Blown To Bits

Passwords

Thursday, September 11th, 2008 by Harry Lewis

Passwords are a nuisance. As a security technology, they have many problems.

  1. If they are complicated, or consist of meaningless strings of symbols, we forget them.
  2. So we pick strings that are easy to remember, our children’s names or our birthdates. Then either
    1. They are easy for attackers to guess, and aren’t secure at all, or
    2. (As now commonly happens) the site won’t let us use such a simple password, and we have to come up with something stronger.
  3. If we try to make passwords easier to remember by using the same password for multiple sites, then the security of the password is only as strong as the security with which the most amateur of those sites protects the password data. So if you are asked to create a password for access to a web site that seems sketchy, don’t use the same password as you use for your financial data, because it could be a scam; the scam artist may be able to figure out your bank or credit card number from a statement you threw out in the trash and may try the password with that account.
  4. Because passwords are a nuisance to keep re-entering, single passwords sometimes give access to lots of information that could be split up to increase security.
  5. For the same reason, some services don’t log you out after a period of inactivity. This is one of the worst security problems with Facebook. If you forget that you have left yourself logged in and allow someone else to use your computer, even days later, they have access to your profile — and also to all the information that your login enables you to see about your “friends.”
  6. Systems with default passwords, so that they work “right out of the box” but advise you to change the password for security reasons, are extremely vulnerable. Anyone who knows the default password, perhaps because they used to work with the supplier or have used the device or system themselves, or can guess it ¬†(“admin” and “0000″ are good to try),¬†can break into yours if you take the easy way. Here is a nice story about someone stealing gasoline from a pump that had not had its security code reset by the gas station proprietor.

Personally, I have several passwords, and I try a pyramid approach: A low-security password for a large number of sites that have no information on me worth protecting; a high-security password for a very small number of sites with very valuable information, such as credit card companies and banks; and a couple of layers in between. A lot of people I know seem to use a scheme like this.

But here’s a nice idea used by one fellow I know. He uses an algorithm to combine the name or URL of the web site with some personal information to produce site passwords that are different for every site. To take an overly simple example (he didn’t tell me his exact method), if this site (bitsbook) needed a password, I might append my first name to it, to create the password “bitbookharry”. That would be too simple — you’d need to break up the words, insert some nonalphabetic and capitalized characters, etc. But the basic idea of just having to remember a single algorithm, which you can apply to the URL along with some easily remembered personal information, sounds like a good trick.

But really, we need a different security mechanism (and there are some; perhaps more on that later).

2 Responses to “Passwords”

  1. Blown to Bits » Blog Archive » Sarah Palin’s Email Says:

    [...] Passwords [...]

  2. Writing Secure Code - Links - September 26, 2008 | Programmer's Edge Says:

    [...] Passwords — This blog post from the "Blown to Bits" blog talks about problems with passwords. On a personal level – you should have a random password. No words. Just mix of characters. From a developer perspective – do not write your own login code. Almost all frameworks now have their own login subsystem – leverage that. It will allow you to focus on code that is actually core to your business application. Or as I would think – I would not want my friend Quan writing my UI but he knows how to write awesome security code. I know my friend Josh knows how to make awesome looking UI – he shouldn’t be writing my security code. And from an enterprise level – make sure you are adopting  comprehensive access products such as Oracle Access Manager suite. [...]