FlyerTalk Forums - View Single Post - Password "security" ?
Old Jan 22, 2016 | 10:20 am
  #14  
lwildernorva
Join Date: Aug 2010
Location: ORF
Programs: Amex Plat, AA, BA Silver, Marriott Plat, Choice Gold, HHonors Gold, IHG Diamond
Posts: 3,860
Principles of mathematics explain the rules of password security pretty well--since they're used both by security personnel and hackers--so that you can understand the rationale for your IT department's rules. Ignoring for the moment the likelihood of use of a popular password--such as "password"--the limit of password possibilities is established by the number of available characters with the number of characters in the password indicating the number of times I multiply the number of available characters against itself. The keyboard I'm using for this post has 92 different possible characters, counting each letter twice for uppercase and lowercase (thus, the rationale for some IT departments requiring at least one uppercase letter in a password).

For the purposes of an example, I'll also ignore normal minimum password length rules for a moment (although the example illustrates the reason for the rule). If my password is 2 characters long and the password can contain any character--no spaces and no nulls--there are 8464 possible passwords. Give me reasonable access to a computer (a weekend) and no lockout program, and I don't need to use a software program to figure out the password--I'll just keep entering character combinations until I happen on the right one. Now, add in insight into the human probability of using something standard, such as the words "an," "on," "at," or even "pm" or "TD" or the number "10," and I may not need a whole weekend to figure out a password. As you can imagine, a hacker using a computer program can figure out that password in much less than a second.

Now you can see why many password security protocols require at least eight characters for a password as well as numbers, uppercase letters, and symbols (since that uses the full character keyboard rather than just the subset of lowercase letters, which yields only 676 possible two-letter password combinations). Under the same assumptions as above, there are now over 5 quadrillion password possibilities (92 to the eighth power as opposed to 92 squared). You've completely taken human interaction to solve a password out of the equation, but computers can still figure this out within an hour. And now, more sophisticated probability programming (lazy users are more likely to use a word than nonsense thus the dictionary attack gfunkdave references and hackers also eventually figure out that folks will substitute a "1" or "!" for "i" or "I") can shortcut the search by promoting certain more likely combinations instead of pursuing a brute force attack--which makes sense because the longer the password, the more complex the password so a more sophisticated method of attack must be employed.

Finally, the requirement for changing passwords recognizes that with enough time to search, there is no secure password, no matter how long or confusing you've made it. Now, most confusing passwords will withstand attack for a very long time, but as an extra layer of security, IT departments, such as my employer's, have made it a requirement that you change your password every 90 days. The random password generators out there take this principle to its logical conclusion: if your password constantly changes, there is an even lower likelihood that it'll ever be cracked.

So yes, this stuff works, but it's just like putting lighting up around your house, installing locks, getting a guard dog, and buying a security service to monitor your home. The principle in both situations is to decrease the likelihood of something bad happening, but there's no way to eliminate the possibility.

From my perspective, my accommodation to these necessary levels of security is to use an organizing principle to generate my passwords while trying to exceed the minimum security rules--in effect, a more sophisticated application of the use of a familiar name, such as your kid's or your dog's, to create a password. I tend to use my personal interests--golf and travel--to generate passwords that are easy to remember while somewhat more difficult to crack. And I try to consider less used characters (I think we know "1", "!", "@," and "3" are pretty well trod) but in a place where I'd expect them to be.

As a result, last fall, I went to the Outer Banks of North Carolina for a week. My password at work leading up to that trip was "OBX--October." Not impossible to crack, but a lot harder than "OBX". I've also used "I loved playing Pebble!" since the security protocol at work allows spaces between words--not all do. Even something as simple as my hometown, "Norfolk, Virginia" becomes a relatively difficult password to crack because I've used a comma and spacing--still two things that aren't as likely to be used in passwords. This is still an easy password (and organizing principle) to remember while creating something harder to crack than "password1." Since I generally have some trip upcoming, I can also change the password more frequently than every 90 days to account for my next trip.

I realize this post was a bit long, but I think it helps to understand the reasons your IT department pushes the rules they do.
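The keyspace arithmetic in the post (92 keyboard characters squared, 26 lowercase letters squared, 92 to the eighth) and the "promote the likely combinations" shortcut it describes, worked through as an added example that is not part of the original post. The wordlist, the substitution table and the guess rate are constructed assumptions for illustration.

```python
import math

# Character-set sizes used in the post: 92 printable keys on the author's keyboard,
# 26 when only lowercase letters are used. All other values below are constructed.
KEYBOARD_CHARS = 92
LOWERCASE_CHARS = 26

def keyspace(charset_size, length):
    """Distinct passwords of exactly `length` symbols from a `charset_size` alphabet."""
    return charset_size ** length

def bits_of_entropy(charset_size, length):
    """log2 of the keyspace: how many binary yes/no decisions a perfect search needs."""
    return length * math.log2(charset_size)

def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst case for a pure brute-force search that tries every candidate once."""
    return keyspace(charset_size, length) / guesses_per_second

# Constructed toy wordlist plus the "1"/"!"-for-"i" style swaps the post mentions.
TOY_WORDLIST = ["password", "obx", "norfolk", "welcome"]
LEET = {"i": "1!", "a": "@", "e": "3", "o": "0"}

def mangled_forms(word, max_digit=9):
    """Case variants, single-character swaps and one trailing digit for one word.
    This is the 'promote the likely combinations' shortcut from the post."""
    forms = {word, word.capitalize(), word.upper()}
    for ch, subs in LEET.items():
        for s in subs:
            forms |= {f.replace(ch, s).replace(ch.upper(), s) for f in forms}
    return forms | {f"{f}{d}" for f in forms for d in range(max_digit + 1)}

def found_by_dictionary(password, words=TOY_WORDLIST):
    """True when a password is reachable from the toy wordlist by those rules,
    i.e. it falls without the 92**8 brute-force budget ever being needed."""
    return any(password in mangled_forms(w) for w in words)

if __name__ == "__main__":
    for size, length in [(LOWERCASE_CHARS, 2), (KEYBOARD_CHARS, 2), (KEYBOARD_CHARS, 8)]:
        print(f"{size}^{length} = {keyspace(size, length):,} "
              f"({bits_of_entropy(size, length):.1f} bits)")
    # 1e9 guesses/s is a constructed rate for an offline attack on a fast, unsalted hash.
    print(f"92^8 at 1e9/s: {seconds_to_exhaust(92, 8, 1e9) / 3600:.0f} hours worst case")
    for pw in ["password1", "P@ssw0rd", "OBX", "OBX--October", "Norfolk, Virginia"]:
        print(f"{pw!r:22} dictionary+rules: {found_by_dictionary(pw)}")
```

The comma and space in "Norfolk, Virginia" keep it outside the toy rule set, which is the point the post makes about less-used characters; the defender-side use of this check is a password policy that rejects candidates the rule set reaches.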