The Insecurity of Password Security

Astonishing, Shocking, and Surprising

I have skimmed over several posts the past day-and-a-half detailing the apparent shocking statistics regarding the lack of thought and security we end-users place when conjuring up passwords.  Gasp! Someone actually used 1234567 as a password?  Security consultants around the globe are printing these articles en masse, building their long awaited nuclear arsenal of “I told you so”s and “I tried to warn you”s.

Maybe a better study would be: why people make their passwords so easy.

Passwords like 111111 and iloveyou are not proof that people are ignorant and apathetic when it comes to proper password security, we just don’t know and don’t care.  Take a moment and count…how many passwords are you supposed to remember on a daily basis?  Me?  In one short minute I could count 39 personal and 50 work-related passwords.

Want to know the code to someone’s ATM card?  Just ask them their voicemail password.

We just live hectic, noisy existences, incapable of remembering a special ten-character, mixed-case, symbol-included code for every unique thing we do in life.  We just don’t want to remember one more and when we are asked to, it makes us mad.  So we type something stupid like asdfjkl.  We have run out of ideas, depleted our creativity, and locked up our grey-matter RAM storage and have no room for one. more. password.

If the security world wants us to have ‘at least ten characters’, ‘at least one number’ and ‘at least one special character’, how in the world is the average user supposed to remember that safe, secure, special password for their email account, Facebook and Twitter, online banking, eBay, Washington Post and the New York Times, iTunes, Audible, XMRadio and Consumer Reports online, Del.Icio.us, Carbonite, DropBox and Instant Messanger Client (for three different platforms), and on and on and on.  As we grow towards the cloud, both in business and our personal lives, the need for a true two-factor universal identity management system is crucial for electronic security.

Security Drives the In-Security

The only thing excessive password rules serve is to generate the most insecure tool of all password protection – the 3M Post-it Note.  What happens when ridiculous rules are applied to end-user password creation?  The users’ write them on the nearest Post-it Note and stick it to their monitor.

I ended up with sore abs last week laughing so hard when I dropped in on a colleague who was having some troubles with his machine.  And what to my wondering eyes did appear, but two 3M Post-it Notes with passwords to cheer:

No kidding, this guy had four, count them, four different passwords right there in plain sight stuck to his desk for the entire world to Xerox into their inner memory banks.

Oh wait that’s right, you’re the type that would never dream of doing such a security circumventing type of activity.  Instead, you place your sticky-note in the top right corner of your inside desk-drawer where no one would ever think to look – certainly not the after-hours cleaning crew trained in the art of kung-fu change pilfering from the tops of desk drawer organizers.

Or how about the Excel spreadsheet with all five hundred passwords you have ever created right there on your Windows XP desktop.  Labeled, not surprisingly, passwords.xls.

The Problem Defined

Herein lies my reprove of common password security rules:

1. Make your password at least eight characters – I have no real issue with this especially on a Windows network where LanMan is disabled.  If your reasoning for more than seven characters is because of the LM Hash vulnerabilities, then why not force the Windows passwords to be 15 characters?  Or better yet, try turning off LAN Manager.  I like this rule because I’m too lazy to try and guess much more than four or five characters.  After that, computers make the guessing easy.
2. Add at least one number.  Really?  Just one?  And who, when their password gets rejected for this rule, doesn’t just add the number ‘1’ to the end of their recently rejected creation?
3. Change your password at least every nn days.  And why exactly is this?  So that if the password is compromised, suddenly it will be different?  If the end-user finally remembered their password now they could write a new one on a Post-it and stick it to their monitor?  Right, instead of rolltide1, I would never think to try rolltide2, or rolltide3.
4. Add at least one special character.  This is the security/insecurity piece de resistance.  For those not fluent in 1337 speak, this is the equivilant of the Ovaltine secret decoder ring Ralphie Parker used in Jean Shepard’s 1983 film, A Christmas Story.  Instead of typing a ‘t’ you substitue with the leet equivilent of ‘7’.  Instad of the letter ‘s’ you substitute with ‘$’ and so on until ‘cromptonsucks’ ends up looking like ‘cR0Mp70N$uCks’.  What an ingenious scheme, for I never knew it was harder for a computer program to generate the letter ‘a’ than the symbol ‘@’.  And, of course, all of those extra symbols and wing-dings certainly would never drive us non-creatives to falter and reach for the nearest Post-it, lest we forget our super-secret creation.

A Solution

My proposal, if nothing more than to make the Security Elite cringe with disdain, is to create for yourself three passwords, using the following rules:

1. Password 1: should be really easy to type and remember.  You would not mind sharing it with a close friend if you had to.
2. Password 2: should be semi-difficult.  Try at least eight characters and add at least a number or two – and not the number 1 at the end!  Think of something no one would guess and you won’t forget.  Try an acronym like ‘There Are 9 Planets In The Solar System” (oh shoot, that’s not right anymore?) and make it “ta9pitss”  You get the point.  If you like to ride motorcycles, don’t make it harley1 or iloveprincessleia or something anyone who knows you would guess.  My take is most people are lazy like me and view password guessing about as entertaining as watching paint dry.
3. Password 3: make this one difficult.  And long.  And add all the doofy security stuff.  don’t ever give this one out.

Remember these three passwords and don’t write them down anywhere.  Now that you have your three stooges, put them to work:

1. For the sites you really don’t care about and don’t hold any personal information, use your easy password.  Use your easy password for things like Facebook and Twitter.  Think about all of the not-really-big-deals you work with every day.  It’s probably not going to break you if someone hacks into your AIM account or steals your Consumer Reports online information.
2. Use the next difficult password for those borderline sites.  Would it really hurt if someone hacked your Facebook account?  There should be no financial information and everything posted is known to the world anyway, or at least anyone that matters to you.  How about your Hotmail account?  You decide, but if you have a decent, medium-level password, your chances of getting hacked are slim and the ramifications of a hacked email account are normally not life-threatening.
3. Save the third and most difficult password for the financially damaging tools.  Use it on your Paypal (and eBay since they are so close) account, online banking and investing.  Use it anywhere you have financial information stored.   You wouldn’t want someone to hack your Amazon account and start One-Clicking 60” Plasma’s to an alternate address, right?  And try not to store it in the ‘saved passwords’ section of your favorite browser, either.

Most importantly, be smart.  Watch where you surf and where you click.  If you don’t know what a phishing scam is, use the Internet and study up a bit.  Understand that a ‘Yes’-‘No’ box could easily read ‘Click Here for A Virus’ and ‘Click Here for a Virus, too’.  The programmers’ determine what the boxes say, not the browser.  And please, don’t write your passwords down.  On a Post-It note.  And Stick it on your desk!