Here's a little quiz. How many passwords do you have? How complex are your passwords? How do you remember your passwords?
Personally, I know more than 100 passwords. I remember passwords to all my accounts, all my computers, servers, databases and most of my clients' systems as well. As a general rule of thumb, the passwords I create are relatively complex and considerably strong. I use upper case, lower case, symbols, avoid dictionary words and have at least 8 characters in my passwords (at least the ones that matter). I do this because of the inherent belief that weak passwords are bad passwords: they are susceptible to brute force attacks.
But does that really matter in the long run? A newly published paper states that it's really not that important. The paper is easy to read and well worth it, but I'll summarize (and improvise) here.
Let's start with the first key problem with passwords: who are you supplying your password to, and how often do you reuse the same password?
Your password can be 102 characters, use every symbol and be generated by putting tape on a cat's foot and letting it run across your keyboard; if you use this password more than once you could be opening yourself up to a severe spanking, depending on where you use it.
Some sites still store your password in clear text. This means that, in their database, there is a simple string that holds your password, in all its 102 character, cat-induced glory. Any database admin (or maybe even a low-tech customer support rep or bored manager with too many privileges) can see what your password is (not to mention the ever so dangerous possibility that the site you are logging into can be hacked). And with a little bit of research, they can probably learn a lot about you and be able to use that password elsewhere (do you have the same user name in multiple places with that same password?). It is almost ALWAYS a bad idea to store passwords in plain text. But how can you tell if the application or web site you are using is storing your password in clear text? Simply put, you can't be sure, but if the site will send you your password to your email address, they are either storing your password in clear text or in a "two-way hash", i.e. reversible encryption (which is almost as bad).
So to avoid this possibility, you generate a new 100 character password, with all the bells and whistles, for every site you give your password to. The downside of this is that it's getting harder to remember your passwords (and your cat is starting to glare malevolently at you and your keyboard now). Even if you degrade it to 10 characters, it still starts to become tiresome to remember all your random passwords. So now you rely on other tools to remember your passwords for you. Maybe you save your passwords in your browser. Maybe you write them down on Post-it notes stuck to your screen. Whatever it is, you are a secure trooper, knowing that if one password is broken you will still be safe.
Unfortunately, now we enter the biggest threat to your passwords: Trojans, Viruses and Bears, oh my! (alright, not really bears).
Unlike the brand used for protection, a computer Trojan is one of the most detrimental things you can encounter in the online world (right up there with people who use smiley faces after every sentence). A key-logger Trojan will record every key, click and action you perform. This means it will record every site you go to and every password you enter for that site. It will then send that information off to its mother ship and before you know it, all your passwords are hacked. A virus can read all the passwords stored on your system and send them off.
So what does that tell us? First, it tells us that we really need good antivirus software on our computers. Second, it tells us that all our efforts at keeping our passwords secure can come to naught very easily.
This is the crux of the paper: adding strong password requirements only complicates users' lives and does little or nothing to ensure safety. In the end, if someone wants your password badly enough, chances are they can get it.
But service providers (aka web sites) should do something to help mitigate the damage. First, no one, and I mean no site ever, should use plain text, and should almost never use two-way hashes (reversible encryption) for passwords. Second, if using a one-way hash, they SHOULD use a strong one, as not all one-way hashes are created equal (I'm looking at you, MD5!). Third, all sites should implement a lockout feature for failed logins. This one aspect alone can pretty much eliminate online brute force attacks (unless, of course, someone gets hold of the database from the outside).
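As an added illustration of those three points (this is example code written for this post, not from the paper), here is a minimal credential store that never keeps the password itself, hashes it with a deliberately slow one-way function (PBKDF2-HMAC-SHA256 with a random per-user salt, rather than a fast hash like MD5), and locks the account after repeated failed logins. The class and constant names are this example's own assumptions; the iteration count and lockout window are illustrative.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000      # slow on purpose: limits offline guessing if the table leaks
MAX_FAILURES = 5          # lockout threshold for online guessing
LOCKOUT_SECONDS = 900     # how long the account stays locked


def hash_password(password: str, salt: bytes) -> bytes:
    # One-way, salted, iterated hash. The original password is never stored,
    # so the site cannot email it back to you (which is the point).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class CredentialStore:
    def __init__(self):
        # username -> {"salt", "hash", "failures", "locked_until"}
        self._users = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # fresh random salt per user
        self._users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                 "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str, now: float = None) -> str:
        # Returns "ok", "invalid" or "locked". 'now' is injectable for testing.
        now = time.time() if now is None else now
        rec = self._users.get(username)
        if rec is None:
            # Burn a hash anyway so an unknown username takes as long as a wrong password.
            hash_password(password, b"\x00" * 16)
            return "invalid"
        if now < rec["locked_until"]:
            return "locked"
        if hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return "invalid"
```

Note that the lockout only stops online guessing; if the table itself is stolen, the slow salted hash is what buys time, which is exactly the caveat in the last sentence above.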