Passwords – and what is secure enough?

As I returned to work this morning after ten days off, I took a moment to see if I could remember my password.  As it happens, I was successful and (unlike a few others) logged in first time.  But this got me thinking about passwords – and whether we set them sensibly.

If I can make a fundamental assumption that not everyone can remember long, complex passwords, then there are three basic areas I’d like to consider:

Appropriateness

Like pretty much everyone else, I have a variety of userids and passwords.  For example, I have one set for my bank, another for an online game, yet another for wordpress.  Would anyone disagree that the password which protects my money is more important than the one which guards an online game? Which should be more complex, and which should I protect more diligently?

The security level of the password used for any purpose should be commensurate with the damage which could be caused if it were compromised – more damage to my bank account than to a game which I could recreate, for example.

How, I hear you cry, can I determine the security level? I’m glad you asked …

Complexity or not

How complex does a password need to be? The million dollar question! Here are the things I consider when setting a password:

    • is there a lockout after a number of attempts? If so, how is it reset? A lockout makes attacking the account harder, so could the password be simpler?
    • can I use a mixture of cases, digits, and punctuation? The difference for an eight-character password is a factor of almost 25,000! So if I can have a mixed password then maybe I can have a shorter one?
    • how often do I need to type the password – so do I need one I can recall and type easily? That might limit my options.
    • attackers will try known sequences first (dictionary words, 3’s for E’s etc), so I need to try to be a little more inventive.
    • and finally complexity? There are many good articles on this subject, but put simply:
      • in a perfect world where an attacker has to try every password combination, there’s no such thing as “almost correct” with a password: it’s either right or it’s wrong.
      • is a memorable, but longer, password (eg fat….^8^….cat) more secure than a shorter random one (Njd7^5vTR{dk1i9)?

Overall security

Ultimately, if you can’t remember your password then you’ll be inclined to write it down, or maybe have the same password for everything (both hugely undesirable as one will weaken security, and the other renders every account vulnerable once one is compromised).

Remember that a hacker will use an automated guessing algorithm, so here are some stats:

  • six-character alphabetic password: online it can probably be cracked inside 2 days, and if the attacker has direct access to the system (ie an offline attack), then only a few seconds
  • eight-character password with a mixture of upper/lower case, digits, and punctuation: online cracking is probably infeasible at this point; offline might take a few hours.
  • something like fat….^8^….cat: infeasible to brute-force attack with any current technology – it would take too long.  However, that doesn’t mean it can’t be done – I’m just playing with statistics.
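To put numbers behind the two lists above (the factor gained by mixing character classes, the effect of a lockout, and the online versus offline timings), here is an added worked example; it is not code from the original post. The guess rates, the lockout policy and the character-class sizes (Python's `string` module sets: 26 lower, 26 upper, 10 digits, 32 punctuation) are assumptions chosen for illustration, so the exact factor and timings will differ from the post's figures, but the shape of the argument is the same. The last function scores the post's two sample passwords under the blind brute-force model of the "perfect world" bullet, which is precisely the model that ignores the dictionary-first behaviour the post warns about.

```python
import math
import string

# Alphabet sizes (assumption: Python's string module character classes).
LOWER_ONLY = len(string.ascii_lowercase)                                        # 26
MIXED = len(string.ascii_letters) + len(string.digits) + len(string.punctuation)  # 94

# Assumed guess rates in guesses per second; illustrative, not measured.
ONLINE_RATE = 1_000              # unthrottled network logins
OFFLINE_RATE = 100_000_000_000   # attacker holds the hashes, fast hardware


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(alphabet_size, length, guesses_per_second):
    """Expected time to hit a random password: on average half the keyspace."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def effective_rate_with_lockout(attempts_before_lockout, lockout_seconds):
    """Online guess rate when the account locks after N failures and the
    attacker can only wait lockout_seconds for the reset (assumed policy)."""
    return attempts_before_lockout / lockout_seconds


def human_duration(seconds):
    """Render seconds as the largest convenient unit, one decimal place."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def brute_force_bits(password):
    """Entropy a blind brute-force attacker faces if all they know is which
    ASCII character classes the password draws from (rule-of-thumb model;
    a dictionary or pattern attacker would do far better on 'fat...cat')."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    if alphabet == 0:
        raise ValueError("password uses no recognised ASCII character class")
    return len(password) * math.log2(alphabet)


def summary():
    """Collect the figures the post's two bullet lists talk about."""
    lockout_rate = effective_rate_with_lockout(5, 15 * 60)  # assumed: 5 tries / 15 min
    return {
        "mixed_vs_lower_factor_8_chars": keyspace(MIXED, 8) / keyspace(LOWER_ONLY, 8),
        "six_lower_online": expected_crack_seconds(LOWER_ONLY, 6, ONLINE_RATE),
        "six_lower_offline": expected_crack_seconds(LOWER_ONLY, 6, OFFLINE_RATE),
        "six_lower_online_with_lockout": expected_crack_seconds(LOWER_ONLY, 6, lockout_rate),
        "eight_mixed_online": expected_crack_seconds(MIXED, 8, ONLINE_RATE),
        "eight_mixed_offline": expected_crack_seconds(MIXED, 8, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        if name.endswith("factor_8_chars"):
            print(f"{name}: x{value:,.0f}")
        else:
            print(f"{name}: {human_duration(value)}")
    # The post's two sample passwords under the blind brute-force model
    # (three ASCII dots stand in for each ellipsis).
    for pw in ("fat...^8^...cat", "Njd7^5vTR{dk1i9"):
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits if brute-forced blindly")
```

Run as a script it prints the expected times under the assumed rates; the point to take from the lockout line is that a sensible lockout turns a "days" online attack into a "centuries" one without any change to the password itself, which is the trade-off the first bullet hints at. Note also that the two sample passwords score within a few bits of each other only under blind brute force; the moment the attacker tries dictionary words and common separators first, the memorable one loses most of that margin.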

So, what’s the answer? That’s the million dollar question, but I have derived a policy which works for me and which is (I think) simple enough for most people:

  • different ids and passwords for everything (this means that if a hacker breaks one account then that won’t give them access to any others)
  • easy to remember – but still complex to break – passwords for accounts where I need to type them regularly (which means I don’t have to write them down … or look them up)
  • a password “wallet” which remembers and replays the userids/passwords on my laptop – protected by a fearsomely complex password (which I only need to type once per session!) (saving my memory, improving security, potentially defeating keyloggers)

I have a feeling that this blog could be more contentious than almost any other as there is no right answer.

And please bear in mind that I’m not offering a solution, but rather positing some thoughts and questions to make people think from a slightly more informed base.

So, are you paranoid yet? And how will you select your next password?

And finally (for tech geeks) … for what it’s worth, three dots (…) in a password make it more secure against cracking via a rainbow table. But that does raise the question as to whether hackers will start testing multiple dots first.