The Macrosite for News, Analysis and Opinion about the Future of the Internet
Stephen Gallagher

Why Password Wisdom Is All Wrong

11/30/2011 67 comments

I don't like to keep people in suspense, so I'll start off with the surprise ending: Your password is not secure. Now that I've gotten your attention, we can talk about why that is (and what you can do about it).

Let's start with the basics: What makes a good password? You've probably heard variants on this from many different places over the years. "Your password should consist of numbers, letters, and punctuation. It should be at least eight characters long and not contain your name, birthday, pet's name, or Social Security number."

I'm sorry to tell you this, but you have been lied to.

The simple truth is that passwords of that level of complexity are of poor value in the real world. An attacker who has obtained your password's hash can try every possible combination offline, and for an eight-character password even that inefficient brute force finishes in a few days or weeks of dedicated work on a modern computer. It gets worse: despite the recommendations above, people tend to use passwords that are easier for them to remember, such as a common word or name followed by a few numbers. Passwords of this nature fall far faster than the brute-force arithmetic suggests, because the base words from which they originate, along with the common manipulations (substituting a zero for an "o", capitalizing the first letter, appending a year), are gathered into wordlists and "mangling rules" that cracking tools apply automatically.

There are other problems inherent in these password requirements, beyond the basic arithmetic. The degree of complexity is easy to measure; "How hard is it to remember?" is not. The more complex the password requirements get, the harder the resulting password is to remember. This is, of course, a qualitative judgment: some people are perfectly capable of remembering 15-character jumbles of random letters and numbers. Those of us who are mere mortals tend to have difficulty with this.

As computers get faster, our only answer has been to demand longer passwords in order to stay ahead of the speed at which they can be guessed. So eight characters may have been sufficient 10 years ago, but now passwords need to be a dozen or more characters long before they are "unbreakable" -- until computers catch up again. (This arithmetic describes an offline attack against stolen password hashes, where the guess rate is limited only by hardware and by how slow the hash function is. A login form that locks or rate-limits accounts allows only a few guesses a second, which is exactly why the leaked hash, not the login form, is the attacker's usual target.) In the meantime, we've rendered passwords so impossible to remember that nearly everyone is forced to write them down somewhere.

Any security professional will tell you that once a password has been written down, its value drops immensely. All it takes is one person taking a quick snap of your Post-It note with a cellphone camera, and the company's carefully constructed password policy is worthless.

So what do we do? How do we control access to our computers without either using weak passwords or forcing our users to write strong ones down? Well, there are several ways. The first is to require a second form of authentication, such as a smartcard or a time-based authentication token. Because access now depends on more than the password alone (you also need a physical device on your person), the password-complexity requirements can in theory be relaxed. An attack becomes much less likely to succeed: a stolen password is useless by itself, and you'll notice that your token is missing.

There is a second approach that more and more companies are starting to become aware of. Mathematically, the biggest gain in password strength comes from length, not from character complexity: every extra character multiplies the search space by the size of the alphabet, whereas adding punctuation to an eight-character password only makes that multiplier a little larger. So a fair number of companies have started reducing the character-class requirements and instead simply relying on longer passwords, which can be much easier to remember. For example, instead of a random sequence of letters, numbers, and special characters, a company could require only letters and spaces, with no upper limit on length. Employees could then be encouraged to pick several English words at random and remember the order, such as "vagrant pizza mouse garden pick." This is a much simpler phrase to remember than "p1ZZapi3" would have been, and at the same time it is much more secure because of its length: five words drawn at random from even a modest wordlist take far longer to exhaust than eight characters of leet-speak built on a single dictionary word. The one caveat is that the words really must be chosen at random; a song lyric or a well-known phrase sits in the attacker's wordlists just as surely as a single dictionary word does. This second approach costs a corporate environment effectively nothing while providing a significant gain in security.
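The arithmetic behind "length beats complexity", as an added example that is not code from the original post. The guess-space sizes are exact; the attacker's guess rate (an assumed one billion guesses per second, the order of magnitude a fast unsalted hash allowed on GPU hardware of the time) and the dictionary, rule and suffix counts in the word-plus-leet-speak model are assumptions, marked as such in the code. The passphrase is scored as five words drawn at random from the 7,776-word Diceware list, also an assumption about how the words were picked.

```python
import math

PRINTABLE_ASCII = 95      # the policy's alphabet: letters, digits, punctuation, space
DICEWARE_WORDS = 7776     # words in the standard Diceware list (6**5); assumed wordlist
SECONDS_PER_DAY = 86400


def random_string_space(length, alphabet_size):
    """Guesses to exhaust every string of `length` symbols chosen uniformly at random."""
    return alphabet_size ** length


def random_words_space(word_count, wordlist_size):
    """Guesses to exhaust every ordered choice of `word_count` words from one list."""
    return wordlist_size ** word_count


def mangled_word_space(dictionary_size, mangling_rules, suffix_choices):
    """An attacker's model of 'a word, with substitutions, then a few digits':
    every dictionary word under every mangling rule with every suffix.
    Far smaller than the policy's nominal 95**8 because the user did not choose at random."""
    return dictionary_size * mangling_rules * suffix_choices


def entropy_bits(space):
    """log2 of the guess space: each extra bit doubles the attacker's work."""
    return math.log2(space)


def days_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate; the expected time is half of this."""
    return space / guesses_per_second / SECONDS_PER_DAY


def compare(guesses_per_second=1e9):
    """Score the three password styles from the post. Returns {name: (bits, days)}.
    The default rate is an assumed 1e9 guesses/s, i.e. an offline attack on a leaked,
    fast, unsalted hash; pass e.g. 10 for an online attack against a rate-limited login."""
    cases = {
        # the policy's 8 printable characters, chosen truly at random
        "random8": random_string_space(8, PRINTABLE_ASCII),
        # 'p1ZZapi3'-style: assumed 100,000 base words x 32 mangling rules x 1,000 suffixes
        "mangled_word": mangled_word_space(100_000, 32, 1_000),
        # 'vagrant pizza mouse garden pick': 5 words drawn at random from the Diceware list
        "five_words": random_words_space(5, DICEWARE_WORDS),
    }
    return {name: (round(entropy_bits(space), 1), days_to_exhaust(space, guesses_per_second))
            for name, space in cases.items()}


if __name__ == "__main__":
    for name, (bits, days) in compare().items():
        print(f"{name:13s} {bits:6.1f} bits  {days:14.3f} days to exhaust offline")
```

At the default rate the random eight-character policy password falls in about 77 days, the word-plus-leet-speak password in seconds, and the five-word phrase in roughly 900 years. At 10 guesses per second (a login form with lockouts) even the eight-character password takes millennia, which is why the realistic threat is the leaked hash rather than the login form. The passphrase figure only holds if the words are chosen at random, not by taste.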

— Stephen Gallagher is a Linux Software Engineer working at Red Hat, Inc.

nimantha.de
IQ Crew
Saturday December 10, 2011 2:20:15 AM

Anand: Sounds interesting, Anand. I think it's a good solution.

Kim Davis
Thinkernetter
Friday December 9, 2011 5:18:07 PM

Funny, Lippencotte, but the message I take away is: be serious about passwords for things that really matter. As for the other hundred passwords you need, do your best, but don't lie awake worrying.

Joe Stanganelli
Thinkernetter
Friday December 9, 2011 3:41:50 PM

Ah, yes. An oldie yet goodie.

Lippencotte
Rank: Cyborg
Friday December 9, 2011 6:41:56 AM

All the password business at times is just annoying, but we don't live in a perfect world. I remember reading a joke one time about a password written down, "hueydewylouieplutosnowwhitemickeyspringfield", and when asked, the person said that was your rules: 6 characters and a capital.

As long as we remember, no password is unbreakable, and the person most annoyed is not the hacker but the poor person trying to work, and you have to change passwords every three weeks, and oh, by the way, we remember the last 12 so you can't use them either.

Rant off. Have a wonderful Christmas season, everyone.

Kim Davis
Thinkernetter
Wednesday December 7, 2011 3:31:31 PM

That hadn't occurred to me. Is there really no way to track interaction with the screen? I am sure there soon will be!

Anand Y
IQ Crew
Wednesday December 7, 2011 3:02:30 AM

Nimantha, there's a piece of software, installed on every computer, that reads every keystroke the user enters. It's called the keyboard driver.

@Root, I think the best solution to this problem is to use screen-based virtual keyboards. Instead of entering data at the physical keyboard, users press keys displayed on their monitors. This bypasses the normal path taken by keyloggers, making it impossible to capture keystrokes.

Mashka
Researcher
Monday December 5, 2011 7:52:56 PM

I have heard how a girl was talking to her system administrator: "My password is rejected, but I am 85% sure that it is right." Well, any password can be broken, it is obvious, but at least we can try to do something better than 12345678 or "I love you" :)

Root Maniac
IQ Crew
Monday December 5, 2011 12:29:39 PM

If there is software which can detect the passwords and user names, isn't it a threat?

Nimantha, there's a piece of software, installed on every computer, that reads every keystroke the user enters. It's called the keyboard driver.

There are many avenues a motivated attacker can use to compromise a system, such as installing a keyboard driver that sends keystrokes back to a malicious operator. That's why a competent systems administrator knows what software is installed on his systems, and understands what each program does.

smkinoshita
Thinkernetter
Monday December 5, 2011 9:15:36 AM

Just wanted to post that I really liked your article on password wisdom. I've been assuming that it was the complexity, but you're right -- length is really what helps. I know it's not a perfect solution by any means, but it's a good solution when better ones aren't immediately available.

nimantha.de
IQ Crew
Sunday December 4, 2011 10:55:54 PM

Root M: If there is software which can detect the passwords and user names, isn't it a threat?

The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.