Useless Password Advice

The mainstream press is full of articles telling you how to use secure passwords, like this one in MSNBC or this one in TechNewsDaily. They echo the traditional wisdom on password security — use a long password, put numbers and symbols and multiple cases in it, and don’t record it anywhere.

Well, I suppose there’s nothing wrong with that, but it’s usually not very useful. Let’s look at the advice in the second article above:

1.) Don’t be cute
Okay, they have a good point here. Using a password like 123456, qwerty, password, secret, etc. actually will get your password hacked. If your password is subject to a dictionary attack, it genuinely is very easy to get into your account. Keep in mind that a “dictionary” doesn’t mean the Merriam-Webster one, though — it means a wordlist of common passwords, so things like 123456 and major historical dates and most proper names are in the dictionary. Don’t use them.

2.) Longer is better.
3.) Use the shift key.
4.) Comic book cussing is good.

These three are sort of true, but usually aren't useful. Assuming all lower-case letters, there are 308 million possible 6-character passwords, yet 208 billion 8-character ones. Adding digits, both cases and a handful of symbols (the 72-character alphabet behind the usual figure) turns that 208 billion into 722 trillion. But for passwords on web sites, it's mostly irrelevant! To guess a website password, the attacker has to send each guess to the server, and the server decides how many guesses he gets. The proper solution here isn't longer passwords for users; it's password lockout. If after 3 wrong passwords you're required to wait just 5 minutes before you can try again, an attacker gets about 315,000 guesses a year, so even that all-lower-case 6-character password takes on average about 490 years to guess (roughly 980 years to exhaust the whole space). Password lockout makes online brute force hopeless, so all your password has to be is something not in the dictionary (for hacker values of "dictionary"). More secure sites like banks could implement progressive lockout: say, after being locked out for 5 minutes three times without a correct password, disabling the account entirely and requiring you to call or otherwise verify your identity. One caveat: a hard lockout also lets anyone who knows your username lock you out on purpose, which is why many sites throttle guesses with increasing delays, per account and per source address, rather than freezing the account outright.
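The lockout policy just described, as an added example that is not code from the original post: a hypothetical in-memory login guard enforcing "3 wrong guesses, then a 5-minute wait" with the progressive variant (third lockout disables the account), and the arithmetic behind the years-to-crack figure. The user "alice", her password and the injectable clock are all constructed for the demo.

```python
"""Added example (not from the original post): a hypothetical login guard
enforcing the lockout policy described above, plus the "years to crack"
arithmetic.  The user "alice", the password and the clock are constructed."""
import hmac

WRONG_BEFORE_LOCK = 3           # three wrong guesses ...
LOCK_SECONDS = 5 * 60           # ... then a five-minute wait
LOCKOUTS_BEFORE_DISABLE = 3     # progressive lockout: third lockout disables the account


class LoginGuard:
    """Per-account counters for a plain and a progressive lockout policy."""

    def __init__(self, passwords, now):
        self._passwords = dict(passwords)  # user -> password; plaintext only for the demo
        self._now = now                    # zero-argument clock returning seconds
        self._wrong = {}                   # user -> consecutive wrong guesses
        self._locked_until = {}            # user -> time the current lock expires
        self._lockouts = {}                # user -> consecutive lockouts
        self._disabled = set()

    def attempt(self, user, guess):
        """Return 'ok', 'wrong', 'locked' or 'disabled'."""
        if user in self._disabled:
            return "disabled"
        now = self._now()
        if now < self._locked_until.get(user, 0):
            return "locked"                # refused even if the guess is right
        expected = self._passwords.get(user, "")
        # constant-time compare; unknown users take the same code path
        if user in self._passwords and hmac.compare_digest(
            expected.encode(), guess.encode()
        ):
            self._wrong[user] = 0          # success clears both counters
            self._lockouts[user] = 0
            return "ok"
        self._wrong[user] = self._wrong.get(user, 0) + 1
        if self._wrong[user] >= WRONG_BEFORE_LOCK:
            self._wrong[user] = 0
            self._lockouts[user] = self._lockouts.get(user, 0) + 1
            if self._lockouts[user] >= LOCKOUTS_BEFORE_DISABLE:
                self._disabled.add(user)   # progressive lockout: account frozen
                return "disabled"
            self._locked_until[user] = now + LOCK_SECONDS
        return "wrong"


def run_guess_script(script, password="correct-horse"):
    """Replay guesses against a fresh guard for the hypothetical user 'alice'.
    The entry "WAIT" advances the fake clock by one lock window instead of
    guessing.  Returns one outcome string per entry."""
    clock = [0.0]
    guard = LoginGuard({"alice": password}, lambda: clock[0])
    outcomes = []
    for entry in script:
        if entry == "WAIT":
            clock[0] += LOCK_SECONDS
            outcomes.append("wait")
        else:
            outcomes.append(guard.attempt("alice", entry))
    return outcomes


def average_years_to_crack(alphabet_size, length,
                           guesses_per_window=WRONG_BEFORE_LOCK,
                           window_seconds=LOCK_SECONDS):
    """Expected time to guess a uniformly random password of the given alphabet
    and length when only guesses_per_window attempts fit in window_seconds.
    On average half the keyspace is searched before the hit."""
    keyspace = alphabet_size ** length
    windows_per_year = 365 * 24 * 3600 / window_seconds
    return (keyspace / 2) / (guesses_per_window * windows_per_year)


if __name__ == "__main__":
    print(run_guess_script(["a", "b", "c", "correct-horse", "WAIT", "correct-horse"]))
    print(run_guess_script(["a", "b", "c", "WAIT", "d", "e", "f", "WAIT",
                            "g", "h", "i", "correct-horse"]))
    print("6 lower-case letters, 3 guesses per 5 min:",
          round(average_years_to_crack(26, 6)), "years on average")
    hours = average_years_to_crack(26, 6, 1000, 1) * 365 * 24
    print("same password, 1000 guesses/s and no lockout:", round(hours), "hours")
```

Note that the lock refuses the correct password too while it is in force; that is the property that makes the arithmetic hold, and also the property an abuser exploits to lock a victim out, so production systems usually pair a per-account limit with per-source throttling instead of a bare freeze.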

The one place this is true, however, is for passwords protecting or being used as cryptographic keys. If you have an encrypted file, you want the password to be long and complex, because someone who has the encrypted file can try all the passwords he wants as fast as he wants. There's no server to lock him out; he's doing the cracking on his own machine! The same goes if a web site's password database is stolen: the attacker then holds the hashes and tries guesses offline, limited only by how slow the site's hashing is, which is one more reason never to reuse an important password on a site you don't trust. But for guesses sent through a web site's login form, length and symbols just don't matter.
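The offline situation from the paragraph above, and the dictionary attack from item 1, as an added example that is not code from the original post. A constructed wordlist is run against a leaked verifier in two forms: a bare unsalted SHA-256 (a naive "hash check") and a salted PBKDF2 with an arbitrarily chosen iteration count. Nobody locks the cracker out; the slow hash only raises the price per guess, so a dictionary password still falls and an uncommon one does not.

```python
"""Added example (not from the original post): an offline dictionary attack
against stored password verifiers.  The wordlist, salt, passwords and the
PBKDF2 iteration count are constructed for the demo."""
import hashlib
import os
import time

# Constructed stand-in for a cracking dictionary: common passwords, a keyboard
# walk, a famous date and a first name, in the sense of item 1 above.
WORDLIST = [
    "123456", "password", "qwerty", "letmein", "secret", "dragon",
    "19450508", "jennifer", "iloveyou", "baseball", "welcome", "monkey",
]

PBKDF2_ITERATIONS = 50_000   # arbitrary for the demo; deployments tune this higher


def fast_hash(password):
    """Unsalted SHA-256: one guess costs microseconds."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256: each guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack(verifier, wordlist, check):
    """Return the first dictionary word whose check() output equals the stolen
    verifier, or None.  There is no server here, so we simply loop."""
    for word in wordlist:
        if check(word) == verifier:
            return word
    return None


def guesses_per_second(check, seconds=0.2):
    """Rough measurement of the attacker's guess rate on this machine for the
    given verifier function; the gap between fast and slow is the point."""
    deadline = time.perf_counter() + seconds
    n = 0
    while time.perf_counter() < deadline:
        check(WORDLIST[n % len(WORDLIST)])
        n += 1
    return n / seconds


if __name__ == "__main__":
    salt = os.urandom(16)                          # constructed per-user salt
    leaked_fast = fast_hash("dragon")              # dictionary word, stored naively
    leaked_slow = slow_hash("dragon", salt)        # same word, stored with a slow KDF
    unusual_fast = fast_hash("tangent-velvet-oak") # not in the dictionary
    slow_check = lambda w: slow_hash(w, salt)      # attacker has the salt too
    print("fast hash, dictionary word :", crack(leaked_fast, WORDLIST, fast_hash))
    print("slow hash, dictionary word :", crack(leaked_slow, WORDLIST, slow_check))
    print("fast hash, unusual password:", crack(unusual_fast, WORDLIST, fast_hash))
    print("guesses per second, fast hash:", int(guesses_per_second(fast_hash)))
    print("guesses per second, slow hash:", int(guesses_per_second(slow_check)))
```

The two printed guess rates differ by several orders of magnitude, but both are whatever the attacker's hardware allows; the only defence the password itself contributes is not being in the list.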

5.) Keep it centered.
This is just plain silly. It's not remotely true that "nearly all" passwords are stored with the last character in the clear; in fact, most aren't stored at all, only a hash of the password is kept and each login is checked against it. The last-character flaw belongs to one specific password storage routine. There have been others: the old LAN Manager (LM) hash, which Windows NT kept for compatibility, upper-cased the password, padded it to 14 characters and hashed the two 7-character halves independently, so an 8-to-13-character password was no harder to crack than a 7-character one plus a trivially short one, and the short half often gave away the rest. Must we always figure out exactly what password-storage routine every app and website uses, and craft passwords to match? Of course not.

6.) Keep it fast, keep it mental.
If it’s your ATM PIN, you may have to worry about shoulder surfing. Likewise if you work for the CIA and there are spies everywhere. But passwords you use at home? Probably not a big concern. And what about writing down passwords — why not do it? If the password record is stored in your house, someone would have to burgle you to get it, which is (hopefully) pretty unlikely. Now, writing it down in a place proximate to attack is a bad idea, of course — putting your work password on a post-it on your workplace desk, for instance, or writing down your banking & credit card passwords on a paper in your wallet (right next to the credit and debit cards that identify which banks you use and the ID that shows your name…) is a recipe for getting hacked. Putting a password list into a dedicated device is very secure, albeit excessive for most people.

7.) Remain paranoid.
8.) Don’t double up.

Password rotation and avoiding reuse are actually the best recommendations on the list. For websites, a simple 6- or 7-letter password you change every 6-12 months and don’t recycle is probably a great deal more secure than setting your password to &*Q}}@#$7-=[\?~^.

It’s also very hard to remember to do. 🙂

9.) Loose lips sink ships.
This isn’t really related to password selection like the others, but yeah, don’t tell other people your passwords unless you’re entirely comfortable with them being you. If it’s your spouse, fine, but sharing passwords among semi-trusted groups like coworkers is a bad idea, and giving it to anyone on the phone who claims to need it is a terrible one. (One of the most famous hacks of AT&T’s COSMOS billing system back in the 80’s came from someone simply calling an operator and saying “Hi, this is Ken [the name of the company CEO at the time]. What’s the root password?”)

10.) Don’t turn your back on your computer.
Oh, come on, this is why we have password-locked screen savers.

If I were to come up with a list of password security advice, it would look like this:
1.) Don’t use dictionary words, people’s names, or anything you think might be a common password. Make up something unique.
2.) If the password is to something important — like your bank account — change it every few months.
3.) Never use the same password for important things as you use for frivolous websites.

And that would be about it. Short enough to remember.

authentication, mitigations, passwords
