Consumerist's password strategy and its limitations
The strategy outlined in this article (linked in the title) is somewhat similar to what I’ve done. But the article’s method doesn’t provide good security against social hacking: password theft from shoulder-surfing, inside access, keystroke logging, etc. Even if a scheme like this article’s is used, a savvy degenerate might deduce all of your passwords from discovering one and almost certainly deduce all of them from discovering two. If I found your Facebook and Twitter passwords to be 1Facdrat and 1Twidrat, I have a damn good guess at your Google and eBay passwords. I suggest devising a password pattern which calculates letters and numbers out of the brand names themselves, so you need only remember the pattern. A pattern that looks like real words or acronyms might further obscure the presence of a pattern.
8 appears to be today’s magic number - I’ve experienced minimums as high as 8 and maximums as low as 8. One day, more systems will accommodate 100+ character passwords, making whole sentences more sensible than weird patterns like this. Of course, by then we might be logging into more systems via biometrics.
Further, mandatory password changes are a wasteful anachronism from years ago. The time an average computer would require to cycle through a brute-force password discovery attack used to be measured in weeks - hence a 30-day password reset period was a reasonable measure. Now that comprehensive brute-force attacks can be run in the span of a few minutes to a few days, and more systems have back-end safeguards against brute-force password discovery, password expiration policy has become a liability. It’s quite common for people who have to regularly change their passwords to write them down nearby (!!!), rotate between two very simple passwords, or forget their new password and request a reset (almost inevitably setting the original password back up).
I would still suggest password changes every so often - perhaps every year on New Year’s (you’re just sitting at home anyway). The security concern isn’t attack by brute force, but someone who might’ve written one down or harvested your password and simply hasn’t used it yet (or hasn’t yet been discovered using it). However, these changes should come at a pace that you can comfortably absorb. A pattern that’s sufficiently obscure and sophisticated can accommodate a periodic password change securely with only a small amount of inconvenience.
Finally, I’m skeptical of password storage systems - they appear to represent a point at which a single failure can compromise your entire online presence.
To recap, I think a good password pattern should be:
- Easy to remember and easy to type! If it’s not quick, simple, and comfortable to follow, you’ll likely compromise its security.
- Incorporating upper case, lower case, numbers, and symbols. Be prepared to use additional letters for systems that don’t accept symbols.
- Structured based on the brand, but *not* in an easily-recognizable pattern.
- Have a built-in structure for periodic password changes (mandated or spontaneous).
- 8 characters. Again, there’s a small sweet spot between the minimum and maximum password lengths permitted by various systems.
Here is a sample password strategy, somewhat similar to what I use now:
- Characters 1 and 7: The number of password changes since inception, starting at an arbitrary number for the first password in this pattern. In this sample pattern, I’m going to start all passwords at 11 (as in this year +1, minus 2000 of course) and increment up by 1, but with the digits reversed, so the 5th password change will be 61 and the 10th password change will be 12. Most likely, you’ll only change a password a small handful of times; making the first digit the one that changes (usually) will hopefully make changes easier to remember.
- Characters 2 and 4: Take the first consonant and first vowel in the brand name, then use the alphabetically next consonant and the alphabetically next non-Y vowel after each: h and u based off of the G and O in google, c and e based off of the B and A in ebay. If a brand is missing consonants, vowels, or enough letters, do the best you can with what’s present. Examples: AAA.com might use b and e, SS.org might use t and u, X.com (remember the old PayPal name?) might use y and a.
- Characters 3 and 8: i and !. Now your password feels like shouting! Use an additional i at the end for systems that don’t accommodate symbols.
- Characters 5 and 6: the letters SH, capitalized. This will make for some funny-looking passwords - along with the exclamation point you’ll feel like a Japanese sorcerer when logging in.
Example passwords with the new pattern:
- google - 1hiuSH1!
- twitter - 1vioSH1!
- facebook - 1gieSH1!
- my last workplace, with periodic password changes - 3qiiSH2!
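To make the four rules above concrete, here is an added Python implementation of the sample pattern (my own code, not something the post provides). It reproduces the example passwords listed above and also spells out the edge cases the rules only hint at: the alphabet wraps around (X’s next vowel is a), Y is treated as a consonant, the domain suffix is ignored (the AAA.com example only works if ".com" is dropped, which I take as an assumption), and a brand with no vowel or no consonant falls back to whichever letter it does have as the base for both slots. The workplace example uses a constructed stand-in brand, "pear", chosen only because its first consonant and vowel are P and E; the post never names the employer.

```python
import string

# The post's "non-Y vowels"; everything else, including y, is treated as a consonant.
VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)


def _next_in(letter: str, pool: str) -> str:
    """Alphabetically next letter after `letter` that belongs to `pool`, wrapping z -> a."""
    idx = string.ascii_lowercase.index(letter)
    for step in range(1, 27):
        candidate = string.ascii_lowercase[(idx + step) % 26]
        if candidate in pool:
            return candidate
    raise ValueError("pool is empty")


def brand_letters(brand: str) -> tuple[str, str]:
    """Characters 2 and 4 of the pattern: next consonant and next vowel after the brand's first of each.

    Assumption: the part after the first '.' (e.g. '.com') is ignored, which is the only
    reading under which the post's AAA.com / SS.org / X.com examples come out as stated.
    """
    name = brand.lower().split(".")[0]
    letters = [ch for ch in name if ch in string.ascii_lowercase]
    if not letters:
        raise ValueError("brand contains no letters")
    first_consonant = next((ch for ch in letters if ch in CONSONANTS), None)
    first_vowel = next((ch for ch in letters if ch in VOWELS), None)
    # "Do the best you can with what's present": fall back to the other kind of letter.
    base_consonant = first_consonant if first_consonant is not None else first_vowel
    base_vowel = first_vowel if first_vowel is not None else first_consonant
    return _next_in(base_consonant, CONSONANTS), _next_in(base_vowel, VOWELS)


def derive_password(brand: str, changes: int = 0, start: int = 11, symbols_allowed: bool = True) -> str:
    """Build the 8-character password for `brand` after `changes` password changes.

    Characters 1 and 7 are the two digits of (start + changes), reversed, so the
    units digit (the one that changes most often) comes first.
    """
    counter = start + changes
    if not 10 <= counter <= 99:
        raise ValueError("counter must stay a two-digit number")
    tens, units = divmod(counter, 10)
    consonant, vowel = brand_letters(brand)
    tail = "!" if symbols_allowed else "i"  # extra i for systems that reject symbols
    password = f"{units}{consonant}i{vowel}SH{tens}{tail}"
    assert len(password) == 8
    return password


if __name__ == "__main__":
    # Constructed demo inputs: the three brands from the post plus the "pear" stand-in.
    for brand, changes in [("google", 0), ("twitter", 0), ("facebook", 0), ("pear", 12)]:
        print(f"{brand:10s} change #{changes:2d} -> {derive_password(brand, changes)}")
    print("google, no symbols allowed ->", derive_password("google", symbols_allowed=False))
```

Running it prints 1hiuSH1!, 1vioSH1!, 1gieSH1! and 3qiiSH2!, matching the list above; the fifth change for google comes out as 6hiuSH1! and the tenth as 1hiuSH2!, which is the 61 / 12 behaviour the first rule describes. Having the rule as a function also makes visible that the whole password is a deterministic function of (brand, change count), which is the property the post’s opening paragraph warns about for pattern schemes in general and the reason it insists the mapping from brand to letters be non-obvious.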