So I see bad passwords all the time as an Information Technology professional.  I have gotten use to being asked on a regular basis to reset password and at one firm I worked at it was close to 70% of my job.  IT professionals are quick to blame end users for choosing bad passwords but I would say that the problem is shared by both users and DevOps.  The developer portion of DevOps starts this problem.  They may set very stringent password requirements.  Corporate management may have read a blog somewhere that inspires them to use ISO/IEC_27002 password guidelines and that is commendable.

Those guidelines in brief are:

  • Passwords or pass phrases must be lengthy and complex, consisting of a mix of letters, numerals and special characters that would be difficult to guess.
  • Passwords or pass phrases must not be written down or stored in readable format.Users must either log off or password-lock their sessions before leaving them unattended.
  • Password-protected screensavers with an inactivity timeout of no more than 10 minutes must be enabled on all workstations/PCs.

I have worked in some organizations that adhere to this as if it were written on stone tablets handed down by a higher power and other firms that believe password policy is to use password as the password.

The problem that we have is that MOST people who have to use passwords are neither Information Tech professionals nor Security experts.  There are lawyers, doctors and all sorts of professions that while expert in their own fields know NOTHING of computer security.  The most common flaw I have found is complex password written down and that is not unexpected.  Can you imagine having to remember R$t7*l15 and that is only 8 characters.  Even if you use a password that does number for letter substitution like the examples below, you still have to remember them all.

  • scuba becomes 5cu8a
  • water becomes w4t3r
  • icecream becomes 1c3cr34m

Your password is no good if you write it down and leave that sticky note under your desk calendar or in your top drawer. Also it is recommended that you have different passwords for every site you login to.  I don’t know about most users but I’m sure that I login to at least 10 different sites per day.  If I had to remember each password that was written similar to 7&Rtj%2m I would have a stack of sticky notes that could cover a car.

TMCP LastPassPassword managers such as Last Pass or @Keeper are a great way to mitigate the issue of writing passwords down.  There are plugins for most browsers to assist with the management of passwords and both platforms have great reputations for being secure.  While an office cleaner may not have the technical skills to brute force your password, they find that putting the piece of paper your password is written on in a pocket is something very simple and who knows where that paper may end up or what someone handed that paper can do.  TMCP Keeper

Best Practices

I have found that using memorable words such as something you like as in Scuba diving or Golfing or Schools you went to make for a better password.  Just using two words a computer would take 6 years to crack one of my passwords and when I add a third word it would take 17 Quadrillion years and that is without special characters or numbers.  Just a capital letter in each word and you can place that capital at the beginning or end to make it easy to remember.  There are other ways to fit the password “Requirements” that you are being forced to uphold and still remember your password easily.

Substitute numbers for letters based upon their appearance. With a little imagination, you can visualize numbers that bear resemblance to letters

For further interest, you can capitalize more than one letter, for instance the first and third, or the second and fourth.

Avoid predictable week-to-week or month-to-month changes. One example of a predictable pattern to avoid: eyesJan01, eyesFeb02, eyesMar03, etc. If someone was lucky enough to discover your password long ago, you don’t want him to be able to predict what it will be in the future.

Check the quality of your password at This Web site performs calculations based on the complexity and “guessability” of your password and tells you how good your password is. Remember that your password is transmitted over the Internet in the clear, so you should try similar passwords instead of your actual passwords to get an idea of the characteristics of a good one.

Organizations are rife with guest accounts, group accounts, accounts with no passwords, a lack of password expirations, passwords that can be easily guessed and opportunities to exploit technical weaknesses or perform social engineering. With all of these easy opportunities, computer accounts with good six-character passwords are only a trifle weaker than those with eight-character passwords. My point is that Security professionals need to focus more on the compliance of good user-account hygiene than on the length of passwords.

Better Passwords