The Future Of Passwords

My job makes us change passwords every mumblemumble months, and seemingly every time, there's a new policy: must use uppercase and lowercase letters. Must include letters and numbers and special characters. Must not have been used in last two password changes. Must include DNA sample and ranked order of least favorite to most favorite Beatles albums. And so forth. I hate Password Changing Day even more than I hate Daylight Savings Time, because it throws me off every time I have to enter a password, which is ten or twelve times a day, sometimes more.

This person thinks she has a better concept. What if you could have a color, or a shape, or series of shapes, as your password?

I know that the notion of forcing users to change default passwords is, for some unfathomable reason, controversial, but if a password were to be changed from default, then I should think that making a password both difficult to guess and easy to remember would be a good thing.


Where's that xkcd comic again?

I think two-factor identification is under-utilized in IT and physical security. Keep the same password, just require something biometric also. Frustration drops, identity validation goes up.

When passwords are seldom used, the user often resorts to ridiculously insecure methods of storing them. They write it down on post-it notes or they use a dubious 'password keeper' program that really is nothing more than a cloud-based knox box.

Who knows how secure those applications really are...

For every action, there is an equal reaction.

This seems especially true with IT security. At first glance, this new concept seems great, but in the back of my mind something tells me it would only be months until some hacker figures a way to crack that also. But, I guess we still have to at least try to keep one step ahead of the dark side of IT.

My favorite password pet peeve is the lack of uniformity among password requirers. I have places I would consider critical (where identity theft would cause serious headaches) that have somewhat lax password policies and other places that are just for fun and games with ridiculously complicated password requirements.

What freaks me out are websites that send your password by email in plain text, like, "Hi John, thanks for signing up. Remember, your password is 'JohnSuperSecretPassword'."

Have you ever asked them why they think it's ok to do it? One time I was told that since they use Secure SMTP to send the message, and as long as I use https to read my webmail, that it's encrypted the whole way. Which is about 99% accurate. Just as long as no mail relays are used, and as long as you don't mind your email provider taking a peek at it when he switches out the SMTP lock for the HTTPS one...

Ah passwords. A pet hate. xkcd nailed it.

It seems odd to have security questions or password reminders such as pet's name, first car, first school in this age of Facebook where some people discuss such things openly.

I like when you can make your own combination of question and answer pair.

I usually do something like (for example): "what color is the sky"

Answer: basketball

Good luck guessing that :)

I agree, these policies are tedious and useless.

Human guessing and automated attacks against on-line systems are not so difficult to defeat with a reasonable password. This is because they're slow or limited.

Attacks against hashed passwords are increasingly difficult to defeat given the incredible speed of hardware based brute force methods--which only get faster every day.

So, increasingly, what's the point of crazy password policies like these?

I'm with Brian--two key authentication is the way to go.

I have to wonder how many computers Ms. Hill uses. In my daily work and home life, I deal with at least a dozen computers regularly.

So what's the solution? An on-line password manager? That would work (maybe) for the computers that have access to the web but I also work with a system that doesn't. Multiple instances of a local password manager? OK, but shouldn't each "instance" have a separate, unique, password? I assume that's what pundits would recommend.

Biometrics would be great but how do I add a thumbprint device to my phone? Voice recognition? Would I then have to be certain no one is within hearing range when I want to check the value of my stocks or my bank balance? That's also why I hesitate to use S Voice or Voice Search on my Galaxy despite my big fingers constantly causing misspellings.

Besides, talking to one's phone just plain shouts "GEEK". Sort of like the people who wear Bluetooth devices and talk on the phone through them everywhere. You know who you are...

I have 110 passwords in my password keeper. Given that many different systems, no single password policy will suffice on all of them, and of course I'm not supposed to use the same password anyway, right?

I have a relatively easy to use mental algorithm that lets me pseudo hash the name of the system I'm trying to access with a common key I use for most passwords, combined with a rotating symbol and number system to support password expiration.

But like I say, this is all a bit pointless given that most on-line systems limit the frequency and total number of guesses allowed, while attacks against the hash itself (which in theory is non-trivial for an attacker to get) are on the order of 100 billion guesses/second with today's hardware--making even "strong" passwords crackable.
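As an added example (not from the thread), this Python script puts numbers to the online-versus-offline comparison made in the comments above: the 100 billion guesses/second offline figure quoted in the thread, against a throttled login, plus a deliberately slow password hash as the defender's lever. The throttled rate (10 guesses/minute), the slow-hash rate (10,000/s) and the 2048-word list are assumptions; the 28-bit figure is xkcd's own estimate for a "Tr0ub4dor&3"-style password.

```python
import math

# Guess rates in guesses/second. The 100 billion/s offline figure is the one
# quoted in the thread; the other two are constructed assumptions for this
# example: a login endpoint throttled to roughly 10 guesses/minute, and a
# deliberately slow password hash (bcrypt/scrypt class) at 10,000 guesses/s.
RATES = {
    "online, throttled (10/min)": 10 / 60,
    "offline, fast hash (1e11/s)": 100e9,
    "offline, slow hash (1e4/s, assumed)": 1e4,
}

# Candidate spaces an attacker must exhaust in the worst case.
# The 28-bit entry is xkcd's estimate for a 'Tr0ub4dor&3'-style password.
CANDIDATES = {
    "8 random printable chars": 95 ** 8,
    "4 random words, 2048-word list": 2048 ** 4,
    "human pattern (xkcd ~28 bits)": 2 ** 28,
}

def entropy_bits(candidates: int) -> float:
    """Bits of entropy for a uniformly random choice among `candidates`."""
    return math.log2(candidates)

def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second

def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"

def compare() -> dict:
    """Exhaustion time (seconds) for every password class against every rate."""
    return {name: {rate_name: seconds_to_exhaust(n, rate)
                   for rate_name, rate in RATES.items()}
            for name, n in CANDIDATES.items()}

if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name} ({entropy_bits(CANDIDATES[name]):.1f} bits)")
        for rate_name, secs in row.items():
            print(f"  {rate_name:38s} {human_time(secs)}")
```

The same 8-character policy password that would take a billion years against a throttled login falls in under a day against a fast hash at 1e11/s, and the slow-hash row shows that the storage choice, not the complexity policy, is what moves that number.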