Peter’s Soapbox
The Purpose of Passwords
August 19, 2006 on 8:53 pm | In Techspeak |
If my clients are any indication, most people think that the purpose of a password is one of the following:
- a way for their consultant/system administrator to make their system harder to use,
- an inconvenience,
- their name,
- their birthday,
- the word “password.”
Let me set the record straight. The purpose of a password is to keep your computer, and the information on it, secure.
Yes, passwords are somewhat inconvenient. That’s the point. A wise person once said “security and convenience are inversely proportional.” Given that, the cost of security is a little convenience. I am consistently amazed at people who resist having any passwords whatsoever on their systems because they are “hard to remember.”
Yet they somehow manage to remember scores of seemingly random 10-digit numbers. If you doubt me, ask yourself what your home phone number, work phone number, cell phone number, and significant other’s phone numbers are and tell me I’m wrong.
A password also serves to keep out viruses and worms. Many malware programs look for accounts with blank passwords and use them as a way to gain access to systems. These can usually be thwarted by any password at all.
But a cracker (or hacker, to use the more popular terminology) needs something a little tougher than that. This is why we recommend that all business computer systems have a strong password. What is a strong password? I define it as:
- Being at least 8 characters long.
- Consisting of a mix of upper and lower-case letters, numbers, and at least one NON-numeric, NON-alpha character, such as !@#$%^&*(). (Think “cartoon swearing”).
When I say this, most people immediately respond by saying “how are you supposed to remember that?!?” Well, despite those requirements, it does not have to be difficult. Just get a little creative. For example, “2TrainTracks!” meets the requirements. It’s longer than 8 characters, has upper-case and lower-case letters, a number, and a non-alpha character. It’s not that hard to remember two train tracks, is it? No. Just remember that the two is a number, capitalize the T’s, and put an exclamation mark at the end, and you’re all set. If you have trouble remembering it, use it to log on to your computer, then log off. Repeat this process five times in a row and I guarantee you’ll have the password memorized by the last logon.
Then, approximately 42 days later, you can pick a new one.
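As an added illustration (not part of the original post), here is a small Python checker that encodes the strong-password rules above exactly as the post states them and reports which rules a candidate fails. The sample passwords in it are constructed for the demonstration; “2TrainTracks!” is the post’s own example.

```python
MIN_LENGTH = 8  # the post's minimum length


def password_failures(password: str) -> list[str]:
    """Return the rules from the post that `password` does NOT meet.

    Rules: at least 8 characters; upper-case and lower-case letters; a number;
    and at least one character that is neither a letter nor a digit, such as
    !@#$%^&*(). An empty list means the password is strong by the post's definition.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    # "cartoon swearing": anything that is neither alphabetic nor numeric
    if not any(not c.isalnum() for c in password):
        failures.append("no non-alphanumeric character")
    return failures


def is_strong(password: str) -> bool:
    """True when the password meets every rule in the post's definition."""
    return not password_failures(password)


if __name__ == "__main__":
    # Constructed samples: the post's own example, a blank password, the word
    # "password", a first name, a birthday as digits, and a name-plus-year.
    samples = ["2TrainTracks!", "", "password", "peter", "08191960", "Peter1960"]
    for pw in samples:
        if is_strong(pw):
            verdict = "strong"
        else:
            verdict = "weak: " + ", ".join(password_failures(pw))
        print(f"{pw!r:18} {verdict}")
```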
1 Comment
[...] The account was hacked by a brute force attack, so there’s nothing that could be done. While this is certainly possible, it is more likely that the user logged on to a machine that was somehow compromised by spyware which logged the user’s keystrokes and phoned home with them. The best thing you can do in the case of a brute force attack would be to have a strong password, which is 8+ characters long, and contains a mixture of upper case, lower case, numeric, and non-alphanumeric (think “cartoon swearing”) characters. See this post on some ideas for picking a strong password. [...]
Pingback by Peter’s Soapbox » Basic World of Warcraft (and PC) Security Tips — January 3, 2008