Monday, January 02, 2006

Password Security BS

Of all the stupid BS... Every few months I need to set a new password on one of the dozen systems that require me to memorize a password. And this new password can't just be a seven-character alphanumeric code; now I have to add a symbol to it as well. 'Cause you know... if I used the normal 7-character password, hackers would know there are only 62 possibilities at each of 7 positions.

And then (if they knew for sure that I used the minimum number of characters) there are only 3,522,000,000,000 potential passwords... and that's way too easy to hack? I believe the system is set up to allow only 3 password failures before you're locked out for 30 minutes. So an automated program would be able to crack my password within 67 million years.

Or if you want a different way of looking at it, guessing a random password on a single try is roughly the same as hitting the lotto twice in a row with only 5 tickets for each.

Here's a thought. Hackers aren't getting in because the search space is too small. They're getting in because people choose passwords that are guessable, or on lists of known passwords. So let's define the problem. It's not that the currently available passwords are insufficiently diverse, it's that people are choosing foolish passwords. The logical solution? Don't have people choose. I'd rather the system admins just assign a random 5-character sequence than go through this asinine game with stupid new rules every few months. Yeah, I might have to write it down somewhere, and it probably makes more work for the administrators ('cause everyone will forget passwords). While 5 characters is less secure than 7 (dropping the search time to only 17,000 years in the above scenario), you're probably safe if you reassign new passwords every decade or so...
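The numbers above check out. As an added example (not the blog author's code), here is Python that derives them from the stated lockout policy and 62-character alphabet, and contrasts them with the guessable-password case the post is actually worried about. The 94-character "with symbol" alphabet and the 10,000-entry list of common passwords are my assumptions.

```python
# Added example (not the blog author's code): reproduces the post's
# online-guessing arithmetic from its stated lockout policy.
from math import log2

ALPHANUMERIC = 26 + 26 + 10            # 62 symbols, as in the post
WITH_SYMBOLS = ALPHANUMERIC + 32       # assumption: 94 printable ASCII chars
MINUTES_PER_YEAR = 365 * 24 * 60


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * log2(charset_size)


def guesses_per_year(max_failures: int = 3, lockout_minutes: int = 30) -> float:
    """Sustained online guess rate against one account when the server
    locks it for `lockout_minutes` after `max_failures` wrong attempts
    (the post's policy: 3 failures, then 30 minutes out)."""
    return max_failures * MINUTES_PER_YEAR / lockout_minutes


def years_to_exhaust(charset_size: int, length: int,
                     max_failures: int = 3, lockout_minutes: int = 30) -> float:
    """Worst case: years to try every password of this length online."""
    return keyspace(charset_size, length) / guesses_per_year(max_failures, lockout_minutes)


def days_to_exhaust_list(list_size: int,
                         max_failures: int = 3, lockout_minutes: int = 30) -> float:
    """Days to try every entry of a known-password list under the same
    lockout; this is the case the post says actually matters."""
    return list_size / (guesses_per_year(max_failures, lockout_minutes) / 365)


if __name__ == "__main__":
    for label, cs, n in [("7 alphanumeric", ALPHANUMERIC, 7),
                         ("7 with symbol", WITH_SYMBOLS, 7),
                         ("5 random, assigned", ALPHANUMERIC, 5)]:
        print(f"{label:20s} {entropy_bits(cs, n):5.1f} bits  "
              f"{years_to_exhaust(cs, n):16,.0f} years")
    # assumption: a 10,000-entry list of common passwords
    print(f"10,000-entry list: {days_to_exhaust_list(10_000):.0f} days")
```

The 67 million and 17,000 year figures fall straight out of keyspace divided by the 52,560 guesses per year the lockout permits; the same lockout lets a short list of known passwords be tried in about two months, which is the post's point about guessability.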

Anyway, this "fix" is just a silly band-aid. People will still choose bad passwords, and sooner or later these new passwords will show up on password lists. So the users have changed passwords from "chocolate" or "ch0c0late" to "ch0c0late$". Consider me not impressed. And mildly irked.
