Tuesday, September 23, 2014

Passwords: Not Too Short, Not Too Long

I used to work with a guy who had a password that was over 32 characters long.  I know this because he ranted to me that our enterprise policy only allowed a 32 character password and he didn't feel he should have to shorten his password due to a bad policy.  Is a long password actually more secure?  I don't think so, especially for the average employee.

My experience as a computer support technician is that the average employee will write down any password that he or she thinks is too complex.  The Open Web Application Security Project recommends a maximum password length, stating "The longer the password, the more likely people are to enter them incorrectly for your system."  Now you end up with a greater security threat from a longer password because it was written down, or it interrupts work because it has to be reset.

So is a "short" password insecure?  Brien Posey in a recent blog post first tested a dictionary-based crack, then a brute force approach to hacking an 8 character password on a zip file on his personal computer.  He used the standard rules of a mix of upper and lower case letters, special characters and numbers.  While he was waiting for the software running on multiple servers to recover his password, he did the math on the total number of possible combinations: 669 quadrillion possible combinations.  At that point he abandoned the quest to break the password.

Creating a secure password doesn't have to be difficult.  The process I recommend is to use a line from a song or poem or favorite saying.  Take the first letter of each word, then swap a special character or digit in for some of the letters.  For example:

"I need to get into this file and edit something" becomes In2gitf&es

It's easy to remember, complex, neither guessable nor a dictionary word, and easy to replace with a new one when this one expires in 90 days or so.

"Oh say can you see by the dawn's early light" becomes 0scysbtde1
(the O becomes a zero and the L switches to a one)
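The two examples above, and Posey's combination count earlier in the post, can be checked with a little code. The script below is an added example, not part of the original post or of Posey's test: it derives a password from a phrase the way the post describes (whole-word shorthand such as "to" to "2" and "and" to "&", first letter of every other word, then the post's O-to-zero and l-to-one swaps), and it estimates how large a search an attacker faces who knows only which character classes were used. The word map beyond "to" and "and", the 94-character printable ASCII alphabet, and the guess rate of ten billion per second are assumptions of this example; the count you get depends on the alphabet assumed, which is why different articles quote different totals for an 8 character password.

```python
import string

# Whole-word shorthand. "to" -> "2" and "and" -> "&" come from the post's own
# example; "for" and "at" are constructed additions for this script.
WORD_MAP = {"to": "2", "and": "&", "for": "4", "at": "@"}

# Look-alike swaps the post uses: the letter O becomes a zero, l becomes a one.
CHAR_MAP = {"o": "0", "l": "1"}

# Assumed attacker speed for the estimate (constructed figure, not from the post).
ASSUMED_GUESSES_PER_SECOND = 1e10


def mnemonic(phrase: str) -> str:
    """Turn a memorable line into a password using the post's recipe:
    replace words that have a shorthand, keep the first character of every
    other word, and swap look-alike letters for digits."""
    out = []
    for word in phrase.split():
        key = word.lower().strip(string.punctuation)
        if key in WORD_MAP:
            out.append(WORD_MAP[key])
        else:
            first = word[0]
            out.append(CHAR_MAP.get(first.lower(), first))
    return "".join(out)


def charset_size(password: str) -> int:
    """Size of the smallest conventional alphabet covering the password.
    An attacker who only knows which classes were used has to search all of it:
    26 lower, 26 upper, 10 digits, 32 punctuation marks, 1 space (94 or 95 total)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    if " " in password:
        size += 1
    return size


def keyspace(password: str) -> int:
    """Number of candidate strings with this length and these character classes."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(password) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for phrase in (
        "I need to get into this file and edit something",
        "Oh say can you see by the dawn's early light",
    ):
        pw = mnemonic(phrase)
        print(f"{phrase!r} -> {pw}")
        print(f"  alphabet {charset_size(pw)}, {len(pw)} chars, "
              f"{keyspace(pw):.3g} candidates, "
              f"{years_to_exhaust(pw):.2f} years to exhaust at "
              f"{ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
```

Running it shows the difference the substitutions make: In2gitf&es draws on all four classes (94 symbols, ten characters), while 0scysbtde1 uses only lowercase letters and digits (36 symbols) and so sits in a keyspace roughly 15,000 times smaller for the same length. The estimate assumes the attacker knows nothing about the phrase; a line everyone knows, such as a national anthem, is worth less than the arithmetic suggests if the attacker guesses phrases rather than characters, so prefer lines that are memorable to you but not famous.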

This will work as long as you don't whistle the tune every time you log in!



Posey, B. (2013, August 14). How important is Password Complexity? [Web log post]. Retrieved from Redmond Magazine website: http://redmondmag.com/articles/2013/08/14/password-complexity.aspx

Open Web Application Security Project (OWASP) (2014, September 23). Password Length and Complexity. Retrieved from OWASP website: https://owasp.org/index.php/Password_length_%26_complexity
