Sunday, June 1, 2008

Passe Words

I was editing a database over a VPN connection the other day and was alerted that my password would expire in 12 days, and asked if I would like to change it now. I clicked "yes" and was given text fields to type my old password, my new password, and my new password again. This was not a new occurrence. I have changed my password before, but now I was reminded of how insane the concept of passwords and security has become today. Three rules, which I know in my gut help strengthen the security of information, actually worsen security when applied in practice to the general user in this day and age of digital information, web 2.0, and multiple email accounts.

Expiration date on passwords. Passwords now expire like milk and eggs. Who knew passwords could spoil? Some servers require that you change your password every 90 days. Some even sooner. Fortunately, many servers never require that you change your password at all. Imagine what madness it would be if you had to change all your email passwords, online banking and investment passwords, work-related program passwords, and the password for whatever else you have an online account with (theater tickets, electric bill, cable bill, phone bill, etc.) every 90 days! The benefit of changing your password is obvious. It's harder to hit a moving target. If the password changes frequently, a hacker only has so much time to figure out the password. And if you go by brute force, trying combinations of characters, you'd have to start over again each time the password changes. The problem is that people already have a hard time coming up with passwords, and this is made worse by the next two rules.

No repeat passwords. Passwords now must be retired like an aging 007. Right now the rule prohibits users from reusing their last 3 to 5 passwords. Quite irksome. That will at least triple the number of passwords you need to think up. I know that most people are like me--lazy. They won't have a totally different password for everything. Passwords are reused from site to site so they can be remembered. So maybe it's not such a big deal to come up with a new password a couple of times a year. I can always change a '1' to a '2' or a '0' to an 'O', or add a '.' to the end of the password. I'll just have to remember what I changed. Too bad I can barely remember to take my multivitamin every night.

Special characters for "strong" passwords. Really? Special characters? Now a strong password is considered one that is at least 8 characters long and contains upper and lower case letters, numerals, and special characters like an ampersand or umlaut. If you could come up with such a miraculous password, it would indeed be quite strong. Who would guess that your gmail password is 'Prk)8639' other than a brute force guessing machine? No one, really. And that includes you, if you forget it. For a higher level of security you risk a much higher rate of password resets. I'm not sure that's really an improvement in security, then.

Another way of looking at "strong" passwords is from a purely mathematical point of view. If you had to create a 3 digit code, you would have 1000 codes to choose from--0-9 for each of the three digits. But what if I told you that in order to have a "strong" code, you had to have a number between 0-3 and a number between 6-9? Now you don't have 1000 codes to choose from--you have 672. You actually have fewer codes to choose from, and from a hacker's perspective, fewer codes to try. Of course, when you talk about all the keys on a keyboard with upper and lower case included, there are an incredible number of combinations, and forcing the inclusion of certain characters should not reduce the number of combinations by any great number. But I don't like my options restricted. Is "prk)8639" a weaker password than "Prk)8639"? Or even "prk8639"? I believe that these restrictions are mostly designed to prevent people from creating passwords like "ilovejohn" or "221bbaker". It's very easy to use people's personal information to guess their password.
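As an added example, not part of the original post: counting how many codes satisfy a composition rule of the kind described above, by brute enumeration for the 3-digit case and by inclusion-exclusion for an 8-character keyboard policy (upper, lower, digit and special all required). The 94-character keyboard alphabet is an assumption; expressing the loss in bits rather than in raw count shows how much such a rule actually shrinks the search space.

```python
from itertools import product
from math import log2

# Assumed alphabet: a US keyboard with 26 lower, 26 upper, 10 digits and
# 32 printable special characters (94 printable ASCII symbols in total).
LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 32


def count_by_enumeration(alphabet, length, required_sets):
    """Brute force: count every code of `length` over `alphabet` that contains
    at least one character from each set in `required_sets`."""
    return sum(
        1 for code in product(alphabet, repeat=length)
        if all(any(ch in s for ch in code) for s in required_sets)
    )


def count_by_inclusion_exclusion(alphabet_size, required_sizes, length):
    """Closed form: total codes minus those missing at least one required class,
    using inclusion-exclusion over subsets of the (disjoint) required classes."""
    n = len(required_sizes)
    total = 0
    for mask in range(1 << n):
        missing = sum(required_sizes[i] for i in range(n) if mask >> i & 1)
        sign = -1 if bin(mask).count("1") % 2 else 1
        total += sign * (alphabet_size - missing) ** length
    return total


def toy_code_space():
    """The post's 3-digit rule: at least one digit from 0-3 and one from 6-9.
    Both methods must agree; the enumeration is cheap (only 1000 codes)."""
    by_enum = count_by_enumeration("0123456789", 3, [set("0123"), set("6789")])
    by_ie = count_by_inclusion_exclusion(10, [4, 4], 3)
    assert by_enum == by_ie
    return by_enum


def keyboard_policy_loss(length=8):
    """Fraction of all `length`-character keyboard strings that satisfy the
    'upper + lower + digit + special' rule, and the equivalent loss in bits."""
    alphabet = LOWER + UPPER + DIGIT + SPECIAL
    allowed = count_by_inclusion_exclusion(alphabet, [LOWER, UPPER, DIGIT, SPECIAL], length)
    fraction = allowed / alphabet ** length
    return fraction, log2(1 / fraction)


if __name__ == "__main__":
    print("3-digit codes meeting the toy rule:", toy_code_space())
    frac, bits = keyboard_policy_loss()
    print(f"8-char keyboard policy keeps {frac:.1%} of the space ({bits:.2f} bits lost)")
```

The 8-character policy turns out to cost only about one bit of keyspace, which is why the length of the password matters far more than which character classes it is forced to contain.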

So where does that leave us? I think that following the rules will result in people writing down their passwords. There is no way that the average user can remember several "strong" passwords that are changed every several months. And if more servers require these password rules, it'll only get harder. Doesn't writing down your passwords negate the security? Of course it does. But the servers will ridiculously recommend that you keep your written passwords in a safe place that only you know about. How vague and third-grade-ish is that? Instead of trying to figure out which of several trillion or more passwords yours could be, one only needs to find the piece of paper you've written it on and stealthily hidden under your mousepad. Or better yet, you could put that piece of paper in a safe that requires a key. No combination locks, or you're liable to forget that, too. Just don't lose your keys.

For now, I'll struggle with the "strong" passwords. But if I don't have to use them, it's "123" or "admin" or "god" all the way. Is anyone really naive enough to use those passwords anyway?