Feb 26, 2008 15:05
Computers are increasingly getting picky about the passwords people use. Earlier I spent 10 minutes trying to change both my undergraduate computer science and computer service accounts so a friend, who has now graduated, could access them (I have since put the passwords back to their normal values). I wanted to change both passwords to "David&1" - a nice secure password, with upper/lower, symbol, numeric, 7 letters long. So I try...
Computer Science: The password must be 8 characters or more. Doh. So I change it to "HiDavid&1" and it goes through fine.
Computer Service: It would be handy to have both passwords the same, so try "HiDavid&1". Now I get told that the password must be between 6 and 8 characters long! So I remove the "Hi" and try "David&1", but whoops, now the password is based on a dictionary word. So "Davd&1" it is, which goes through.
The password checking routines are getting more and more ridiculous! If I want a common password between the two systems, my password must be exactly 8 characters long. Computers have become massively powerful at cracking passwords, and as a result, humans are being asked to create and memorize more elaborate passwords. Not only this, but the diverse range of algorithms checking these passwords means that even within the university systems, one password is just not enough. It used to be the recommended practice to regularly change passwords, but given the immense effort required to do that, it's hardly a realistic possibility.
My other concern is that the restrictions on passwords may actually be reducing the entropy available in passwords. When asked to randomly insert a number into a password, what percentage of people choose 1? What percentage put the number at the beginning/end? When asked to add a capital letter, how many people capitalise the first letter? When asked to pick a symbol, how many people put ! at the end? These all seem fairly possible human defaults. When combined with an exactly eight-letter password, starting with a 1, followed by a capital, and ending in an exclamation mark, the search space is starting to get rather small.
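The shrinkage described in the last paragraph can be put in numbers. The following is an added example, not part of the original post: it counts 8-character candidates with no rule, with a "one of each class" rule, and with the default pattern above. It assumes the 94 printable ASCII characters and, for the smallest figure, lowercase letters in the remaining positions.

```python
import math
from itertools import combinations

# Printable ASCII without space: 94 characters in four classes.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
ALPHABET = sum(CLASSES.values())

def unrestricted(length):
    """Every string of this length over the full alphabet."""
    return ALPHABET ** length

def policy_compliant(length):
    """Strings with at least one character from each class, counted by
    inclusion-exclusion over the sets of classes that are left out."""
    sizes = list(CLASSES.values())
    total = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            total += (-1) ** k * (ALPHABET - sum(missing)) ** length
    return total

def human_default(length, filler=CLASSES["lower"]):
    """The post's pattern: '1' first, a capital second, '!' last.
    The remaining positions draw from `filler` characters; lowercase-only
    is an assumption, pass ALPHABET for an upper bound."""
    return CLASSES["upper"] * filler ** (length - 3)

def bits(count):
    """Entropy in bits of a uniform choice among `count` candidates."""
    return math.log2(count)

def report(length=8):
    """Candidate counts and bits for each model at the given length."""
    models = {
        "any 94-char string": unrestricted(length),
        "one of each class": policy_compliant(length),
        "default pattern, any filler": human_default(length, ALPHABET),
        "default pattern, lowercase filler": human_default(length),
    }
    return {name: (n, round(bits(n), 1)) for name, n in models.items()}

if __name__ == "__main__":
    for name, (n, b) in report().items():
        print(f"{name:36s} {n:>20,d}  {b:5.1f} bits")
```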