Improve your Security #1: Complex passwords aren’t always better

This article is the first in a series of technical advice on how to improve your IT security at home and at work.

To be honest, I hate passwords and PINs. Those of you who have more than one email address, account or bank card know exactly what I mean. To make things worse, these days it seems we need a password everywhere, recently also on credit cards in order to make online payments more secure. These passwords are so complex that it is hard to remember them. Of course, you are not one of those who use one password for all accounts. This is a very bad practice, because if someone gets your password, they can potentially track your username across many websites and impersonate you.

But let’s be realistic and leave our feelings aside: passwords are usually the first line of defense against unauthorized access. Often – when encryption with keys is not used – they are the only one. They protect your own personal information. If a password also gives you access to the company’s intranet, then it is also the key to the entire company’s network.

This article doesn’t intend to be a guide to making better passwords. There are plenty of resources on the Internet (just search for “guide to make good passwords”). The scope of this article is to raise awareness of a practice many network administrators use to create secure passwords which, sometimes, users can’t even change. I am talking about something like this:

“Cz~>Iah]-_zH7s>Spha)”

This is a highly secure password: 20 random characters, small and capital letters, special characters. From a security point of view, it is a perfect password. But can you remember it? Can anyone remember it? I doubt this very much.

So what’s the solution to be able to use this password? It depends on where the password has to be used.

1. To log in on a computer

No matter how absurd it seems to have such a complex password, I am sure that similar passwords are used in the world. Maybe not 20 characters, but a normal person’s memory can’t really retain complex random passwords longer than 6-8 characters, and even that only with a lot of repetition. So, what will people do to use such a complex password?

They will obviously write it down and keep it at hand. Actually, as far as I could research, in some places the administrators hand out the passwords written on a piece of paper so that the user can always have it at hand.

What are the risks of such a practice?

Obviously, anyone can read it, make a copy of it and use it without your knowledge. This can lead to data leakage, compromised network security and many other things a security administrator dreads.

2. To log in to a service (like email, a website, etc.)

In this case, the situation is not as bad as in the first case, but nevertheless the password has to be kept somewhere on the computer in written form. If the website is not secured, then the browser will usually offer to remember it, but if it is secured, then you have to enter it every time you want to log in.

If you want to log in to that service from another computer or place, then you have to physically carry the password with you. Either you write it on a piece of paper as in the first case, or you save it on removable media. So, the possibilities are quite limited in this case – a USB stick or a smartphone. What’s the risk here? Removable media can be lost or stolen. The same applies to a piece of paper. Because usually many passwords are required, they are written down together with the address of the service they belong to. So, you’ve shown the door and handed the key to a complete stranger.

What’s the solution?

There is only one solution for this kind of problem. Make these complex passwords one-time passwords and force the user to change them upon first login. Also make sure that you enforce the use of strong passwords on the server side. Ideally, let all passwords expire, so that when an employee leaves the company, their account expires with them. This also helps to mitigate the danger of users who write down their passwords even though they were able to choose them themselves.
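The following is an added example, not code from the article or its author, showing how the three measures above fit together on the server side: the administrator provisions an account with a random one-time password, the first successful login with it is refused until the user sets a password of their own that passes a strength policy, and any password older than a maximum age is refused. The policy values (12 characters, three character classes, 90 days), the PBKDF2 parameters and the in-memory account store are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Policy values are assumptions chosen for this example, not taken from the article.
MIN_LENGTH = 12                # minimum length accepted for a user-chosen password
MIN_CLASSES = 3                # out of: lowercase, uppercase, digits, punctuation
MAX_AGE = timedelta(days=90)   # passwords older than this are refused until reset
TEMP_LENGTH = 20               # length of the random one-time password the admin hands out
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; the store never keeps the clear-text password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def check_strength(password: str) -> List[str]:
    """Server-side policy check. Returns the violated rules (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool          # True while the admin-issued one-time password is in place
    password_set_at: datetime


class AccountStore:
    """Minimal in-memory account database (constructed for the example)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def provision(self, username: str, now: datetime) -> str:
        """Admin creates the account with a random one-time password and returns it
        to hand to the user; the flag forces a change at the first login."""
        temp = "".join(secrets.choice(ALPHABET) for _ in range(TEMP_LENGTH))
        salt, digest = hash_password(temp)
        self.accounts[username] = Account(username, salt, digest, True, now)
        return temp

    def login(self, username: str, password: str, now: datetime,
              new_password: Optional[str] = None) -> str:
        """Returns 'denied', 'expired', 'change_required', 'rejected: ...', 'changed' or 'ok'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            return "denied"
        if now - acct.password_set_at > MAX_AGE:
            # Covers both a never-used one-time password and a stale user password.
            return "expired"
        if not acct.must_change:
            return "ok"
        # One-time password accepted: the user must set their own password now.
        if new_password is None:
            return "change_required"
        problems = check_strength(new_password)
        if new_password == password:
            problems.append("same as the one-time password")
        if problems:
            return "rejected: " + "; ".join(problems)
        acct.salt, acct.digest = hash_password(new_password)
        acct.must_change = False
        acct.password_set_at = now
        return "changed"


if __name__ == "__main__":
    store = AccountStore()
    day0 = datetime(2024, 1, 1)
    temp = store.provision("alice", day0)
    print("one-time password handed to alice:", temp)
    print(store.login("alice", temp, day0))                                      # change_required
    print(store.login("alice", temp, day0, "Correct-Horse-42"))                  # changed
    print(store.login("alice", "Correct-Horse-42", day0 + timedelta(days=30)))   # ok
    print(store.login("alice", "Correct-Horse-42", day0 + timedelta(days=120)))  # expired
```

Because the one-time password only ever authorizes a password change, a copy of it left on a desk or in a drawer is worthless once the user has logged in, and the expiry check makes it worthless anyway if it is never used. The strength policy runs on the server, so a client that skips its own checks cannot bypass it.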

Sorin Mustaca
Data Security Expert