Password Angst Again, Part 1

June 1, 2013

I’ve written here on several occasions about the problems of passwords as a user authentication mechanism, especially as the sole authentication mechanism.  When confronted with the necessity of choosing a password, many users make eminently lousy choices.  Examination of some actual password lists that have been hacked reveals a large number of passwords like ‘password’, ‘123456’, ‘qwerty123′, and the like.  Many thousands of words have been written in attempts to teach users how to choose “good” passwords.  Many Web sites and enterprises have password policies that impose requirements on users’ passwords; for example, “must contain a number”, or “must have both lower- and upper-case letters”.  It is not clear that these help all that much; if they are too cumbersome, they are likely to be circumvented.

The Official Google Blog has a recent post on the topic of password security, which contains (mostly) some very good advice.  The main suggestions are:

  •  Use a different password for each important service  This is a very important point.  Many people use the same password for multiple Web sites or services.  This is a Real Bad Idea for important accounts: online banking or shopping, sites that have sensitive data, or E-mail. It’s really essential that your E-mail account(s) be secure; the “I forgot my password” recovery for most sites includes sending you a new access token by E-mail.  If the Bad Guys can get all your E-mail, you’re hosed.
  • Make your password hard to guess Don’t pick obviously dumb things like ‘password’.  Avoid ordinary words, family names, common phrases, and anything else that would be easy to guess.  The best choice is a long, truly random character string.  Giving specific rules or patterns for passwords is not a good idea; paradoxically, these can have the effect of making the search for passwords easier.  (I’ll have more to say about this in a follow-up post.)
  • Keep your password somewhere safe Often, people are exhorted never to write their passwords down.  This is one of those suggestions that can actually be counter-productive.  If having to remember a large number of passwords is too difficult, the user is likely to re-use passwords for multiple accounts, or choose simple, easily guessed passwords.  It’s better to use good passwords, and write them down, as long as you keep in mind Mark Twain’s advice: “Put all your eggs in one basket, and watch that basket!”† You could, for example, write passwords on a piece of paper you keep in your wallet.  Most of us have some practice in keeping pieces of paper in our wallets secure.
  • Set a recovery option  If you can, provide a recovery option other than the so-called “secret questions” that many sites use.  A non-Internet option, like a cell phone number, is good because it’s less likely to be compromised by a computer hack.

All of this is good advice (and Google has been giving it for some time). There is also a short video included in Google’s blog post that gives advice on choosing a good password, but part of that advice is a bit troubling. The video starts off by saying, very sensibly, that one should not choose dictionary words or keyboard sequences (like ‘qwerty’).  It goes on to recommend starting with a phrase (in itself, OK), and then modifying it with special characters.  The example used starts with the phrase:


and turns it into:


The problem with this is that this sort of substitution (sometimes called ‘133t speak’) is very well known.  There are password cracking tools that try substitutions like this automatically.  More generally, you don’t want to introduce any kind of predictable pattern into your password choices, even if it’s one that you, personally, have not used before.  Hackers can analyze those lists of leaked passwords, too.  Avoiding predictability is harder than it sounds; I’ll talk more about that in a follow-up post.


† from Pudd’nhead Wilson, Chapter 15

Cyber Security Awareness Month

October 1, 2012

It has become customary, in the last few years, to designate October as National Cyber Security Awareness Month [NCSAM].  The aim of the event is to increase awareness of security issues, and good security practices, not just among technical people but among computer users in general.  Cyber security is a little like fire safety; if your neighbor’s house or property is a serious fire hazard, it affects you, too.   Similarly, if your neighbor’s or colleague’s machine is made part of a botnet, or gets a nasty malware infection, it puts others at risk, also.  The event is sponsored by the National Cyber Security Alliance, a consortium of tech and financial companies, educational institutions, and government agencies, also aims to promote the concept of cyber security as a shared responsibility.

The good folks at the SANS Internet Storm Center [SANS ISC] are planning to present a special diary (=blog) post every day on the theme of “Standards and Security”, to mark the month.  Although these posts will be at least somewhat technical, SANS also has its own awareness site, called Securing the Human.  (I wrote about this site back when it was launched, in late 2010; as I observed at the time, many security problems are characterized by the acronym PEBKAC: Problem Exists Between Keyboard And Chair.)   The site also offers a free security awareness newsletter, called OUCH!.  They will also feature some security webcasts during the month; see the main SANS ISC site for details.

This month, Random Walks will have a button linked to the main NCSAM page, and I will also try to focus on security topics that are of special importance to end users.  If you are a system or network admin, I encourage you to do likewise.

%d bloggers like this: