Monday, June 8, 2009

Secure Passwords

In many organizations, there is a policy requiring strong passwords. Of course this drives password users crazy, because it eliminates 99% of what they were thinking of using.
In the beginning, computers relied on passwords to ensure that users were who they said they were. Sure, anyone can claim to be Bob from Accounting, but only Bob knows Bob's password. That Bob's password was usually something that could be gleaned from reading his file in the human resource department didn't matter to anyone.
Then people realized that making the password your birth date, middle name, or pet's name allowed anyone with minor knowledge of you to impersonate you, which was a security breach. So length requirements were implemented, along with requirements for mixed character types (letters AND numbers) and a dictionary of common passwords, none of which you could use. This made passwords less guessable, but more likely to wind up written on a post-it note on Bob's terminal.
Now while the post-it note is bad for security, all security tends to be null and void if you get physical access to Bob's terminal in the first place, so I suppose it can be allowed to slide if Bob conceals it carefully.
Sometimes there are breaches in security. Somebody who saw Bob's post-it note gets fired and has a grudge against the company. Somebody malicious figures out that Bob's password is his cat's name with the "i" changed to a "1". When this happens Bob's password has to be changed, quick. Since you never know when this will happen, many organizations require passwords to be changed periodically. Old knowledge is now useless knowledge.
Now let's say that YOU'VE just been hired, and you need a new password. The options are driving you crazy. How do you make a strong password?
Let's use acronyms. Take a song lyric or poem that you really like, and take only the first letters. Substitute a few letters with numbers that look vaguely like them, and capitalize some of them. Now you have a rather strong password that you remember easily. As an example:

Yesterday
all my troubles seemed so far away
Now it looks as if they're here to stay
oh I believe in yesterday
-- The Beatles

This turns to: "yamtssfanilaithtsoIbiy". We capitalize randomly: "yamTsSfanilAithtSoIbiy", and then do some numerical substitution: "yamTsSf4ni7A1thtS0Ibiy". If you then insert or substitute a punctuation mark, "yamTsSf4n!7A1thtS0Ibiy", you now have an easily remembered, strong, impossible to guess password. It is meaningless to pretty much anybody except you.
Now if this sounds like way too much work, you could use the strong password generator to make a strong password, including a little mnemonic to help you remember it. But that kind is more likely to wind up on the post-it note, which is not a good idea.
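
A policy check of the kind described above (length, mixed letters and numbers, dictionary of common passwords), as an added example that is not part of the original post. The minimum length, the dictionary entries and the cat's name "Snickers" are constructed assumptions; the check undoes the look-alike substitutions before the dictionary lookup, so a cat's name with the "i" changed to a "1" is rejected while the lyric acronym passes.

```python
import re

# Constructed sample data: a tiny stand-in for a real dictionary of common
# passwords and personal details (names, pets) of the kind found in an HR file.
DICTIONARY = {"password", "letmein", "snickers", "yesterday", "bob"}

# Reverse mapping for the look-alike substitutions used in the post's example.
LEET = str.maketrans({"4": "a", "1": "i", "!": "i", "0": "o", "7": "l"})

MIN_LENGTH = 8  # assumed policy value, not taken from the post

LYRIC = """Yesterday
all my troubles seemed so far away
Now it looks as if they're here to stay
oh I believe in yesterday"""


def acronym(text):
    """First letter of every word, as in the 'Yesterday' example."""
    return "".join(word[0] for word in re.findall(r"[A-Za-z']+", text))


def candidates(password):
    """Forms to look up: substitutions undone, with and without a
    trailing run of digits or punctuation (e.g. an appended year)."""
    low = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)
    return {low.translate(LEET), stripped.translate(LEET)}


def check(password):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs letters and numbers")
    if candidates(password) & DICTIONARY:
        problems.append("dictionary word after undoing substitutions")
    return problems


if __name__ == "__main__":
    for pw in ("Sn1ckers", "yesterday", "yamTsSf4n!7A1thtS0Ibiy"):
        print(pw, "->", check(pw) or "accepted")
```

Undoing the substitutions on the final password gives back the plain acronym, so what the dictionary check cannot match is the acronym itself, not the character swaps.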
