open letter to MS and sysadmins re: passwords

Dear Microsoft and systems administrators,

The common practice of forcing people to change their passwords periodically makes them less secure, not more secure. Please stop it.

This is the most unresearched and insecure tactic for network security ever. Forcing the password to be significantly different from the last password is even worse. The reason is simple: People can’t remember all these fucking passwords and their variations, so they WRITE THEM DOWN. If they are at least a little savvy, they store them in an email draft to themselves for easy, but password protected, access, but mostly, they put it on a scrap of paper that will be easy to find. The first place would-be office “hackers” look for passwords? Sticky notes on computer monitors. 60% of the time, that works every time. The other 40% of the time, it’s on a little scrap of paper in the drawer or under a keyboard.

I don’t know who started this myth, or propagates it, but Google has never once asked me to change a password. What do they know that you don’t? A lot obviously. I use a good, secure, safe password on all my accounts. On most of them it is the SAME password. I can type it without thinking. I don’t forget it. It has never been hacked.

Enforcing good password standards does make sense and is proven to make them more secure. Include a capital letter, a number, and a special character. Great. Helpful. Important. (I did have a network that enforced a 6 character LIMIT on passwords. That means you can’t have more than 6 characters. How fucking dumb is that!? Enforcing standards to make the password weaker…)

The bottom line is really, really simple. Stop making people change their passwords. You are weakening your security and making our lives more difficult.

Sincerely,

~chris

(A guy whose network password keeps oscillating between Fuck7hi5 and yOuRaD!ck)

2 Comments to “open letter to MS and sysadmins re: passwords”

  1. Your password will expire in 14 days at alexwrege.com said something

    [...] The other day, Revathy and I were talking about her persistent issues with her computer and password authentication and then today I stumbled upon Chris’s entry on his blog. (Chris is in IT.) [...]

  2. Tim Howland said something

    The latest wrinkle in attacking passwords is rainbow tables: it doesn’t matter how complicated your password is if it’s too short, because they’ve precalculated all of the possible combinations ahead of time. Current tables cover all of the possible 5 character combinations and most of the 6 character permutations. While it’s expensive and time consuming to generate a dictionary, Moore’s law means it gets half as expensive and time consuming every 18 months, and the dictionary maker only has to calculate it once.

    Changing your password frequently is absolutely no defense against this (or any other) attack unless you have a scheme like SecurID which changes your password every second.

    The only real defense is a long password; an 18 character plain English sentence is far more secure these days than a five character string of Perl line noise.
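Tim’s comparison in numbers, as an added example that is not part of the original post or its comments: the brute-force keyspace of a 5-character “line noise” string versus an 18-character lowercase sentence, and how many 18-month cost halvings it takes before enumerating that keyspace once (the table maker’s one-time job) fits into a one-year budget. The hash rate of 10^9 per second and the two sample passwords are assumptions; the sentence figure is an upper bound, since an attacker who guesses whole words instead of characters searches a much smaller space.

```python
import math
import string

# Character classes an exhaustive (rainbow-table style) enumeration must cover
# once a password is known to draw from them. Space gets its own class so a
# lowercase sentence is costed as 27 symbols, not as "lowercase + punctuation".
_CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
    {" "},
)

def charset_size(password: str) -> int:
    """Size of the smallest union of classes that contains every character used."""
    return sum(len(cls) for cls in _CLASSES if any(c in cls for c in password))

def keyspace_bits(password: str) -> float:
    """log2 of how many strings of this length exist over that character set."""
    return len(password) * math.log2(charset_size(password))

def table_build_years(bits: float, hashes_per_second: float) -> float:
    """Years to enumerate the whole keyspace once: the table maker's one-time cost."""
    return 2 ** bits / hashes_per_second / (365 * 24 * 3600)

def moore_periods_until_feasible(bits: float, hashes_per_second: float,
                                 budget_years: float = 1.0) -> int:
    """Count 18-month cost halvings until one full enumeration fits the budget."""
    periods = 0
    while table_build_years(bits, hashes_per_second * 2 ** periods) > budget_years:
        periods += 1
    return periods

def compare(candidates, hashes_per_second: float = 1e9) -> dict:
    """Per-password summary: charset, bits, years to build today, halvings needed."""
    # hashes_per_second is an assumed rate, not a measured one.
    return {
        pw: {
            "charset": charset_size(pw),
            "bits": round(keyspace_bits(pw), 1),
            "build_years_now": table_build_years(keyspace_bits(pw), hashes_per_second),
            "halvings_until_1yr": moore_periods_until_feasible(keyspace_bits(pw), hashes_per_second),
        }
        for pw in candidates
    }

if __name__ == "__main__":
    # Constructed samples: 5 characters of "line noise" vs an 18-character sentence.
    for pw, row in compare(["a5%Qz", "the cat sat on mat"]).items():
        print(f"{pw!r}: {row}")
```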
