By Tony Hallett, 4 December 2003 13:39
COMMENT Recent website security scares have brought home the importance of a sensible approach to passwords, at both the personal and corporate levels. Tony Hallett reports on what the industry is saying - and whether passwords are enough.
Tricky things, passwords. They are our most common way of safeguarding digitally stored information over shared media but they are fraught with contradictions. Most obviously, the safer they look - in terms of length and mix of characters - the harder they often are to remember, making them dangerous when end users write them down. Meanwhile employers are increasingly being told passwords - meant to make things safer - are not just frequently insecure but costly to support and legally contentious.
Consider help desk costs. There is a general consensus that resetting forgotten passwords costs companies around £10-30 a go and can account for between 30 and 60 per cent of helpdesk calls.
"And this will increase with stronger password rules," says Rudolph Huber, VP identity management at ASG.
Typically most enterprises with an established policy on digital security require their staff to change passwords - per client or per application - every 30, 60 or 90 days. This adds to those help desk enquiries but is seen as best practice, as is preventing the use of similar passwords or ones that have been used before.
One member of a marketing department at a company that preferred not to be named told silicon.com: "I used to have three passwords that I'd rotate but they don't allow that anymore."
In general, besides changing them regularly, tips include:
- Never use words that can be found in a dictionary - even in combinations - or common proper nouns.
- Make them at least eight characters long and substitute numbers for letters in some cases, for example a 5 for an S.
- Never use passwords across different systems or websites.
- Don't assume nobody knows enough about you to guess, for example, the name of your next-door neighbour's cat.
Roy Hills, technical director at security testing specialist NTA Monitor, adds: "Where unlimited password length is available use a sentence - either a phrase known to you or a film, song or book title."
In a similar vein, experts encourage the use of mnemonics. Gunter Ollmann, EMEA manager of security assessment services for ISS, says: "A trick is to think of a longer memorable pass phrase such as 'Oh what a lovely bunch of coconuts!' and only use the first letter of each word, namely Owalboc." Taking on board some of the earlier pointers might leave you with Ow4lb0c.
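The derivation Ollmann describes, and the tips listed above it, can be mechanised. The following Python is an added example, not code from the article or from any of the companies quoted; the small word list and the digit-substitution table are constructed for illustration (a real check would load a full dictionary). It builds the mnemonic from a pass phrase, applies the article's number-for-letter swaps, and then checks a candidate against the listed rules. Because the "5 for an S" trick is widely known (a point one of the comments below makes), the dictionary check first undoes those swaps before looking the word up.

```python
"""Added example: mnemonic passwords and a policy check for the article's tips.
Not code from the article; DICTIONARY and SUBSTITUTIONS are constructed stand-ins."""
import re
import string

# Constructed stand-in for a dictionary; a real policy check loads a word list.
DICTIONARY = {"password", "coconuts", "lovely", "monitored", "letmein", "welcome"}

# Look-alike digits: 5 for S (from the article), 4 for a and 0 for o (from Ow4lb0c),
# plus two further common swaps as an assumption.
SUBSTITUTIONS = {"s": "5", "a": "4", "o": "0", "i": "1", "e": "3"}
REVERSE = {digit: letter for letter, digit in SUBSTITUTIONS.items()}

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def mnemonic(phrase: str) -> str:
    """First letter of each word, keeping the phrase's own capitalisation."""
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    return "".join(word[0] for word in words)


def substitute(password: str, letters=("a", "o")) -> str:
    """Swap only the requested lowercase letters for their look-alike digits."""
    return "".join(
        SUBSTITUTIONS[c] if c in letters else c for c in password
    )


def check_policy(password: str) -> list:
    """Return the article's tips that the candidate password fails (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")

    lowered = password.lower()
    # Undo digit substitutions so M0n1t0r3d is still recognised as "monitored".
    normalised = "".join(REVERSE.get(c, c) for c in lowered)
    if lowered in DICTIONARY or normalised in DICTIONARY:
        problems.append("dictionary word (after undoing digit substitutions)")

    classes_used = sum(
        1 for group in CHARACTER_CLASSES if any(c in group for c in password)
    )
    if classes_used < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    base = mnemonic("Oh what a lovely bunch of coconuts!")
    strengthened = substitute(base)
    for candidate in (base, strengthened, "M0n1t0r3d", "coconuts"):
        print(candidate, check_policy(candidate) or "passes")
```

Note that `Ow4lb0c` still fails on length: the article's own example is seven characters, one short of its own eight-character tip, which is why Hills' advice to use a whole sentence where the system allows it matters.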
Such concrete advice, however, often falls on deaf ears, though a recent survey showed the UK is far from the worst off in Europe. A user name and password survey conducted by Rainbow Technologies this summer of 2,500 IT admins, management and security professionals showed 50.5 per cent of users writing down their passwords - with a shocking 5.5 per cent writing down every one they have - but UK users more likely to be asked to mix letters and numbers. The figure stood at 51 per cent versus just 28 per cent in France.
The same study found that, perhaps as a result of less stringent policies, those in Germany and in France have to have their passwords reset by IT departments less often than in the UK. The proportion of end users in companies making that embarrassing call was 22 and 30 per cent respectively over there as opposed to 44 per cent in the UK. But this brings us back to the issue of 'strong' passwords.
David Williamson, UK and Ireland director of sales at Ubizen, says: "It is a complete myth that security is improved forcing users to change passwords monthly and using a 12 multi-character format, including numeric and upper and lower cases, which are complex and unmemorable."
What's the answer then? Biometrics? Research from Frost and Sullivan estimates that market will reach $2.05bn by 2006, up from a paltry $93.4m last year. However, fingerprint readers, iris scanners and the like are some way from being ubiquitous. The answers that some are touting revolve around single-use or single sign-on software and appliances.
UK start-up Swivel backs the generation of 10-digit one-off passwords conveyed to users with PIN protection, meaning key-logging software in an internet café, for example, wouldn't be a danger. RSA Security, one of the biggest names in security, also offers its SecurID token for passcodes that are good for 60 seconds.
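To show what "a passcode that is good for 60 seconds" means mechanically, here is an added Python example. It is not SecurID's or Swivel's algorithm (both are proprietary); it is the open HMAC-based one-time password construction from RFC 4226, driven by a 60-second time counter as in RFC 6238, with the step length and the six-digit output chosen to match the figures quoted on this page. The shared secret is the standard RFC 4226 test key, used here only so the output can be checked. The verifier also records the last counter it accepted, so a code captured by a key-logger cannot be replayed even inside its 60-second window.

```python
"""Added example: time-based one-time passcodes (RFC 4226/6238 construction).
Not the SecurID or Swivel algorithm; STEP_SECONDS and DIGITS are assumptions
chosen to match the figures in the article."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # passcode lifetime quoted in the article
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated to digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """What the token displays: the HOTP value for the current time step."""
    return hotp(secret, unix_time // step)


class Verifier:
    """Server side: accept a code from the current step or its neighbours, once."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // STEP_SECONDS
        for c in range(counter - self.window, counter + self.window + 1):
            # Skip steps already used so a captured code cannot be replayed.
            if c < 0 or c <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test key, constructed for the demo
    server = Verifier(secret)
    code = totp(secret, 30)
    print("token shows", code)
    print("first use accepted:", server.verify(code, 30))
    print("replay accepted:", server.verify(code, 45))
```

The window of one step either side absorbs clock drift between token and server; the `last_counter` check is what makes the code single-use, which is the property the article credits with defeating the internet-café key-logger.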
Similarly, Aspace Solutions has developed an in-house system for Cheshire Building Society based on a secure audit log. Entries are time-stamped, digitally signed and chained to adjacent entries using encryption based on a hardware appliance from nCipher.
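The audit log described above combines three properties: each entry carries a timestamp, each entry is signed, and each entry is chained to its predecessor so that nothing can be altered or removed from the middle without breaking the chain. The Python below is an added illustration of that structure and is not Aspace Solutions' or nCipher's code. It uses an HMAC-SHA256 tag as a stand-in for the hardware-held signing key (an assumption; the real appliance would sign with a key that never leaves the device), and the events logged are constructed sample data.

```python
"""Added example: a time-stamped, signed, hash-chained audit log.
Not the Aspace/nCipher implementation; the HMAC key stands in for a
hardware-protected signing key, and the sample events are constructed."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry
FIELDS = ("seq", "ts", "event", "prev")


def _tag(key: bytes, fields: dict) -> str:
    # Canonical JSON so writer and verifier authenticate exactly the same bytes.
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def append(self, timestamp: int, event: str) -> dict:
        """Append an entry bound to the previous entry's tag."""
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        fields = {"seq": len(self.entries), "ts": timestamp, "event": event, "prev": prev}
        entry = dict(fields, tag=_tag(self.key, fields))
        self.entries.append(entry)
        return entry


def verify_chain(entries: list, key: bytes):
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        fields = {k: entry[k] for k in FIELDS}
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i                      # entry removed, inserted or reordered
        if not hmac.compare_digest(_tag(key, fields), entry["tag"]):
            return False, i                      # contents altered
        if i and entry["ts"] < entries[i - 1]["ts"]:
            return False, i                      # clock went backwards
        prev = entry["tag"]
    return True, -1


if __name__ == "__main__":
    key = b"demo-signing-key"  # constructed; stands in for the appliance's key
    log = AuditLog(key)
    for ts, event in ((1070538000, "login alice"), (1070538060, "reset password bob"),
                      (1070538120, "logout alice")):
        log.append(ts, event)
    print("intact:", verify_chain(log.entries, key))
    tampered = [dict(e) for e in log.entries]
    tampered[1]["event"] = "reset password carol"
    print("after edit:", verify_chain(tampered, key))
```

One caveat a practitioner should keep in mind: chaining detects edits, insertions and deletions in the middle of the log, but silently dropping the newest entries leaves a chain that still verifies. Protecting the tail needs the latest tag to be recorded somewhere the log writer cannot reach (a separate store or a periodically published checkpoint).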
It sounds complex and at a pure technological level it is. However, there remain some other obvious things companies and individuals can do.
To avoid a stream of confusing and easily forgotten codes, work out when you need 'low-', 'medium-' or 'high-security' passwords, maybe corresponding to webmail log-ins, office systems or online banking.
Revealing passwords to anyone is obviously a no-no. "Avoid divulging passwords in just the same way as not walking around telling people your [ATM] PIN or the code to your burglar alarm. Put simply - don't tell anyone," says James Warren, GM at Bullet Online, a web services company serving marketing and PR sectors.
Legally speaking, there are considerations. Simon Halberstam, partner and head of ecommerce law at Sprecher Grier Halberstam LLP and Weblaw, points out employee contract confidentiality provisions should cover the disciplinary consequences of breaching security or internet use policies. Legally binding arrangements should also be made for freelancers and temporary workers, who are often a corporate weak point.
Joanne Brook, partner and part of the technology and media department at Manches Solicitors, adds that when an employee leaves they mustn't be able to take passwords with them. When this happens they can either lock others out or go on accessing systems externally.
For those who will continue using written passwords - and let's face it, that means most of us - there are straightforward tips and ways of going about our digital business. For companies concerned about fraud, access to mission-critical systems and other areas, it is clear the humble password won't always be enough.
And even now, there is little reason to be caught out.
What are your tips for dealing with passwords? Got any good mnemonics or tactics? Share them (without giving too much away!) by posting a Reader Comment below.
Comments
There are 30 comments.
1. Tom Crown
This website changed my approach to password creation. Something I had not thought of, but now use all the time.
"one of the easiest ways to generate - and remember - a complex password is to think, not in words, but in phrases."
http://www.vanish.org/passwords.htm
2. Kurt Rosenfeld
How do you remember where a password applies?
When you change a password all sites requiring that password have to be informed.
Is there a service which will do this for me?
Note: I communicate with approx 50 sites requiring passwords.
3. Dorian Moore
Although the recommendations are good, some of them are also pretty easy to break. The switch an S for a 5 approach is so common that most dictionary attacks can break it, as switching those figures is a pretty common approach [though admittedly it does up the amount of words to be tried considerably].
Strict password technology is often let down by bad confirmation security. How many banks use things such as 'favourite film' or 'place of birth' as security checks? Those are poor choices as a little bit of social engineering can go a long way in these cases... almost every girl I've had a date with knows the answer to those questions.
And lots of systems that will lock an account after a certain number of attempts will unlock it after an unlimited number of attempts at a pass phrase. Bad bad bad IMHO.
Then again, loads of these sites email you your password in the first place. In plain text.
I think that the problem goes back to a fundamental level of educating the user, rather than enforcing rules. So many people have got jobs with 'computer skills' where those skills are merely accumulated in a bad way. Would you get a job saying you had 'driving skills' if you didn't have a driving licence?
Companies should assess the base level IT knowledge of their staff and explain in clear and unpatronising ways the issues, and maybe show them how easy it is to break into accounts. I'm sure if people realised this they would be a lot more wary. It's worked for me every time I've guessed someone's password!
4. Phil Russell
It's easy to remember a password that's in a format you are familiar with. For example:
Nicole.Kidman@MoulinRouge.com or B.Springsteen@Born2Run.song
are easy to remember (if you are a Nicole or Bruce fan) because they are in an email address type of format
and are secure, containing at least 3 of the four character sets: lowercase, upper case, numeric and 'special'.
With Windows XP / 2000 you are not limited to the 14 character passwords that NT allows, so the possibilities for generating easy-to-remember but hard-to-guess passwords are practically endless.
5. Andrew Mason
I have to admit to using the password on countless systems and webpages. Where stronger security is required, or I can't get away with that approach, my tactic is to look around my desk for inspiration. Then mix in some digits. When I need to change it, I first try to make a new combination of the same word. For instance, looking round now I see a sticker starting with the word Monitored. This would become Monitor3d, then perhaps M0nitored, then Mon1tored, then Monit0red and finally M0n1t0r3d, though that's a bit of a pain to type. I only swap one or all letters for numbers though, else you end up with too many possible combinations to remember when you come back from holiday, so it's still pretty flawed.
6. anonymous
I bought my first car from xxxxxx garage - onto which I've added my last x digits of my Armed Forces ID number
7. Adam Callaghan
Simple and easy way to enforce a good password policy is to enable the Complex Password requirement in Active Directory GPO's...
8. Geoff Harrison
I currently have around 60 different things that I need passwords for, whether it's my PC, on-line banking or accounts with Argos or Silicon.com.
I can't memorise them as there are just too many, so I have a password file on my PDA - protected by another password! It's crazy and it's getting out of hand. We need a single way of accessing data, just as we need a single card for all our debit/credit/store/reward schemes. There are just too many of both!!
9. Richard Ash
When oh when will network administrators stop locking maximum passwords at 8 chars (how many 8 char, alphanumeric passwords can I make up and remember?), and forcing users onto clear-text protocols (my site network password has to be used in open FTP and IMAP), including from machines shared with many users. My bank now does not provide a way to change my ID code - they will reset it for me, but only to a value they choose for me, which I will fail to remember. So it doesn't change. Making changing your password hard does not encourage secure practices.
10. Malcolm Cowen
"- Never use words that can be found in a dictionary.
- Make them at least eight characters long and substitute numbers for letters.
- Never use passwords across different systems."
and of course never write them down.
Fine! But if I have to remember 3,4, half a dozen, perhaps even more such passwords, then how can I manage it. The end result is not greater security, but less as people are forced to write their passwords down, because they have no other way to remember multiple meaningless strings.
11. anonymous
Use Roboform - one complex password on your PC (which is pretty secure) which manages all your other passwords. Note: no affinity to Roboform other than a highly satisfied user!!!
12. Clive Hornsby
With 13 systems at work I need to remember 13 different logons plus 13 different passwords, giving me 26 variants.
Add in my additional passwords for home computers, internet sites, mobile phones, keypad door entry systems and credit cards probably gives me around 100 combinations to memorise and reconcile to the application of the password.
These all have different expiry dates and there are no standard formats for logon names or passwords as they vary between systems, devices and websites. With minimum and maximum lengths, strong and simple formats, variations on repeatability of characters on expiry, the whole issue is considerably more complex than having one strong password.
The advice is not to use passwords across systems (the opportunity would be good), therefore it makes remembering them almost impossible, which is why they get written down.
Live in the real world and suggest how we can survive this plethora of data we have to retain so we can secure our lives. I would advise a standard for logon and password inputs which enforce a strong format. This would minimise the number we need to remember and increase the frequency of use so we do not need to write them down. We would also be more aware of security as a multiple password would provide security to more areas of our lives, so we would be less inclined to divulge it to third parties.
13. anonymous
I recently helped a friend who had to install new software on 45 PCs in her office on a Saturday, although she had forgotten to ask them for their screen saver passwords. We managed to guess the passwords on 38 of the 45 PCs! Many used their login, or 'password', or we guessed it by just looking around at what was on the desk, and I didn't even know the people involved.
14. Mick Stewart
I used to have a Dvorak style keyboard - learned to touch-type on it. Now, back on a QWERTY, whenever I need to create a password, I always type as if it were Dvorak.
Unless you know someone follows this convention, then even simple words will be hard to crack. Makes it hard for someone to watch over your shoulder, too - the words are unlikely to match an English word, and if it's just a word or two, you can type it in very quickly - no stopping to think "yes, I changed that 'a' for a '4'".
15. Antoinette Carter
Type a whole sentence for a password? Are they mad? There are people I work with who have monosyllabic names who can't even type that in correctly.
16. Jan Huffman
Roboform is a great solution. One complex password keeps track of all the others. It's powerful and really easy to use. I share my password file over my home LAN so that my passwords (and much more) are available on any attached computer. Everybody should use it!
17. Robsie
SecurID is brilliant. We use it across several international clients and it is particularly useful for remote access. It involves a PIN code plus the 6-digit code on the token (which has a 60 second lifespan) so the password is pretty much unique every time it is used.
18. David Cantrill
The one thing this article does not advocate is the use of non-alphanumeric characters, i.e. $£" and the use of uppercase. Quite often these can be used at the end of a password in combination with mnemonics. So a phrase like "I am going to the bathroom" becomes a password like Iagttb!". In reality the !" is actually just <shift> 1,2 on the keyboard, so it's just remembering the phrase and 1,2 at the end, but pressing the shift key. Even more secure again. Without having to remember anything too complicated.
19. none given
If your password is less than 9 letters and only contains a-z characters, you are up for being cracked. Using any of the 100,000 words in the UK dictionary, the domain admin password can be cracked in about a day. Allegedly.
20. Larry Sherwood
Remember a phrase - preferably in a language other than English - then choose the first or second letter of each word, substituting non-alphabetics like @ for 'a', '1' for 'i', and '0' for 'o'. I used to use "By the light of the silvery moon", which translated as "Btl0tsm" or, using the second letter, "Yh1fh10" until I decided to use an expression in French.
21. Andy Sands
The hardest problem faced by companies handling data that needs to be kept secure is getting all their employees to actually buy in to setting a complex password. If you set too many complex rules, people will just figure it's easier to phone up the helpdesk for a reset or write down their password on a post-it.
The best solution I've ever seen was implemented by a financial services company. They started offering a £100 monthly prize to encourage staff to set strong passwords. They ran password cracking software on their network monthly, and anyone whose password remained uncracked after 24 hours had their name put into a hat for a chance to win the £100.
The improvements were enormous, and the cost of the implementation virtually nil. Just a few e-mails with 'tips on setting strong passwords' and coverage of the prize.
22. Colin Hammond
"When an employee leaves they mustn't be able to take passwords with them."
Interesting, do you search their handbags for them? As an administrator I ensure that user accounts are disabled when an employee leaves. That's all you need to do, initially.
As for personal passwords, I decided to change all of mine, thought long and hard for a good one and then found that different security systems prevented me from using it! E.g. it's 12 characters, some permit only 10. It's got numerics, some permit only A-Z. So now I have at least 4 permutations of the original. Some standards would be helpful here.
23. Dave
I recently went to a security seminar where each attendee was asked to set themselves up as a user on a newly configured server (assign ourselves a username and password).
These new accounts that we set up were then used to prove just how easy it is to crack passwords using dictionary and brute-force attacks using widely available and free software (downloaded for free from the internet).
All passwords that were set were eventually cracked, albeit some took just over a day.
The most important thing to think about is setting a password that is difficult to break, using upper and lowercase and non-alphanumeric characters and avoiding dictionary words. These sorts of passwords are then not commercially viable for a hacker/cracker to try to break (i.e. it costs them more to crack the password than what they get access to is worth).
All passwords are 'crackable'; it's just making them as difficult to break as possible. If you truly want something secure then using tools like SecurID is really the only way (the security is based on something that you know (a PIN number) and something that you actually have with you (a fob with a randomly generated and constantly changing number)).
24. David Bolton
Having been forced to change my password and not allowed to reuse previous words at BAe 12 years ago, I devised a simple scheme which still works well today on Windows and Linux. Pick a nonsense word X7Y and add the current month and year - eg X7yNov2003, X7yDec2003, X7yJan2004 etc, changing it every time the password had to be changed. Guaranteed unique, non-repeating and easy to remember.
25. anonymous
I find that an old car number plate interleaved with capital letters spelling the name of the girl I was going out with at the time I had the car is easy to remember yet virtually impossible for anyone I now work with to guess.
26. L Pollock
I keep my scores of passwords and related login names and backup password reset questions ("what's the name of your first pet") in one large encrypted file with a very long password. I believe it's the only way - provided of course that the encryption of the master file is truly up to snuff.
27. Dale Wilson
It's not a question of is my password good enough, it's a question of is my system good enough to ensure my password can't be cracked or stolen.
Several times I have forgotten passwords and gone online to download tools to circumvent the problem. It's shocking the tools are easily accessible to bypass password entry.
28. Mike Eman
I try to teach this method to people who say they can't remember long passwords.
Write down a very short word in clear text on a note, for example: "HEY" then write the pattern H with the keys on your keyboard, then E and so forth. You only have to remember what key you should start with and the direction in which you "paint".
HI could be rendered:
3eDCfg6yhN9iJn
You could put the "HI" on a stick-it and have it on your monitor; as long as no one sees you when you paint it in, you should have a fairly good password.
29. Martin Vlietstra
Another approach to secure passwords is to buy a dictionary in a foreign language (for example an English-Xhosa dictionary, unless you have connections with Southern Africa) and to use Xhosa words as your password. You need to keep the dictionary at home, but you can always write "cribs" should you need to recall your password - e.g. your crib for the password "nko5i" is "God". ("Nkosi Sikelel' iAfrika" (South Africa's national anthem) translates to "God bless Africa".)
The main weakness of this system is that you have to be very careful about your use of the English-Xhosa dictionary.
30. thomas
You might want to check out codes - ones from WWII, Caesarian, that sort of thing. Pick a word you can remember (NOT in the dictionary, etc.) and drop each letter in this word down one, two or three places. If one of them is a letter like 'a' or 'b', change it to a number. Write your name from front to back, interspaced with numbers ascending or descending. Make it a game.