the great password masquerade

People who work in IT security (including me) often defend old habits that should really no longer be in use. Passwords are one of the places where a few different ‘obsessions’ have remained deeply rooted for years. And the three ‘golden rules’ put forth for passwords are generally:

  1. change passwords regularly
  2. create complex passwords
  3. choose different words for each website (don’t reuse the same word)

But the reality is that users rarely if ever follow these rules: either these rules are no good, or users simply don’t understand them. Right off the bat, I would go with the first answer. This is what this article is about, which I have aptly titled “the great password masquerade.”

So if you’re ready, then let’s get started!

a right hook to rule #1

Forcing users to change their passwords regularly (every 6 months or so) just encourages them to use strategies like “OK I’ll just turn this 8 into a 9.” This is completely pointless. Let’s take an example:

  • before: SuPe5Passw@rd!
  • after: SuPe6Passw@rd!
  • or even: $uPe5Pass@rd!!

This is an easy enough way to pacify any system that makes sure passwords are sufficiently complex (see rule #2). And all is good for users, since they will always be able to remember their “new” passwords. But the problem is that passwords become very predictable this way. Even worse is that substituting a $ for an S or 0 for an o is useless: any decent crack tool already knows that trick.

In fact, the threat is no longer posed by brute-force attacks (exhaustive key searches... more about that here), but rather by phishing and other keylogging attacks. So rule #1 is obsolete and needs an update. At the same time, rule #1 also clearly doesn’t jive with rule #2, which says that passwords should be complex: users will always forget new, complex passwords.

The only real reason to change your password: if you think (or suspect) that it has been compromised. So you really just have to keep an eye out for these kinds of problems. See my thoughts on rule #3 for more on this topic.

bam! rule #2 takes a jab to the face

Sure, complex passwords can be cute with their lowercase and uppercase letters, numbers, and special characters, all (of course) adding up to 6 or 8 characters or even more. Obviously, these are a challenge to enter, especially when using a tablet or smartphone. These devices just weren’t made for these kinds of finger gymnastics.

Of course, you can’t just use words from the dictionary or tricks like qwertyuiop or any other worthless passwords like 1234567890. Since the goal is to avoid things that are too simple, it’s best to use long passwords of 25 characters or more:

  • mypasswordiscaptainhook
  • strawberryisthebesticecreamflavor

Websites that limit passwords to 8 characters are weak. This is a telltale sign that they store passwords with no encryption (yep, because MD5/SHA1 hash codes are the same size no matter the password).

rule #3 is the lone exception

Using the same password for every website is just careless. It’s best to have a different password for each website: that’s what I do (yep, I’m a bit obsessive; just ask my wife). What does this strategy look like? Well, I have something like 136 different passwords in all. And don’t forget your little notebooks and password managers.

For those of you who still have some sense of sanity left, it’s a good idea to pool your passwords: 4 or 5 passwords for 4 or 5 different website groups (one for all news websites that do not use any personal data, another for websites that collect some sensitive data, etc.), and one special password for all sensitive websites.

conclusion

So maybe I’m going a bit against the grain here: it just might happen that a price will be put on my head and hundreds of agents from the CIA, FBI, and the NSA will be waiting for me outside the office. It’s true that I’m challenging the system a little, but isn’t security there to be challenged?

We need to throw out our antiquated rules, because that’s the only way to make progress! So chuck rules #1 and #2 in the garbage, but be sure to keep rule #3 in a safe place!

Jeff

photo credit: copyright Scanrail Fotolia.com

Jean-François Audenard

Au sein de la direction sécurité du Groupe Orange, je suis en charge de la veille sécurité et de la sensibilisation à la sécurité. Franchise, optimisme et bonne-humeur sont mes moteurs quotidiens