Passwords, passphrases, and practical use.

21 August 2008

One of the most annoying things about the modern world is that pretty much everything you're likely to use these days, from your network login at work to your webmail account to your bank's website, requires a username and password before you can actually do anything. Way back when, this wasn't such a big deal - people chose easy-to-guess passwords for their accounts and left it at that. Later on, admins discovered that crackers wouldn't spend hours on end guessing passwords by hand; they'd spend a few hours writing software to do it for them (software you can find on the Net with a couple of clever web searches), and accounts would fall. Admins finally got with the times and required users to choose more and more complex passwords with capital as well as lowercase letters, numbers, and the odd punctuation mark, combinations that won't show up in a dictionary. The catch is that cracking software mutates dictionary words with exactly those odd characters, so a dictionary word with a digit and an exclamation point tacked onto the end is among the first things it tries, and bolting a couple of symbols onto a word buys less than people think. Meanwhile passwords start looking more and more like line noise, and because people can't remember them, they wind up written down on sticky notes and left in desks and under keyboards. When people do remember their passwords, they often use the same one everywhere so they don't have to remember another string of line noise, which means one compromised site hands the attacker every other account too. Many people think their passwords need to look like line noise, when in fact they don't. Passwords need to be unpredictable and not in the dictionary, but they also need to be easy to remember. The obvious answer is to use passphrases - groups of words, numbers, and symbols that are close enough to English to be easy to memorize but extremely difficult to stumble upon. It isn't terribly difficult for someone to remember a two-word phrase, is it?

"diagramme delicatessen"

There. Could use some work, though. Let's say that the service this password is for doesn't accept spaces in usernames or passwords (and you can't visit the devteam to whip them with a wet noodle), so we'll replace the space with something else.

"diagramme999delicatessen"

Better. We've got two character classes represented now (letters and digits), but three is really better, because every class a cracker has to mix in multiplies the number of candidates it has to try.

"DIAgramme999delicatesSEN"

It's a bit trickier to remember, but if you remember the pattern (word, numbers, word, with the first three and last three letters capitalized), you can associate it more readily with the service and username in your long-term memory. You can just as easily come up with another general pattern for your passphrases:

"diagramme621delicatessen"

"^^diagramme621delicatessen$$"

"diagramme====621DELICATESSEN"

(For pity's sake, don't use these passphrases anywhere!)

Feel free to riff off of this and come up with your own schemes. The more schemes you use, the less one leaked passphrase tells an attacker about how the rest are built. Just don't count on the pattern staying secret; the words and numbers themselves have to carry the weight, and two words plus a few digits is not a huge space once somebody knows to look for it. Try three words. Or four. Hell, try an entire sentence in your native language... you can remember a sentence with eight words in it, right?
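To make the two points above concrete - that crackers mutate dictionary words rather than guess at random, and that more words beat more line noise - here is a small Python model of a rule-based dictionary attack next to a search-space estimator. This is an added example for this post, not the author's code or any real cracker: the wordlist, the mangling rules, the suffix list and the sample passwords are all constructed for illustration, and unsalted SHA-256 stands in for whatever hash a target system happens to store. The "two words from a 50,000-word dictionary" figures are assumptions about the attacker's wordlist, not measurements.

```python
"""Toy rule-based dictionary cracker and a passphrase search-space estimator.

Added example for this post, not the author's code. The wordlist, mangling
rules and sample passwords below are constructed for illustration; real
crackers ship with wordlists of millions of entries and hundreds of rules.
"""
import hashlib
import itertools
import math

# Constructed stand-in for a dictionary wordlist.
WORDLIST = ["password", "diagramme", "delicatessen", "letmein", "dragon", "monkey"]

# Constructed suffix rules: the "append some digits or punctuation" mutations
# every cracker ruleset contains.
SUFFIXES = ["", "1", "123", "!", "999", "2008"]


def hash_password(plaintext):
    """Unsalted SHA-256 stands in for whatever the target system stores."""
    return hashlib.sha256(plaintext.encode()).hexdigest()


def case_variants(word):
    """Case mutations a cracker applies to a dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[:3].upper() + word[3:]  # "DIAgramme": a rule can target this too


def leet(word):
    """The classic a->4, e->3, i->1, o->0 substitution."""
    return word.translate(str.maketrans("aeio", "4310"))


def mangle(word):
    """Single-word candidates: (case variants + leet) x suffixes, deduplicated."""
    seen = set()
    for base in list(case_variants(word)) + [leet(word)]:
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def candidates(wordlist, words):
    """Every candidate built by gluing `words` mangled dictionary words together.

    words=1 is a plain rule-based attack; words=2 is a combinator attack,
    whose cost is the square of the single-word candidate count.
    """
    single = [c for w in wordlist for c in mangle(w)]
    for combo in itertools.product(single, repeat=words):
        yield "".join(combo)


def crack(target_hash, wordlist, words=1):
    """Return (plaintext or None, number of guesses made)."""
    guesses = 0
    for candidate in candidates(wordlist, words):
        guesses += 1
        if hash_password(candidate) == target_hash:
            return candidate, guesses
    return None, guesses


def search_space_bits(words, dictionary_size, digits=0, case_patterns=1):
    """log2 of the space an attacker who knows the scheme must search.

    Assumes the scheme itself is known to the attacker; only the chosen
    words, the digits and which case pattern was used are secret.
    """
    return (words * math.log2(dictionary_size)
            + digits * math.log2(10)
            + math.log2(case_patterns))


def random_chars_bits(length, alphabet_size=95):
    """log2 of the space for `length` characters drawn from printable ASCII."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw, words in [("Password1", 1),
                      ("diagramme999delicatessen", 1),
                      ("diagramme999delicatessen", 2),
                      ("DIAgramme999delicatesSEN", 2)]:
        found, n = crack(hash_password(pw), WORDLIST, words)
        print(f"{pw:28} words={words} -> {found!r} after {n} guesses")
    print(f"two words + 3 digits, 50k dictionary: {search_space_bits(2, 50000, 3):.1f} bits")
    print(f"four words, 50k dictionary:           {search_space_bits(4, 50000):.1f} bits")
    print(f"8 random printable characters:        {random_chars_bits(8):.1f} bits")
```

Two things to take from running it. First, the single-word attack finds "Password1" in a handful of guesses but never finds "diagramme999delicatessen", because no single mangled word produces it; the attacker has to switch to a combinator attack, and even with this six-word toy list that squares the work (180 candidates become 32,400). "DIAgramme999delicatesSEN" survives the combinator pass too, simply because the last-three-letters-capitalized twist isn't in the toy ruleset - which is the point about varying your schemes, and also the warning not to lean on it, since a rule for it is one line away. Second, the estimator shows that two dictionary words plus three digits (about 41 bits against a 50,000-word list) are actually a smaller space than eight random printable characters (about 53 bits); it is the third and fourth word that push a passphrase past the line-noise password (four words alone are about 62 bits) while staying something you can remember.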

Now that you know how to generate a good passphrase, you need to apply it (a different passphrase each time, not the same one everywhere) to more than just your Hotmail account and the network at work. Or your home computer. Or your laptop, which you carry around everywhere you go. Or any of your cryptographic software.... but I'll get to that in a later post.

Okay, so this isn't the most glamorous post I've made in a while, but it's something that a lot of people still don't pay any attention to. Passwords are what you use to authenticate who you are to a computer or a service - they're a secret that proves that you are the person who's really supposed to use that account and not someone looking to go through your mail, or worse, send mail while pretending to be you.



This work by The Doctor [412/724/301/703] is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.