In our previous visit to passwords (Password 101 – Part 1) we looked at the need for the password in the office environment. This article delves a little deeper and focuses on network password generation.
There is a popular saying that your password should be like your toothbrush, “Change it every three months and don’t share it with anyone else!” The frequency of password changes may be open to some interpretation (personally I am not in favour of regular changes which often reduce the very security it is trying to enforce) so an appropriate policy will vary depending upon the compliance requirements of the organisation. The second half of the soundbite, the suggestion of maintained privacy, is unquestionably good advice. During his time at a large multi-national company our very own Peter Hinton worked in an environment where disclosing one’s user name and password to a colleague could result in an on-the-spot dismissal. This is certainly one extreme of the scale but, taking the other extreme to be an environment where all users can log on as one another, I certainly hope that most organisations are somewhere between but closer to the former than the latter.
My focus in this article is on a user’s network password – there are a huge number of sites and services we use which require passwords and these passwords can be made fiendishly complicated and impossible to guess partly because we can have them saved (encrypted and backed up) on the computer somewhere. However we still need to get past that first logon screen.
One of the obvious but often overlooked principles is that the PC/network logon password must be memorable for the user. If the password is impossible to learn the user will simply write it down. On more than one occasion I have found a user password written on a post-it note…….attached to the monitor. (Top draw of the desk is the next favourite place to look, followed by under the keyboard).
Users should keep two key vulnerabilities in mind when choosing a password – the ‘dictionary attack’ (where the hacker simply attempts to log on using known words in a sustained, automated process) and the ‘nosy colleague vulnerability’ (where someone who knows you may make an educated guess at your password – date of birth, pet’s name, etc.)
The dictionary attack becomes thwarted to a degree by avoiding a password which is just a single, known word. One can start by using two (perhaps unrelated) words for a password and can be further augmented by replacing letters with numbers (e.g. an “s” becomes a “5”). Anything which adds to the complexity helps though more sophisticated dictionary attacks can be wise to simple letter/number replacements.
The ‘nosy colleague’ threat comes when a third part knows enough to guess your password. If, for example, son number 1 was born on Christmas day then your password of “Noel2512” may be both dictionary attack proof and sentimental, but may be easily guessed by someone who knows you.
My preferred method of arriving at passwords is to use mnemonics and to apply a couple of further techniques to adjust the appearance of the resulting password.
Let us start with the opening lines from a familiar nursery rhyme.
“Mary had a little lamb,
Its fleece was white as snow”
If our password used the initial letters of each word we arrive at
We have already defeated the standard dictionary attack and probably anything else (unless popular nursery rhymes are a regular topic of conversation in the office).
Now we can swap a couple of letters out for numbers
i = 1
s = 5
This is better still. Finally, we will use the shift key with every other character. Mixing upper and lower case letters in a password is good though, when asked to do so, many users only capitalise the initial letter (or risk forgetting which were capitalised if more are chosen). Simply making every other character a shifted one gives an easy to remember sequence. Now we have
with the added benefit that the shifted 5 gives us a special character to end the password.
Try and memorise the above line of characters and you may well struggle. However, I’m sure you remember the opening lines to “Mary had a little lamb” and now, with the simple act of knowing which letters become numbers and which characters are shifted we arrive at a very secure password which is easy to type out – just don’t sit there mouthing the words of the nursery rhyme!
In the final part of the Passwords 101 articles, Part 3, we will look at password security for the wider world beyond our network.
Passwords 101 – part 2
Part of the “May contain nuts” series of short articles discussing familiar topics which we should all revisit once in a while.