Generating secure passwords
One corporate blogger at Symantec recently wrote about the useless passwords that people use (with various lists placing “password”) at or close to the top of the list. His source contained some dubious claims (e.g. it claimed that one of the top passwords across Europe is “monkey”… maybe that is the case for English speaking Europeans but it’s unlikely to be the case in French, German, Spanish, Italian, Portugese, Greek, etc., etc.) but his point is valid – systems that require a password require one for a reason – usually to protect either the data contained in the system, or the reputation/identity of the person to which access is being granted or the company who operates the system.
As a concept, the idea of a username and accompanying password is flawed – ideally we would be using another form of identification and authentication – and that should use multiple factors (something I have/know/am) but in amongst the nearly 2 hours of drivel that was last week’s MacBreak Weekly podcast (note to self: drop this subscription from iTunes) was a little gem about generating new secure passwords. The panel was advocating the use of a utility such as OnePass to generate and manage passwords when one of them said he does something similar from the command line: Unix/Linux and Mac users can type
openssl rand -base64 6 to generate a secure 8 character password (the number on the end of the command needs to be multiplied by 4 thirds to get the length of password – more details of using OpenSSL to generate secure passwords are available at the tech-recipes website).
One man who knows an awful lot about security, Steve Gibson, has produced a secure online password generator but the 64-character passwords it generates are a bit extreme for most purposes – and “secure” passwords of any length create their own problem – they are totally unmemorable, so most users will resort to using some form of password safe (either online or offline), reducing the security considerably.
Then there’s the issue of password policy – some sites will limit the length of a password whilst others will require the use of special characters.
At work, I use a variety of corporate systems, some of which respect my Active Directory logon, and others (timesheeting, more timesheeting, mobile phone billing, self-service HR portal) which do not – each with it’s own password policy for password length, complexity, re-use and expiry. Then there are the hundreds of websites that I use and which require registration. It’s a usability nightmare – and many people will use the same passwords repeatedly – an identity thief’s dream.
I prefer to use a memorable passphrase, which is typically longer than a password and although it may include dictionary words they do not make up the entire password. For example, if my password needs to be changed and something is happening at that time that might be memorable I could use that – “2008HolidayinFrance” is memorable, easy to type and whilst it includes dictionary words it’s also 19 characters long so spotting the dictionary word placement might take a while for a password cracker.
Of course, there is no one answer – what works for me might not work for you. What I’m pretty certain of though is that “password” is not a good password and that re-using the same password (or variations on it) is not a good idea either.