Peter Cochrane's Blog: New password theory

Just what are you trying to protect?

By Peter Cochrane, 22 December 2008 09:00

COMMENT

Written at Phoenix Sky Harbor Airport and dispatched to silicon.com from the BA lounge via a free wi-fi service

Can you imagine what a password of the following form might be used to protect: '2c93b8819ca8c7d23dbeb628a8'? It is the 26-character password for wi-fi access at a really small (and I mean small) hotel in the UK.

Similarly 'k5f4epxxvypt4gq2' (16 characters!) is the wi-fi password at a modest conference centre in the EU.

Both of these passwords required a payment in excess of $15 per day and delivered the usual ADSL dribble. Not what I call good value for money - a very high price for a really second-rate service.

In contrast, at my hotel in Phoenix, and here at the airport, there is free broadband access at well over 10 times faster than the UK/EU rate. What is more, the access process was straightforward and convenient. No phone call or hike down to the reception desk to collect a token and pay the bill. And more importantly, no time wasted trying to type in an incomprehensible and long string of meaningless characters.

Typing in something of the form 2c93b8819ca8c7d23dbeb628a8 usually means making at least a couple of errors, and the whole process seems way over the top for any application. What are these people trying to protect?

Now for another observation. The password and PIN for my bank account involve a total of 11 characters, and the door access codes of many company offices I visit use only four or five characters.

From all of this I have deduced two things:

  1. A new theory of passwords for the real world that seems close to reality: The length of any password is inversely related to the value of the assets being protected, and as a consequence, the inconvenience of access is similarly related.
  2. The access code to the main vault at The Bank of England is probably only two characters, which may well be written on a Post-It and visible to all on a notice board close by.

Comments

There are 6 comments.

  1. drew stephenson

    Call it "Cochrane's Law"
    There's plenty of supporting evidence round here. Thinking about it, there's probably a corollary including the frequency with which you're required to change it as well.

  2. Ian Ashton

    Spot on Peter. To get into my online EDF account I've been supplied with 3 numeric keys. The upshot is I never use it. And I've lost the letter containing them.
    These sorts of unintelligible passwords practically force people to write them down (unless they've done some memory training?). The motive seems to be to pass the security buck back to the customer rather than helping them to use strong and secure passwords and keep them in their heads.

  3. Simon Allen

    Yeah, true. It's just another form of @rse covering. "We told you to change your password and to add 15 random characters that change every time you log on - but you wouldn't listen"

    I keep all my passwords in a secure, encrypted file. So it is true that a master p/word will reveal them all but if someone sticks a gun up my nose - I'm gonna tell them the password anyway!

  4. Peter Cochrane

    Drew = I just love those idiotic systems that close down access when keyboard activity ceases for more than 3 - 5 mins. I think of them as suicide generators! Peter

  5. Peter Cochrane

    Ian = Good observation - buck passing has moved on from being a sport to become a profession in its own right! Peter

  6. Peter Cochrane

    Simon = I think we need a new discipline of 'Pragmatic Solutions' where now @rse is tolerated! Peter
