1 April 2014

The minefield that is password generation

Search for 'password' and 'hieroglyph' on Twitter, and some variation of this joke pops up: "Sorry, your password must contain 1 uppercase letter, a number, a punctuation symbol, a haiku and your first-born". 

It may be taking things too far, but the the joke is barely a joke these days. Everyone understands that strong passwords are a must to prevent hackers from getting hold of your account. Easy passwords such as '123456' or 'password' as your password are typically banned in the corporate world, as are passwords which consist of letters only, or numerals only. 

Despite this, the recently announced Adobe hack has turned up the most common passwords used for Adobe accounts. As reported by Online Computers and Communications, '123456' takes the top spot with 1,911,938 accounts, while 'password' comes in third. Second place was '123456789', with variations of sequential digits in 7th and 11th place as well. The thing is, weak passwords are simply easier to remember.

Software is usually satisfied with a combination of numbers together with letters in both capital and small letters. To make them memorable however, passwords are often based on personal details - I know several moms who have created email addresses combining the names of their kids and their dates of birth, for example, and it seems likely this extends to passwords. Another cop-out is to use easy-to-remember key combinations, such as numbers and letters in straight lines. Unfortunately, these are too easy for the hackers and password cracker software.

In late December 2013, Scientific American wrote about a new way to create strong passwords. Essentially, you combine unlikely images together to create bizarre sentences, such as a cat driving a car, and then use these sentences in some way so as to come up with a password: 'lolspeed80' for example. The images should theoretically stick in your mind because they are so bizarre. And since the images, sentences and passwords derived would be unique to you, such passwords would be pretty hard to guess as well - a win-win.

Unless you forget that bizarre unique password, which is possible if you don't use the password for a long time or have to re-generate new passwords too frequently. Or what if great minds think alike and a cat-lover who drives picks the same two images that you did, derives the same sentence, and generates the same password? 

That's when Microsoft's TelepathWords comes into play. Visit the site and see if the tool can guess your password. Because if it can, so can a hacker.

One way of hedging on the risk is to require passwords to be changed regularly. Two factor authentication, such as offered by CA Technologies, is another way of gaining a bit more peace of mind. I know of organisations which require a separate dongle to be connected before a login occurs; and of course Singapore banks like DBS and UOB issue tokens that generate random numbers for online logins.

Nothing can be 100% safe, but it can certainly be made safer. Does your company have some way of ensuring that passwords are hard to guess and which are protected in other ways? It's worth considering adding some form of security if not.