In Praise of the PassPhrase
One of the longest serving technology security methods is the password. On the surface it seems simple and cheap, and for many companies it may be, but the reality is that passwords have serious flaws and dangers. Some of these exist as part of a trade-off between security and ease of use and others due to the mish-mash of separated systems we run into in a corporate environment or on the internet in general.
But we really can’t fix a problem if we don’t know what it is or understand the different factors that play into an effective solution.
Effective passwords are a struggle between locking out those who should not have access and providing a quick interaction to those who should, complicated by users who try to keep their lives as simple as possible. On the computer and administrator side, we have the ability to set and enforce characteristics of passwords. “Your password must be at least ten characters long and contain a special character” is part of this. It is a response to users setting incredibly simple passwords or having none at all. But the response has swung the pendulum the other way and actually made security worse in many respects.
By forcing people to have complex passwords for many different sites, some of which must change often, we force them to manage those passwords. This “management” often takes the form of paper notes or obviously-named files that serve as an easy target; we’ve even heard the term “sunflowering” to describe the array of sticky notes that can grow out from a monitor to hold passwords and other information.
Human minds for the most part are not set up to remember complex strings of data; a popular work suggests we are limited to about seven “chunks” of information at one time, plus or minus two. We have a talent for things such as music and words because they have a flow to them that stretches the information out over time, but items that don’t flow together logically, such as “4jOq6tn!9”, take work. So if we want to eliminate the need for this form of password management while keeping the security benefits, what we really ought to do is make passwords easier to remember. Oddly enough, we can do this by making passwords LONGER.
Long passwords have been misframed in most people’s minds: longer does not necessarily mean more complex. In most password attacks, however, it does mean harder to crack. The length of a password is often more of a factor in its security than whether or not it contains special characters. Guessing and “shoulder surfing” are also much more difficult when passwords are longer. The key is to think of it not as a pass WORD, but a pass SENTENCE.
Since spaces and punctuation are valid characters in Windows passwords, using actual sentences takes no extra brain power to remember. Phrases like “I’d rather be golfing,” are a good starting example, although we also want to design something that can’t be easily guessed. If your administrator requires capitals and special characters, try “Next year: Maui!” Have an older woman who can’t remember passwords? Try her with “My grandkids are cuter than yours!” and see if she forgets THAT one!
That last one is 35 characters long; most of the password evaluators I’ve seen won’t go above 20 characters, because after fifteen characters the amount of computing power needed is unlikely to exist even in distributed botnets for the foreseeable future. If we accept the seven-“chunk” limit from earlier, we have effectively swapped the chunk that each letter or symbol took up in our minds for a whole word made of several characters, making the password much harder to crack and most likely easier to remember at the same time.
Now if only we can get people to not share their passwords…