Mark Amory | 3 July 2012
I read a magazine article this week all about passwords: who wants to get their hands on them, why they want them, and the steps we could take to make their lives that bit more difficult.
It was a relatively interesting article, and although it did offer some useful tips, such as not using the same password on multiple websites and making it a minimum of 8 characters in length, etc., it didn't get to the crux of what I believe is the real problem with the passwords people choose.
What is this problem?
Well, in my mind, the problem is with the term "Password".
Think about it...."Password"...
What does the term "Password" conjure up?
That's right....a WORD, singular, in a dictionary, memorable, but above all else - crackable.
In offices up and down the country we are told (probably every 30 days) to create a strong passWORD that meets the designated complexity rules. Whilst all this is good practice to increase the strength of the passWORD, what we are failing to recognise is that we are asking humans to make up these passWORDS, and irrespective of how eloquent our use of our chosen language may be, most people have a limited daily vocabulary. So when prompted, under the added stress of a heavy workload, to think of a new passWORD, we revert to form and choose something that we will remember, and because we've seen the term passWORD, that's what we choose: a WORD.
"Ah! Not me", you cry, "I've used a word that's not in the dictionary". Again, spot the term WORD. Trust me, if it's a word of ANY sort, the fact that it is a WORD means it will be in a dictionary somewhere, and those wily hackers have got digitised versions of ALL forms of dictionaries at their disposal. A quick Google search for "password dictionary lists" turns up hundreds of links to downloadable txt files.
I'm not going into the length of time taken to crack any given passWORD, as that's not important here - the fact that it CAN be cracked is enough.
So what I'm going to do is offer a way of creating something that is complex, but memorable at the same time.
What I'm offering here is not a revolutionary new technique, and some of you reading this may well have heard it before and may even use the technique already. If so, you have permission to sit back with a look of smug self-satisfaction! For those others, here it is....
It's a passPHRASE.
There....Simple isn't it?
That one change of the term WORD to PHRASE is all it takes.
So, instead of a passWORD of "sunshine" (or SunSh!n3) which are both included in common cracking dictionaries, you could use a passPHRASE of "Il0veS!ttingintheSunsh!n3".
Yes, it might take all of 15 seconds to type out, instead of the 3 or so for the other one, but that passPHRASE is much, much stronger than the passWORD variant and would necessitate a brute-force attack to crack it instead of a dictionary attack, which takes a LOT longer.
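To make the passWORD/passPHRASE distinction concrete, here is a small password-policy checker, added to this post as an illustration (it is not code from the original article). It does what a cracking tool's rule set does in reverse: it lower-cases a candidate and undoes the common "leet" substitutions, so "SunSh!n3" collapses straight back to "sunshine" and is rejected as a dictionary word, while the passPHRASE survives and is scored by the size of the brute-force search it would force on an attacker. The word list is a constructed six-entry stand-in for a real cracking dictionary, and the substitution table is an assumed sample of the mangling rules such tools apply.

```python
import math
import string

# Constructed stand-in for a cracking dictionary; real lists run to millions of entries.
SAMPLE_DICTIONARY = {"sunshine", "password", "letmein", "dragon", "monkey", "football"}

# Assumed sample of common leet substitutions, mapped back to the letters they replace.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
    "5": "s", "$": "s", "7": "t", "@": "a",
})


def normalise(candidate: str) -> str:
    """Lower-case and undo leet spellings, as a cracking rule set does in reverse."""
    return candidate.lower().translate(LEET_MAP)


def is_dictionary_word(candidate: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """True if the candidate is a single dictionary WORD, mangled or not."""
    return normalise(candidate) in dictionary


def alphabet_size(candidate: str) -> int:
    """Size of the character set a brute-force attacker must cover for this string."""
    size = 0
    if any(c in string.ascii_lowercase for c in candidate):
        size += 26
    if any(c in string.ascii_uppercase for c in candidate):
        size += 26
    if any(c in string.digits for c in candidate):
        size += 10
    if any(c in string.punctuation for c in candidate):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(candidate: str) -> float:
    """log2 of the brute-force keyspace: alphabet_size ** length."""
    return len(candidate) * math.log2(alphabet_size(candidate))


def check(candidate: str, dictionary=SAMPLE_DICTIONARY):
    """Return (accepted, reason, bits).

    For a dictionary word the cost to an attacker is roughly log2(dictionary size)
    plus a few bits for the mangling rules, regardless of how the word is spelled;
    the brute-force figure only applies once the dictionary attack fails.
    """
    if is_dictionary_word(candidate, dictionary):
        return (False, "single dictionary word (leet spelling does not help)",
                math.log2(len(dictionary)))
    return (True, "not a dictionary word; attacker is pushed to brute force",
            brute_force_bits(candidate))


if __name__ == "__main__":
    for candidate in ("sunshine", "SunSh!n3", "Il0veS!ttingintheSunsh!n3"):
        accepted, reason, bits = check(candidate)
        print(f"{candidate!r:30} accepted={accepted!s:5} ~{bits:5.1f} bits  {reason}")
```

Both "sunshine" and "SunSh!n3" are rejected, because the symbol swaps are exactly the rules a cracker already applies to every dictionary entry. The passPHRASE normalises to "ilovesittinginthesunshine", which is not in the list, and its 25 characters over a 94-symbol alphabet give a brute-force keyspace of roughly 164 bits. The point is not the exact number but that the checker measures the attacker's cheapest route, not the surface complexity of the string.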
Now, don't get me wrong, this is not the only thing that needs to be done to strengthen our accounts; the storage mechanisms for such passPHRASE data also need to be examined (the use of salts, truly strong encryption algorithms, etc.), but that's for another day and another techy to discuss. At least we can all now make life a little more difficult for those that seek unauthorised access to our systems by swapping the term WORD for PHRASE.
Now, instead of spending valuable time flicking between reading all these wonderful blogs and playing Bejeweled Blitz on Facebook, go and get all those account passWORDS changed!