On Passwords

Let's do a survey, how many people you know use "password" as their password or how about "secret"? Or their names? Or even their birthdays? Your password is your key. I have heard this countless of times so it amazes me that there are many around me who still choose really bad passwords!

In general, your passwords ought to contain a good mix of characters (in uppercase and lowercase), numbers and symbols. It should not be an English word nor should it be something that can be linked to you. Now if you follow this closely, you will probably end up with a password that is a real pain to remember.

Some organizations require you to change your password every two to three months and they record your last three or four passwords so that recent passwords cannot be recycled. It has also been recommended that you have a different password for each application. That means that for an average web server with two online or remote accounts, he or she would have to create and remember around ten passwords over the course of a year. That's quite a bit of memory work just to get into the system.

I once saw this program which serves as a password vault by storing passwords and other account details in an encrypted file. In this way, the user only needs one password - the one to decrypt the encrypted file. The flip side is that if that password is ever broken, then all the other passwords that are stored through the program are compromised.

Program designers are painfully aware that users have a knack for choosing poor passwords and have come up with some interesting tricks to tackle this problem. Some programs give real time feedback on the strength of your password as you key it in. Others increase the entropy of the passwords through salting and peppering - procedures that are transparent to the user.

The importance of choosing a high entropy password arises because of the ability of the computer to crunch through routine and ordered tasks. Passwords consisting only of English words are easily broken by dictionary attacks while structured modifications like replacing the 'i' with '1', 'o' with '0' or adding a digit at the end can be replicated through code.

There are tools that can help to generate high entropy passwords. These accept a seed, password or passphrase and use cryptographic hashes to generate a seemingly random string of characters. Now while it is good practice to have a really strong password, the effort can come to naught if the user is simply unable to remember it. This in itself leads to a totally different problem.

Update: I've been told by a friend of mine that I should - to be politically correct - say that the hashed string of the password is recorded instead. I'ld say that this is not only politically correct but technically correct. Thanks Jiinjoo!