The world of the public company has gone a little nuts over password policies. I am often urged to have complex passwords that are also long. The common mandate is at least one lower case letter, one upper case letter, a number and a special character. Have a minimum length of 8, they tell me. Force users to change passwords every 30 days.
This strikes me as TSA security theater. It sounds good. It looks secure. But it is not, and it is a huge burden on people.
There is no such system that a user can't and won't game. You end up with passwords like P@ssword123.
There are three vulnerabilities with respect to passwords:
- They can be guessed easily by someone.
- They can be observed by shoulder surfing or captured with a key capture device.
- They can be brute force compromised.
Let's look at each one of these:
Passwords Which Can Easily Be Guessed

Passwords Which Can Be Observed
If someone is using a keycatcher on your keyboard connection then they're going to capture your password no matter how complex it is. On the other hand, if you have a "complex" password chances are you won't be able to rapidly touch type it. So ironically, complex passwords are more susceptible to shoulder surfing, as you single finger it.
Passwords Which Can Be Brute Force Cracked
Any password can be cracked this way. Any password. The difference is that some can be cracked in a matter of minutes where others would take years.
And the key difference between the easy and the hard-to-crack ones? Length. That's it. You don't need a complex password, you need a long one. It's the exponent that's important: the number of possible passwords is the alphabet size raised to the power of the length. If your password consists of only the 26 lower case letters but is 15 characters long, you have a very strong password. If you put a penny on the first square of a chessboard, then two pennies on the next, then four, eight, 16, 32, 64... by the time you reach the last square you'll have 2 to the 64th power minus one pennies in total. That's vastly more money than exists in the global economy.
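To put numbers on the exponent argument, here is an added example (my code, not from the post) that computes the keyspace and bit strength of a few password shapes and the average exhaustive-search time at an assumed guess rate. The 95-symbol alphabet size and the 10^10 guesses-per-second rate are assumptions for illustration, not figures from the post.

```python
import math

# Alphabet sizes used in the estimates below. These are the usual printable
# ASCII counts and are assumptions for this example, not figures from the post.
LOWER = 26
FULL = 26 + 26 + 10 + 33  # lower + upper + digits + printable punctuation = 95


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def bits(alphabet_size: int, length: int) -> float:
    """Size of the search space in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Mean time for exhaustive search to hit the right password: half the space."""
    return space / 2 / guesses_per_second


def pennies_on_chessboard() -> int:
    """1, 2, 4, ... pennies on 64 squares: the total is 2**64 - 1."""
    return sum(2 ** square for square in range(64))


def compare(guesses_per_second: float = 1e10) -> dict:
    """Compare an 8-char 'complex' password with 15- and 20-char lowercase ones.

    The guess rate is an assumed round number for illustration; real rates
    depend on the hash function and the attacker's hardware.
    """
    cases = {
        "8 chars, full 95-symbol set": (FULL, 8),
        "15 chars, lowercase only": (LOWER, 15),
        "20 chars, lowercase only": (LOWER, 20),
    }
    report = {}
    for label, (alphabet, length) in cases.items():
        space = keyspace(alphabet, length)
        seconds = expected_crack_seconds(space, guesses_per_second)
        report[label] = {
            "bits": round(bits(alphabet, length), 1),
            "years": seconds / (365.25 * 86400),
        }
    return report


if __name__ == "__main__":
    for label, row in compare().items():
        print(f"{label:30} {row['bits']:6.1f} bits  ~{row['years']:.3g} years")
    print("pennies on the chessboard:", pennies_on_chessboard())
```

At the assumed rate the 8-character "complex" password falls in days while the 15-letter lowercase one takes thousands of years; the 15 lowercase letters give roughly 71 bits against 53 for the 8 mixed characters, which is the whole point of the paragraph above.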
Brute-force tools now also try the common tricks people use to cope with the onerous requirements: substituting an '@' for 'a', a '3' for 'e', zeroes for 'o's, and so on. So P@$$W0rd will be cracked by a simple cracker running on a laptop in a matter of minutes.
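An added example (not from the post) of the defensive side of this: a strength checker that undoes the usual substitutions before comparing a candidate against a word list, and counts how few spellings the substitution trick actually adds to one base word. The substitution table and the word list are small constructed samples; a real checker would use a breached-password list and a larger table.

```python
import math

# Substitutions people commonly make to satisfy "complexity" rules.
# Constructed sample table for the example; a real checker would use a larger one.
LEET = {
    "@": "a", "4": "a",
    "3": "e",
    "1": "i", "!": "i",
    "0": "o",
    "$": "s", "5": "s",
    "7": "t", "+": "t",
}
TRAILING_JUNK = "0123456789!@#$%^&*"

# Tiny stand-in for a dictionary / known-bad-password list (constructed).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "football"}


def unleet(text: str) -> str:
    """Map each substituted character back to the letter it usually stands for."""
    return "".join(LEET.get(ch, ch) for ch in text.lower())


def base_words(candidate: str) -> set:
    """Possible base words behind a mangled password: with and without the
    trailing digits/symbols people bolt on to satisfy a policy."""
    return {unleet(candidate), unleet(candidate.rstrip(TRAILING_JUNK))}


def is_mangled_dictionary_word(candidate: str) -> bool:
    """True if the password is just a word from the list in disguise."""
    return any(word in COMMON_WORDS for word in base_words(candidate))


def variant_count(word: str) -> int:
    """How many spellings the substitution table plus first-letter capitalisation
    can produce from one base word. A small number means 'complexity' added little."""
    choices = {}
    for sub, letter in LEET.items():
        choices.setdefault(letter, {letter}).add(sub)
    total = 2  # first letter upper or lower case
    for ch in word.lower():
        total *= len(choices.get(ch, {ch}))
    return total


def added_bits(word: str) -> float:
    """Bits of strength the substitutions add on top of guessing the base word."""
    return math.log2(variant_count(word))


if __name__ == "__main__":
    for pw in ["P@$$W0rd", "P@ssword123", "Summer2019!", "IHaveADogNamedHector"]:
        print(f"{pw:22} word in disguise: {is_mangled_dictionary_word(pw)}")
    print(f"'password' has {variant_count('password')} leet/case variants "
          f"(~{added_bits('password'):.1f} bits)")
```

With this table "password" has only 108 disguises, under 7 bits on top of the word itself, which is why a policy that demands symbols and digits gets P@$$W0rd rather than strength.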
So, some recommendations:
Regrettably, there are plenty of sites and systems which limit your password length. So, like TSA security, insisting that it is "complex" but limiting the password to between 6 and 10 characters in length actually results in vulnerable passwords like P@$$word. But for those that allow it, pick a longish phrase and type it as a single string. If you really want, capitalize the first letters.
Common advice is to NOT use pets' names and to NOT use words in the dictionary. But... I have a dog named Hector. IHaveADogNamedHector violates both of those rules, yet at 20 characters long it is astonishingly strong. And I can touch type it quickly, so no shoulder surfing. It may not even stand out on a keylogger. It would take years for current technology to crack this.
And best of all, I can remember it. There is no need to write it down.
Look at Diceware and you come to realize that even using a published list of a few thousand words can result in strong passwords, so long as the words are randomly selected (hence the dice) and there are enough of them.
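An added example (not from the post or from the Diceware project) of the mechanism described above: dice rolls from a CSPRNG pick words from a list, and the strength follows from the list size and the word count, not from the words being secret. The 36-word list is a constructed stand-in for the real 7776-word list.

```python
import math
import secrets

# Constructed stand-in for a Diceware list. The published lists have 6**5 = 7776
# words, one per roll of five dice; this demo uses 36 words (two dice) so it fits here.
DEMO_WORDS = [
    "acorn", "badge", "cabin", "daisy", "eagle", "fable",
    "gavel", "habit", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "ocean", "pearl", "quilt", "radar",
    "salsa", "tiger", "ultra", "vivid", "waltz", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "delta",
    "ember", "flint", "gecko", "hazel", "ivory", "jumbo",
]
DEMO_DICE = 2  # 6 ** 2 == 36 == len(DEMO_WORDS)


def roll(n_dice: int) -> int:
    """Roll n_dice fair dice with the OS CSPRNG and read them as a base-6 index."""
    index = 0
    for _ in range(n_dice):
        index = index * 6 + secrets.randbelow(6)
    return index


def passphrase(n_words: int, wordlist=DEMO_WORDS, dice_per_word: int = DEMO_DICE) -> str:
    """Pick n_words uniformly at random and run them together with the first
    letters capitalised, as the post suggests. Each word is chosen independently,
    so the strength comes from list size and word count, not from 'unusual' words."""
    if len(wordlist) != 6 ** dice_per_word:
        raise ValueError("wordlist size must be 6 ** dice_per_word")
    return "".join(wordlist[roll(dice_per_word)].capitalize() for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """Bits of entropy in a passphrase of n_words drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(passphrase(5))
    for n in (4, 5, 6):
        print(f"{n} words from a 7776-word list: {entropy_bits(n, 7776):.1f} bits")
```

Five words from the full list give about 65 bits and six about 78, even though an attacker can download the same list; the list being public is the point, and only the dice are secret.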
ThisTableIsBrown. ILikeFridayNightLights. Looking at a travel brochure now, LifetimeLearningFromMichelangelo. All fine passwords, much stronger than an 8 character "complex" one.
Some other advice:
- If you have to write them down, write them down in some sort of coded format and keep that in your wallet. I have never once lost my wallet. And if I did, I'd have a whole protocol to go through to cancel credit cards, etc. So if my bank password IHaveADogNamedHector is written down as B:dog, that'll be good enough for me but worthless to others.
- With all of the crazy requirements for passwords, there is a temptation to use the same master password across multiple systems. Resist that temptation. If your Facebook password gets compromised, you don't want that to also be your online banking password!
- You can always go with a password manager like LastPass. For some reason, I just can't get past trust issues with these. I know that RSA (and Sony and Dropbox and Yahoo and many others) was compromised not so long ago, so I'm not sure that my paranoia isn't justified. Still, many people find this to be the ideal. You have a master password; make sure to make that one insanely secure (LastPass will tell you what percentage secure it thinks it is). Then you can have LastPass generate passwords and store them. When you go to a secure site (say your bank), and assuming you've authenticated to LastPass, it logs you in automatically.