Terminally Incoherent

Utterly random, incoherent and disjointed rants and ramblings...

Monday, September 06, 2004

Do you use a strong password?

I simply can't make myself use strong passwords... I know I should. But I have no memory for numbers - these things just do not stay in my brain unless they carry significance. I really do need mnemonic devices to remember numbers. But if a number has mnemonic significance then it is not truly random - and there exists a strong correlative link between me and my password (if a number is significant for me, then someone could possibly see this significance). And despite that I still use words and significant numbers.

I do not think I'm vulnerable to a standard dictionary attack though - I do use capitalization, I do not use real words that could be found in a dictionary, and I do use numerical values. Still, there is no way I could remember a truly random password of an acceptable length... But then again I guess I'm still pretty good at the password deal.

After all I know people who absolutely refuse to use passwords. In fact this applies to 80% of our user base at work. They will tell me to just make the thing store their four-letter dumb-ass password because there is no way they will remember it. And of course what is best is the company-wide total abandonment of any kind of password security effort. A one-password-for-all-accounts policy, combined with a staff trained to blurt out their passwords over the phone, stick them on the keyboards, or abuse auto-login features in every piece of software they get, is scaring me a little bit...

But then when I think how much hassle it would be to actually re-train the users and change the password policy... It would simply be impractical for a few reasons:

  1. Our users do not remember passwords, and will lose them on a regular basis. Which means I will need to keep a database of everyone's password and be prepared to answer 10-20 password questions a week. And of course storing all the passwords in one place is essentially the same as the "one password for all" scheme we have now. All it takes is for someone to compromise my machine - and they have access to everyone else's password.
  2. Our email is hosted by an external company and so I can't change/reset passwords for the users whenever I want. I need to make a phone call and make the email/website guys do it. And that is always a hassle. Furthermore this makes the email account passwords essentially static, as users cannot change them themselves.
  3. If I decide not to store passwords, and users lose them, they will have to either send me the machine, or I will have to tell them the Administrator password over the phone - and then they are bound to write that down, send it to a coworker etc... If I make them send the machine each time I need to reset a password my boss will kill me or make me pay the FedEx bills. Either way - not secure and certainly not healthy for me.
  4. Only 2 machines I serviced so far did not have a full complement of trojans, keyloggers and other spyware installed on them. And these belonged to the dot-com era e-business developer turned financial examiner, and my boss, who is the only person who uses his work machine for work-only-related stuff. Everyone else had at least one keylogger lurking somewhere. So, since we have keyloggers running wild on these machines, there is already no password security to speak of.

So in the end I just acknowledge the fact that all the stuff going on here has no security whatsoever, and move on. At least the data we deal with is not super-confidential, nor is it all that interesting. And we do not need to answer to any security control entity. So unless someone is particularly interested in the latest audit of the company "X" we are too obscure to really become a target.

I know - this is really a horrible thing to say, but there is no way I'm stirring up so much trouble and making my users hate me with a passion just to bring our password security up a notch. Unless we have a good reason, the boss won't even hear of any security-related projects which will waste the time of the guys in the field and generally introduce so much hassle and confusion.

So since I'm not a BOFH I'll just keep things the way they were. And if people complain, I will be more than willing to fix these things somehow...


  • At Tue Oct 19, 10:56:00 PM, Blogger A. Student said…

    The problem with one-password-for-all is that it means 80% of your customers know the password of 80% of your other customers without even *needing* to hack into your computer.

    Would it work to use a one-algorithm-for-all technique instead: e.g., "Your password is the first four letters of your first name followed by the last three digits of your phone number"? Still not perfect, but slightly less easy to hack.

    For a strong password, I generally choose a couple/few words that have some significance to me, and change one or two of the words to numbers along the a=1, b=2, etc. system. Or you could use the phone abc=2, etc. system.
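As an added illustration (not part of the original post or the comment), the Python below sizes the guess space each scheme in this thread leaves once the construction rule itself is assumed known, and shows that the a=1, b=2 substitution is mechanically reversible, so a checker can undo it before a dictionary lookup. The wordlist and population sizes are constructed placeholders.

```python
import math
import re

# Constructed stand-in for a real wordlist; a real checker loads a large dictionary.
WORDLIST = {"cat", "dog", "blue", "horse", "coffee", "monday"}

def decode_digits(digits: str) -> set[str]:
    """Return every letter string whose a=1 ... z=26 encoding is `digits`.
    Digit strings are ambiguous ("212215" has 13 readings), but all readings
    are cheap to enumerate, so the encoding hides nothing from a checker."""
    if digits == "":
        return {""}
    out = set()
    for width in (1, 2):
        head, tail = digits[:width], digits[width:]
        if head and head[0] != "0" and 1 <= int(head) <= 26:
            letter = chr(ord("a") - 1 + int(head))
            out |= {letter + rest for rest in decode_digits(tail)}
    return out

def dictionary_hits(password: str) -> set[str]:
    """Split a password into letter runs and digit runs and report every run
    that is a dictionary word, directly or after undoing the a=1, b=2
    substitution. Capitalisation is ignored, as a cracking wordlist would."""
    hits = set()
    for run in re.findall(r"[A-Za-z]+|[0-9]+", password):
        if run.isdigit():
            hits |= decode_digits(run) & WORDLIST
        elif run.lower() in WORDLIST:
            hits.add(run.lower())
    return hits

def algorithm_for_all_guesses(distinct_first_names: int) -> int:
    """Guess space of "first four letters of first name + last three phone
    digits" once the rule is known: names come from a small population and
    three digits add at most a factor of 10**3."""
    return distinct_first_names * 10 ** 3

def word_scheme_guesses(dictionary_size: int, words: int) -> int:
    """Guess space of `words` dictionary words, each either left as letters
    or turned into its a=1 ... z=26 digits (two variants per word)."""
    return (2 * dictionary_size) ** words

def bits(guesses: int) -> float:
    """Express a guess space as bits of entropy for side-by-side comparison."""
    return math.log2(guesses)
```

Compare bits(algorithm_for_all_guesses(5000)) with bits(62 ** 8) to see how far the "one algorithm for all" rule falls short of an eight-character random password.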

