Sunday, April 22, 2012

Password Rules Explained

So you pull up a really cool web site, or what you think will be a cool web site, only to realize you can’t get to anything without creating an account.  Ok, you really want to get into the site because it’s where all the cool kids are, so you start creating an account.  After trying a bunch of different usernames, you finally find one that isn’t taken.  Almost there, you think.  It’s easy sailing now.  You enter a really simple password and a popup appears with a ridiculously complex list of reasons why your choice is too weak to use as a password.  Reasons like: a password must be X characters long, with so many lowercase, so many uppercase, so many special characters, so many numbers, and no words from any dictionary in any language.  What?? But you really want to get into that site, so you keep trying all kinds of crazy combinations until you find one that works.  By that time, you probably can’t even remember why you wanted into the site so badly in the first place.

Then, after getting hooked on the site and finally reaching the point where you remember your password and type it correctly on the first try, you get the popup saying it’s time to change your password.  Arghh!  Oh, and by the way, you can’t use any of the 6 passwords you previously used.  Yep, and remember not to type that new password wrong too many times or your account will be locked.  Sound familiar?

It seems like all of a sudden there are a lot of crazy rules for passwords.  Here are a few simple explanations of some of the more common rules:

Password must be X characters long:  It’s a fact that shorter passwords are easier to crack because there are fewer possible combinations.  Say the available character set for a 4-character password is 10 numeric characters, 0-9.  That’s a basic ATM PIN.  The number of possible combinations is 10,000. It would take a little time to try all those combinations, but not an impossible amount.  Now if the password length is increased to 8 characters, using the same 0-9 character set, the possible combinations jump up to 100,000,000.  Still not impossible to try, but much more time consuming.

Passwords must contain a combination of uppercase, lowercase, numeric and special characters:  Adding more characters to the set a password can be built from greatly increases the number of possible passwords.  Expanding on the above example, growing the character set from the 10 digits to 36 characters by adding just the 26 single-case alphabetic characters increases the number of possible passwords to 1,679,616 for a 4-character password and way up to 2,821,109,907,456 for an 8-character password.
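The arithmetic behind the last two rules is simply (size of character set) raised to (password length). The following is an added example, not code from the original post, that carries that calculation through for the post's two character sets and extends it to mixed-case and full printable-ASCII sets; the guess rates used for the time estimates are assumptions chosen for illustration, not measurements.

```python
"""Keyspace arithmetic behind the "X characters long" and "mix of character
classes" password rules: keyspace = charset_size ** length.
"""

# Character-set sizes. "digits" and "digits+lower" are the post's own examples;
# the other two extend them. 95 is the count of printable ASCII characters.
CHARSETS = {
    "digits": 10,
    "digits+lower": 36,
    "digits+lower+upper": 62,
    "digits+lower+upper+special": 95,
}

# Assumed guess rates (guesses per second) for the time estimates only.
ASSUMED_RATES = {
    "slow online guessing": 1_000,
    "offline cracking": 1_000_000_000,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be at least 1")
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in the keyspace at a fixed rate."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return keyspace(charset_size, length) / guesses_per_second


def format_duration(seconds: float) -> str:
    """Render a duration with the largest unit that fits (one decimal place)."""
    units = [("years", 365 * 86_400), ("days", 86_400), ("hours", 3_600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def summarize(lengths=(4, 8, 12)) -> list[dict]:
    """One row per (character set, length): keyspace plus time-to-exhaust at each rate."""
    rows = []
    for set_name, size in CHARSETS.items():
        for length in lengths:
            row = {"charset": set_name, "length": length, "keyspace": keyspace(size, length)}
            for rate_name, rate in ASSUMED_RATES.items():
                row[rate_name] = format_duration(seconds_to_exhaust(size, length, rate))
            rows.append(row)
    return rows


if __name__ == "__main__":
    for row in summarize():
        print(f"{row['charset']:<28} len={row['length']:<3} "
              f"keyspace={row['keyspace']:>26,}  "
              f"online={row['slow online guessing']:<14} offline={row['offline cracking']}")
```

Running it reproduces the post's figures (10,000 and 100,000,000 for digits; 1,679,616 and 2,821,109,907,456 once letters are added) and shows why length matters more than character-set size: each extra character multiplies the keyspace by the set size, while widening the set only changes that multiplier.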

Passwords must not be words that appear in a dictionary:  Using large character sets with longer password lengths leads to a huge number of possible passwords.  Since it would take a ridiculous amount of time to generate and try every possible character combination, password cracking tools start by checking against lists of common words.  Some tools rank words by popularity, under the assumption that certain words are used in passwords more often than others.  Using character combinations that don’t resolve to known, common words helps defeat this type of guessing.

Passwords should be changed on a regular basis:  This is one that a lot of people have trouble understanding.  Why go through the hassle of changing a good password?  It’s simple.  How do you know if somebody has compromised your password?  You probably don’t.  By changing a password, you close the door to those who may have compromised the previous password, and if they want access back, they have to work at it more.

Passwords shouldn’t be reused:  Changing a password regularly is good, unless the same few passwords are used over and over.  Since you don’t really know if a password was compromised, once it’s no longer used, it should remain that way.  Otherwise, anyone else who may have known your password just has to be patient, and eventually, when you reuse that password, they will regain access to your account.

Accounts should be locked or disabled after a set number of consecutive failed attempts:  This is simply to prevent brute-force password guessing.  Even temporarily locking the account after 5 failed attempts really slows down the guessing process.
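To show how much a temporary lockout slows down online guessing, here is an added example (not code from the original post) of a minimal lockout tracker: five consecutive failures lock the account for a fixed period, a correct password during the lock is still rejected, and the counter resets once the lock expires. The 15-minute lock period, the account name and the sequence of login attempts are all constructed for illustration.

```python
"""Temporary account lockout after N consecutive failed logins, and the
resulting upper bound on how many guesses an attacker can make per day.
"""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 5      # the post's example threshold
    lock_seconds: int = 900    # assumed 15-minute lock period


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success/unlock
    locked_until: float = 0.0  # timestamp (seconds); 0.0 means not locked


class LoginGuard:
    """Tracks per-account failure counts and enforces the lockout policy."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict[str, AccountState] = {}

    def attempt(self, username: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'fail' or 'locked' for one login attempt at time `now`."""
        state = self.accounts.setdefault(username, AccountState())
        if now < state.locked_until:
            # Still locked: reject without even evaluating the password.
            return "locked"
        if state.locked_until:
            # Lock has expired: start a fresh window.
            state.failures = 0
            state.locked_until = 0.0
        if password_ok:
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.policy.max_failures:
            state.locked_until = now + self.policy.lock_seconds
            return "locked"
        return "fail"


def max_guesses_per_day(policy: LockoutPolicy) -> int:
    """Upper bound on online guesses per day: max_failures per lock window."""
    windows_per_day = 86_400 / policy.lock_seconds
    return int(policy.max_failures * windows_per_day)


# Constructed attempt stream: (username, password correct?, seconds since start).
# Five wrong guesses in a row, then the right password during the lock,
# then the right password again after the lock has expired.
ATTEMPTS = [
    ("alice", False, 0), ("alice", False, 1), ("alice", False, 2),
    ("alice", False, 3), ("alice", False, 4),
    ("alice", True, 5),      # correct, but the account is locked
    ("alice", True, 905),    # lock expired, login succeeds
]


def run(attempts=ATTEMPTS, policy: LockoutPolicy = LockoutPolicy()) -> list[str]:
    guard = LoginGuard(policy)
    return [guard.attempt(user, ok, when) for user, ok, when in attempts]


if __name__ == "__main__":
    for (user, ok, when), outcome in zip(ATTEMPTS, run()):
        print(f"t={when:>4}s {user} password_ok={ok!s:<5} -> {outcome}")
    print("max online guesses per day:", max_guesses_per_day(LockoutPolicy()))
```

With the default policy an attacker gets at most 5 guesses every 15 minutes, about 480 per day, against the keyspaces discussed above; the trade-off is that a lockout also blocks the legitimate user, which is why this example makes it temporary rather than permanent.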

Each of the above rules is only marginally effective on its own, but combined, they really do help keep your account more secure.  The idea is to make guessing the password more trouble than it is worth.

Some other things to think about related to passwords:
  • Always change default passwords – well known and default passwords like “password”, “changeme” and “qwerty” are just as bad as not using a password in the first place.
  • Don’t create passwords from information readily available to others – as more and more people post tons of personal information on-line, it is becoming much easier to guess passwords.  So if your dog is the center of your universe and you post hundreds of photos and messages about your dog, there’s a really good chance you will create a password that involves either your dog’s name or something to do with dogs.  That’s just human nature.  The same holds true for the “secret questions” that a lot of sites use to let you get your password reset or mailed to you.  Pick questions and answers that aren’t attributed to you anywhere on-line.  There was a really high profile case a few years back showing this.
  • Don’t share passwords with anyone – this should be self-explanatory, but people still do it for some reason.
  • Don’t use the same password for multiple accounts – unfortunately this is fairly common.  It’s easier to remember fewer passwords.  However, if somebody does successfully compromise a password, they will try it on other accounts as well.
The bottom line is to not make it easy for somebody to access your account because of a weak password or weak password practices.  The casual hacker will only exert a certain amount of time and energy before moving on to an easier target.  Don’t be the easy target.