As I am shutting down my mostly inactive blog, I'll start my guest blogging career by reposting the few blog posts I made there. Here goes...
Well, that was funny! At least I thought so back in 1998, when I first saw that Dilbert strip. Like many others, I thought that there was no way we would ever subject ourselves to such a complex and draconian password policy. Little did we know then that 11 years later, the brutal reality is that we wish our password policies were that simple.
What's a good password, anyway?
Someone said: A good password must be impossible to remember and must never be written down.
As admirable as that goal may be, it's also slightly impractical. If we had the chance, we'd all have blank passwords on our accounts, or at least a statistically significant portion of us would. All kinds of people, heavily armed with anecdotal evidence and equipped with fatally flawed logic, have set out to create policies that dictate the complexity of our passwords, no doubt to protect us from ourselves.
Lately, a colleague of mine, who is passionately interested in all things password related, has been exposing me to a plethora of different password policies, and the resulting passwords. Here are a few of the more common rules found in those policies:
The Password must be 8 characters or longer (in some very rare cases, the number is 15).
Okay, that kinda makes sense. The longer the password, the harder it is to brute force. Except on Windows, where (thanks to the legacy LM hash, which splits the password into two 7 character halves and hashes each separately) it's just as easy to crack a 14 character password as it is to crack a 7 character password, but not a 15 character password. Because that's monumentally more difficult to crack, except when it isn't: The previously mentioned colleague of mine cracked my 38 character password in 2 days flat. If your dictionary is big enough, you can crack anything.
The Password must contain a mix of lower and upper case characters, and digits or special characters.
Again, kinda makes sense, or at least it used to before somebody mainstreamed hybrid dictionary attacks, which was what, 10 years ago?
The Passwords must not be (or contain) the user id or the real name of the user.
Well, this one actually does make sense in a Duh! kinda way. It's right up there with password must not be blank. Which of course no one in their right mind would do. Or would they?
The password must be changed every 3 months, and must not match a previous password.
Again, sorta makes sense, but the thing is (and I'll be talking some more about this in a later blog post) that people seem to love patterns. If you enforce periodic changes like that, along with restrictive rules about password length, format and content, you'll inevitably end up with passwords like Spring09, Summer09, Autumn09, and so on. Care to guess what the next password will be?
So far, so good?
In actuality, all the previous rules are technically possible to implement, and it's also possible to measure the compliance level. But it never ends there. As the brainstorming session drags on, and coffee and do-nut deprivation sets in (they ran out hours ago), somebody's bound to go "man, we've only got a 3 line password policy, there must be more we can put in there to make it look like we've actually done something!"
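To show what "technically possible to implement" looks like, here is an added example (my code, not from the original post): a checker for the four rules above, plus a small rotation heuristic of my own (an assumption, not something the policies in the post contain) that catches the Spring09 to Summer09 pattern the rules happily let through.

```python
import re

SEASONS = ("spring", "summer", "autumn", "fall", "winter")


def policy_violations(password, user_id, real_name, history=()):
    """Return the names of the four 'implementable' rules the password breaks.

    Rules: 8+ characters; lower + upper + (digit or special); must not
    contain the user id or any part of the real name; must not match a
    previous password. user_id is assumed to be non-empty.
    """
    violations = []
    if len(password) < 8:
        violations.append("length")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_other = any(c.isdigit() or not c.isalnum() for c in password)
    if not (has_lower and has_upper and has_other):
        violations.append("mix")
    lowered = password.lower()
    name_parts = [p.lower() for p in real_name.split()]
    if user_id.lower() in lowered or any(p in lowered for p in name_parts):
        violations.append("identity")
    if password in history:
        violations.append("reuse")
    return violations


def _split(pw):
    # Split "Summer09!" into ("summer", "09", "!"); None if it has another shape.
    m = re.fullmatch(r"([A-Za-z]+)(\d*)(\W*)", pw)
    return (m.group(1).lower(), m.group(2), m.group(3)) if m else None


def looks_like_rotation(password, previous):
    """Heuristic (constructed for this example): the new password is the old one
    with the season word swapped (Spring09 -> Summer09) or the trailing number
    bumped by one (Welcome1 -> Welcome2). The four rules above never check this."""
    new, old = _split(password), _split(previous)
    if not new or not old or new[2] != old[2]:
        return False
    word_new, num_new, _ = new
    word_old, num_old, _ = old
    if word_new == word_old and num_new and num_old and int(num_new) == int(num_old) + 1:
        return True
    if num_new == num_old and word_new != word_old and word_new in SEASONS and word_old in SEASONS:
        return True
    return False
```

Run against the post's own examples, Spring09 and Summer09 pass all four rules with zero violations, while the rotation heuristic flags the change.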
And this is when rules like these start showing up (notice how they're always at the end of the policy, never at the beginning):
The password should not be a word written backwards.
You know, I've never actually seen a password containing a word written backwards. Does that mean the rule works, or perhaps that nobody ever did that to begin with?
The password should not contain personal information that can be related to the user, such as name, social security number or phone number.
Hi! I am Mordac, the preventer of information services. Please enter all the personal information you can think of into this database, so that we can check against it every time you change your password. Oh, and keep it up to date forever.
The password should not be found in a dictionary.
Uhm, quick question: Which dictionary is that? The Merriam-Webster English Dictionary? Cassell's Dictionary of Norse Myth & Legend? The Oracle Data Dictionary? Or perhaps this 53 million word dictionary I just found on the internet? Actually, that last one wouldn't be such a bad idea...
A password should not be a common combination of characters, a word or a common combination of words found in dictionaries, or that is commonly used in a spoken language, regardless of language.
Yes. You read that correctly. Not only would they have you check all the world's dictionaries, but also all the world's spoken languages. Did I mention that there are nearly 7000 spoken languages in the world? There's some extra special kind of craziness going on with that rule. So, where does one find such a glorious example of an impossible-to-implement-or-verify policy? Why, in a governmental guideline for password creation, of course.
Suddenly, Mordac, the preventer of information services, doesn't look like such a bad guy.
In the end, I guess my question is: do these more or less ridiculous policies really help create more secure passwords?
To be continued...