Wednesday, October 13, 2010

Practical Passwords

According to this article on Web password standards, I am one of the "stupid people" who maintain unsafe password practices. Here are some of the findings and my responses:

"4 in 10 respondents shared passwords with at least one person in the past year."
I haven't done this one, but I've encouraged my wife to give me a couple of her passwords to help debug some problems she's having. I don't think she's making a huge mistake here. How many of those 4 in 10 shared passwords with a trusted loved one?
"Nearly as many people use the same password to log into multiple Web sites, which could expose their information on each of the sites if one of them becomes compromised."
I use the same password all the time (I have about five that I generally use, across dozens of sites requiring a password). Sure, it's true that this means that if one site is compromised then others might be too. But the person getting that password would have to know which sites, and my usernames on those sites. That's not necessarily all that easy.
"Almost half of all users never use special characters (e.g. ! ? & #) in their passwords, a simple technique that makes it more difficult for criminals to guess passwords."
Not necessarily. Most use of special characters is in "133t" spelling: instead of your password being "password", it'll be "p455w0rd" or something like that. I've written dictionary attack software. Adding 133t spelling adds some words to check, but it's not that big a deal. It's true that a password like "5*(AJS*&1" is hard to crack, but then so is "jka82pma8". Furthermore, most sites lock you out after a small number of wrong guesses, so dictionary attacks aren't really very effective.
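As an added illustration (not code from the original post), this Python checker does what a password-strength check on the defending side would do with the point above: it maps "133t" spellings back to plain letters and tests them against a wordlist, and it counts how many spellings one wordlist entry gains from leet substitution. The wordlist and substitution table are constructed stand-ins, not taken from any real cracking tool.

```python
from itertools import product
import math

# Common "133t" substitutions, mapped back to the letters they can stand for.
# Some symbols are ambiguous ("1" is "l" or "i"), so several letters are listed.
DELEET = {
    "0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "+": "t",
}

# Reverse view: for each letter, the leet symbols that might be written in its place.
LEET_FORMS = {}
for _sym, _letters in DELEET.items():
    for _letter in _letters:
        LEET_FORMS.setdefault(_letter, []).append(_sym)

# Constructed stand-in for a real wordlist (a real one has millions of entries).
WORDLIST = {"password", "letmein", "monkey", "dragon", "baseball", "sunshine"}

MAX_READINGS = 4096  # stop enumerating if a candidate has too many possible readings


def is_leet_dictionary_word(candidate):
    """Return the wordlist entry the candidate is a leet spelling of, or None.

    Every leet symbol is read both as itself and as each letter it may stand
    for, so a candidate with k substitutable characters yields up to 3**k readings.
    """
    choices = [DELEET.get(ch, "") + ch for ch in candidate.lower()]
    if math.prod(len(c) for c in choices) > MAX_READINGS:
        return None  # too many readings to enumerate; do not claim a match
    readings = {"".join(r) for r in product(*choices)}
    matches = readings & WORDLIST
    return min(matches) if matches else None


def leet_expansion_count(word):
    """How many spellings (plain plus leet variants) one wordlist entry expands to."""
    return math.prod(1 + len(LEET_FORMS.get(ch, [])) for ch in word.lower())


if __name__ == "__main__":
    for pw in ("password", "p455w0rd", "jka82pma8", "5*(AJS*&1"):
        print(f"{pw!r:14} -> {is_leet_dictionary_word(pw)}")
    # Leet spelling multiplies the list by a modest constant per word, while a
    # random 9-character alphanumeric password has 36**9 possibilities.
    print("variants of 'password':", leet_expansion_count("password"))
    print("random 9-char alphanumeric space:", 36 ** 9)
```

"p455w0rd" is reported as a spelling of "password", while "jka82pma8" matches nothing; "password" expands to only 54 spellings under this table, which is the multiplier the post is describing.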
"30 percent [of young people] logged into a site requiring a password over public WiFi (vs. 21 percent overall)."
Again, this is no big deal... if you do it over SSL encryption. True, sending a password on an unencrypted public WiFi channel is risky. Don't do that. But your bank's Web site is SSL-encrypted, so don't worry about that.
"And 30 percent remember their passwords by writing them down and hiding them somewhere like a desk drawer."
No less a security guru than Bruce Schneier has endorsed this practice, and I completely agree. Hackers can't hack your desk, or your wallet. You're far better off having hard passwords written down in a fairly secure location than really bad passwords (e.g. "123456") that you can remember.

There are, of course, good password practices and bad. But I'm not convinced that surveys like this really reveal that people are as stupid as the survey's authors think (they may be, but not for the reasons put forth in the survey).

Having a different password for every site, as they recommend, is a wonderful idea. It's also totally impractical. They're also correct that using a single password for every site is a bad idea. The happy medium is to have a few passwords. Use one you can easily remember for all the stuff you don't care much about: Facebook, Slashdot, etc. Use a somewhat harder one for online stores (and don't trust any online store that makes it easy to retrieve your credit card number). And use your best one - maybe here it makes sense to go the "one per site" route - for online banking and brokerage accounts.

1 comment:

  1. Oh, god, don't get me started on passwords!

    I generally use the same one for most ordinary e-mail, etc. It's only moderately strong, a word and a number combination that only has significance to me.

    However, then there are the passwords I have for my job. The government has some really smart/stupid rules for passwords. My main one, fortunately, is used by several other government sites automatically. It's a combination of letters, numbers, and special characters, and must have at least 2 upper case, 2 lower case, 2 numbers, and 2 special characters. THEN, it has to be changed every 150 days, and the new password cannot be the same as any of your last 10 passwords (!). Just try to remember what your last 10 passwords were...

    So, every 5 months, I have to change my password, and usually have to try at least twice, since I'm bound to select one of my old variations first. On top of that, they send out an e-mail 30 days before the deadline, so many people probably change it then -- meaning, they wind up changing it every FOUR months, rather than five, three times a year instead of twice.

    However, the good news is that several government sites/applications use that password, and I use it every day, so I can remember even that bizarre number/letter combination. The problem (nightmare) comes when I have to deal with OTHER government sites/applications, that do not automatically use this password.

    Generally, I can't even set that password as my password for those sites, because they have different rules for their passwords -- such as, "must be exactly 14 characters", or, "must be changed every 30 days", or "cannot contain consecutively repeating characters". Since I use many of these sites only once in a while, memorizing the passwords is impossible, and I've had to use the "forgot password" option many times. One site even chose my password for me, e-mailed it to me, and it cannot be changed. I have that e-mail saved so that I can find that password, with a note, "Stupid automatic password that you can't change and can't possibly memorize".

    In my opinion, the government is making a big mistake with these password policies. In seeking to make things more secure, I believe in a way they are making them LESS secure. These ridiculous rules cause you to make unique passwords you cannot possibly remember (this is my opinion, as someone with a VERY good memory), and then people are FORCED to do exactly what the advisors all tell you not to do -- write the password down on a note somewhere.