xkcd has a cartoon that beautifully explains why strict password rules have brought us to a pass where it remains relatively easy for a computer to hack the password. But very difficult for people to remember them.
My company, like most large corporates, has a password policy that forces the use of numbers, large caps, special chars and minimum password length. The password expires in a month and you can’t use the last 20 (I think) passwords. The strict policy lives up to its promise. It is a unique password that I don’t use for any other service, that has enough gobbledygook in it to render it unguessable to human beings.
I also use a few financial services that are, or should be, concerned about security. Even if they weren’t, I do try to create strong passwords for them since they have my money. But its not so simple.
- My broker in the US doesn’t allow special chars
- My broker in India allows only a 7 character password (no more, no less). Strange, but true.
- My bank in the US has a strong password policy. Not as strong as my company’s but close. No expiry rules.
- My bank in India allows weak passwords but requires me to enter my password on a virtual keyboard. I guess they are more worried about keyboard loggers than the others.
Having the same password for all such services would make my life much simpler. But I can’t. Because they won’t let me.
Some security experts think that that may not be a good idea anyway. If you have the same password for many services and someone cracks one of them, they get control of all services. OK, but then isn’t that true about OpenID too?
Actually, I do have different passwords for different services. Partly because I have no choice. But even for services where I could have a common password, like the social media sites, I don’t. I have seen many people lose control of their Twitter, Facebook or email accounts because they got hacked. Scares me to death.
Which is all very nice and secure. Until it comes time to recall passwords.
The truth is that you can’t remember all these passwords. So you store them somewhere. And the moment you store them somewhere, a hacker is one password away from taking over your life.
I don’t see an easy solution to this. Long phrase passwords, as xkcd suggests, might work well because they are easy to remember but hard to hack. But no password policy implementation can detect the difference between your full name and father’s name (terrible password) and a collection of random words (great password). Maybe an OpenID type service that requires a hardware token like SecurID could offer both ease of use and high security.
Till then, there’s always post it notes.