I’ve written here on several occasions about the problems of passwords as a user authentication mechanism, especially as the sole authentication mechanism. When confronted with the necessity of choosing a password, many users make eminently lousy choices. Examination of some actual password lists that have been hacked reveals a large number of passwords like ‘password’, ‘123456’, ‘qwerty123′, and the like. Many thousands of words have been written in attempts to teach users how to choose “good” passwords. Many Web sites and enterprises have password policies that impose requirements on users’ passwords; for example, “must contain a number”, or “must have both lower- and upper-case letters”. It is not clear that these help all that much; if they are too cumbersome, they are likely to be circumvented.
The Official Google Blog has a recent post on the topic of password security, which contains (mostly) some very good advice. The main suggestions are:
- Use a different password for each important service This is a very important point. Many people use the same password for multiple Web sites or services. This is a Real Bad Idea for important accounts: online banking or shopping, sites that have sensitive data, or E-mail. It’s really essential that your E-mail account(s) be secure; the “I forgot my password” recovery for most sites includes sending you a new access token by E-mail. If the Bad Guys can get all your E-mail, you’re hosed.
- Make your password hard to guess Don’t pick obviously dumb things like ‘password’. Avoid ordinary words, family names, common phrases, and anything else that would be easy to guess. The best choice is a long, truly random character string. Giving specific rules or patterns for passwords is not a good idea; paradoxically, these can have the effect of making the search for passwords easier. (I’ll have more to say about this in a follow-up post.)
- Keep your password somewhere safe Often, people are exhorted never to write their passwords down. This is one of those suggestions that can actually be counter-productive. If having to remember a large number of passwords is too difficult, the user is likely to re-use passwords for multiple accounts, or choose simple, easily guessed passwords. It’s better to use good passwords, and write them down, as long as you keep in mind Mark Twain’s advice: “Put all your eggs in one basket, and watch that basket!”† You could, for example, write passwords on a piece of paper you keep in your wallet. Most of us have some practice in keeping pieces of paper in our wallets secure.
- Set a recovery option If you can, provide a recovery option other than the so-called “secret questions” that many sites use. A non-Internet option, like a cell phone number, is good because it’s less likely to be compromised by a computer hack.
All of this is good advice (and Google has been giving it for some time). There is also a short video included in Google’s blog post that gives advice on choosing a good password, but part of that advice is a bit troubling. The video starts off by saying, very sensibly, that one should not choose dictionary words or keyboard sequences (like ‘qwerty’). It goes on to recommend starting with a phrase (in itself, OK), and then modifying it with special characters. The example used starts with the phrase:
and turns it into:
The problem with this is that this sort of substitution (sometimes called ‘133t speak’) is very well known. There are password cracking tools that try substitutions like this automatically. More generally, you don’t want to introduce any kind of predictable pattern into your password choices, even if it’s one that you, personally, have not used before. Hackers can analyze those lists of leaked passwords, too. Avoiding predictability is harder than it sounds; I’ll talk more about that in a follow-up post.
† from Pudd’nhead Wilson, Chapter 15