Passwords ain’t nothing but trouble

You may be familiar with the standard script that your IT department gives you about password complexity: it must have 8 characters or more, at least one lowercase letter, one capital letter, one digit and one special character. If you are in IT, you may have even seen the Dilbert strip above and felt it hit home.

What’s with these requirements? It is the length and complexity of a password that determine how hard it is for a hacker with very little information about the user to crack it. The methods vary: for a password of just 6 characters, a “brute-force” attempt can be made by trying all possible combinations of six characters against a piece of encrypted text that is known to contain one’s password. For longer passwords, brute force rapidly loses effectiveness, so “dictionary attacks” are made instead, trying known common passwords and actual words (and simple variations of them). So “Pa$$w0rd” is a bad password, despite meeting every requirement stated in the first line.

The problem here is that the more complex and long the password becomes, the harder it is for the user to remember. This results in the worst problem of all: The password gets written down.

I have come across many posts over the years trying to cover this topic. I recall someone recommending passphrases on the basis that length and not complexity was key to making a password unhackable. Then there is this:

And yet we have missed something crucial. All of the discussion so far was about one password. I now have more than one hundred passwords, about twenty of which I use on a weekly basis. None of these methods is even slightly usable if we have to remember such a large number of passwords.

If we try to memorise them, we need to find some pattern with slight variations. If a couple of the passwords built on such a pattern are exposed, a person who is interested in getting your information may figure out the pattern. Some of the sites we use store passwords very poorly, sometimes even in clear text.

I mostly gave up on memorisation a few months ago and started using a password manager. This comes with its own set of problems. If, for some reason, the password manager is unavailable when one needs to log in, login may be impossible. If someone malicious (or merely mischievous) should get access to one’s unlocked password manager, one can get locked out of all one’s accounts. If the password manager is installed locally on one device, you still need some means of remembering passwords when using other devices. If it stores information that is accessible over the internet it can be used from many devices, but may be more vulnerable to attack.

What can we do? There are people working on that very question. Biometrics is one possibility for the future. We now have mobile phones that unlock upon fingerprint and finger-swipe identification and office doors that open using retinal scans. If these technologies gain wide commercial acceptance in the products we use, they may one day allow us to log in to websites and applications as well. Researchers have already shown that many of these technologies can be defeated in principle, but the products will keep improving.

New smart cards are brought out all the time, but they tend to share one flaw: they are easily lost or stolen. Technologies are now emerging that require the smart card in addition to a biometric or a simple memorised secret. For the sake of our security and convenience, I hope that passwords get replaced by something better in the next decade or two.

This essay was originally posted at my LinkedIn page:
