xkcd has a cartoon that beautifully explains why strict password rules have brought us to a pass where it remains relatively easy for a computer to hack the password. But very difficult for people to remember them.
My company, like most large corporates, has a password policy that forces the use of numbers, large caps, special chars and minimum password length. The password expires in a month and you can’t use the last 20 (I think) passwords. The strict policy lives up to its promise. It is a unique password that I don’t use for any other service, that has enough gobbledygook in it to render it unguessable to human beings.
I also use a few financial services that are, or should be, concerned about security. Even if they weren’t, I do try to create strong passwords for them since they have my money. But its not so simple.
- My broker in the US doesn’t allow special chars
- My broker in India allows only a 7 character password (no more, no less). Strange, but true.
- My bank in the US has a strong password policy. Not as strong as my company’s but close. No expiry rules.
- My bank in India allows weak passwords but requires me to enter my password on a virtual keyboard. I guess they are more worried about keyboard loggers than the others.
Having the same password for all such services would make my life much simpler. But I can’t. Because they won’t let me.
Some security experts think that that may not be a good idea anyway. If you have the same password for many services and someone cracks one of them, they get control of all services. OK, but then isn’t that true about OpenID too?
Actually, I do have different passwords for different services. Partly because I have no choice. But even for services where I could have a common password, like the social media sites, I don’t. I have seen many people lose control of their Twitter, Facebook or email accounts because they got hacked. Scares me to death.
Which is all very nice and secure. Until it comes time to recall passwords.
The truth is that you can’t remember all these passwords. So you store them somewhere. And the moment you store them somewhere, a hacker is one password away from taking over your life.
I don’t see an easy solution to this. Long phrase passwords, as xkcd suggests, might work well because they are easy to remember but hard to hack. But no password policy implementation can detect the difference between your full name and father’s name (terrible password) and a collection of random words (great password). Maybe an OpenID type service that requires a hardware token like SecurID could offer both ease of use and high security.
Till then, there’s always post it notes.
It has got so ridiculous (esp the rules that mandate you to regularly change the passwords), that I’ve taken to writing the critical ones out on paper and no, I am not going to reveal where I store the paper:-)
Basab, how about id through biometric devices? I think that will probably be the future to resolving this multiple password redundancy. Ofcourse, we need to have more biometric reading devices built into PCs, Smartphones and the like for multiple modes of access.
– Have a max 3 passwords (you can not enter last 3)
– And then enable image based ones (“Captcha” – autogenerated) for complete login (GMail is using for ages!)
– Want to make more secure, add one more level like Sec Question, Dep. Code etc.
That should be suffice for current time (may not be in next 3/4 years). But the infrastructure has to change. Not many want to do that, so add (read just “configure”) so that 20/30 old passwords are to be remembered).And paradoxically, SSO is being talked by the same folks.
Biometric, finger prints, eye scans, voice recognition etc. are just too much complication for IT companies.
use a tool like passwordsafe
http://passwordsafe.sourceforge.net/ ; rock solid and is useful for backups as well!
Also helps in generating passwords based on different password policies.
How was authentication done in Minority Report? That seems to be the golden standard?
gave new meaning to the word “hacker”! More like “gouger” though.
Really nice article, thanks for sharing valuable information.