGreenBasket now comes quite naturally to me, it is only because there is actually a link between the three words, a link that only I can make. Ad@m!974, on the other hand, is clearly my first name and what is possibly my year of birth: probably the first thing any aspiring basement hacker would try, and about 2.5 seconds of effort for password-cracking software.

Keep in mind that we’re not talking about a secret phrase here. You do not want to use MaryHadALittleLamb, GetToTheChoppa or anything else that is an actual known phrase, no matter how obscure. The trick is in stringing together words (and numbers) that make no sense together and yet, through some associative process, stick in your mind.

If my system is ever compromised, “R*_#1G#e3nHSG2!!4” is just as easy or hard for a computer program to crack as “RogerGreenBasket”, while both remain impossible for any human to guess in a bazillion tries. The latter, however, is much easier for me to remember.
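To put numbers on the length argument from “Sufficient Password Length” and on the comparison just made, here is an added estimate (not code from the post). It sizes the keyspace of the post’s three example passwords under two attacker models: blind brute force over the character classes present, and a word-list attack that tries whole-word combinations. The guess rate (10^10 per second, a fast unsalted hash) and the 20,000-word list are assumptions. Against blind brute force both sixteen-plus-character strings are far out of reach, but an attacker who guesses whole words needs far fewer tries for a three-word phrase, which is why a fourth or fifth unrelated word is cheap insurance.

```python
"""Rough strength estimates for the post's example passwords under two
attacker models: blind brute force over the character classes present, and
a word-list attack that guesses whole words.  Added example, not from the
original post; the guess rate and word-list size are assumptions."""
import math
import string

GUESSES_PER_SECOND = 1e10  # assumed offline rate against a fast unsalted hash
WORDLIST_SIZE = 20_000     # assumed number of words the attacker combines


def charset_size(pw: str) -> int:
    """Size of the alphabet a blind brute-force attacker must cover."""
    classes = (
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: c in string.punctuation, len(string.punctuation)),
    )
    return sum(n for test, n in classes if any(test(c) for c in pw))


def brute_force_bits(pw: str) -> float:
    """log2 of the keyspace a blind brute-force search has to exhaust."""
    return len(pw) * math.log2(charset_size(pw))


def wordlist_bits(n_words: int, words: int = WORDLIST_SIZE) -> float:
    """log2 of the guesses needed if the attacker tries word combinations."""
    return n_words * math.log2(words)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to enumerate the whole keyspace at the assumed rate."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)


def random_string_bits(length: int, alphabet: int = 95) -> float:
    """Keyspace bits of a fully random string over printable ASCII (95 symbols)."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    for n in (8, 12, 16):
        b = random_string_bits(n)
        print(f"random {n:2} chars: {b:5.1f} bits, {years_to_exhaust(b):.3g} years")
    for pw, words in (("Ad@m!974", None), ("RogerGreenBasket", 3), ("R*_#1G#e3nHSG2!!4", None)):
        line = f"{pw:20} brute force {brute_force_bits(pw):5.1f} bits"
        if words:
            line += f", word list ({words} words) {wordlist_bits(words):5.1f} bits"
        print(line)
```

An 8-character random string comes out at roughly 53 bits, which the assumed rate exhausts in days; 12 characters is already millions of years, and that gap is the whole case for length.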

by Adam J. Sycz, Software Development & Support Specialist, CAL Business Solutions