Password policy of our time?

by Dmitry Kirsanov 3. November 2011 22:18

When I began studying computers in the beginning of the 90s, I adopted the password policy of that time, which stated that a password should be at least 8 symbols long and complex, meaning that it must contain a number, uppercase and lowercase symbols, and preferably a special character as well.

With Windows NT 4 we got an addition to that rule, rarely followed in practice: the password should be longer than 14 symbols, as otherwise it could be hacked in a matter of seconds.

Windows has additional rules in a corporate environment, but all of them are basically about the length, complexity and maximum age of the password. However, while you can enforce that in a corporate network, most people are far from understanding the underlying idea of a password policy, can’t estimate the cost of a weak password, and overall are ready to adopt a policy only if it is reasonable enough.

So I decided to create such a policy for myself. Take a look at what I came up with:

At the time this article is written, I have 359 passwords for various internet and local resources: e-mail boxes, websites, administrative resources, and others. I don’t know any of these passwords, as they are complex and random. I store them in a password manager (the free and open source Password Safe, but any other will do if it’s written by good professionals; in this case its author was Bruce Schneier) and take good measures to keep the password database secure.

Some of these passwords are for websites that don’t exist anymore, but I just didn’t remove them from the database, as I haven’t visited those websites for years. However, some passwords are extremely precious and I use them many times per day without ever seeing them. The program also reminds me to change a password when it “expires”, so I don’t forget to change it.

The price of the password

The reason why these passwords are so “precious” is that many of them play the role of a single key to multiple doors. And not because I want them to, but simply because website owners decided that it would be hard to convince me to register, and that it is more “user friendly” to just accept an ID from another system, be it Google or Microsoft LiveID. So now my password to Gmail also opens Google+, Google Checkout, AdSense, Analytics, YouTube and perhaps hundreds more websites where I am not even registered.

The password of my Microsoft LiveID opens Hotmail, MSDN, TechNet and a lot of resources that you probably haven’t ever heard about, but which hold information both about me and important to me.

So, hacking these keys would have a dramatic effect on me, and the same situation applies to millions of other users.

But most users use one and the same password for at least half of the websites they visit, even though these websites are not connected.

So, if I own a nice website and offer you to “register for free”, I may try to use the password you’ve provided to open your e-mail box. There is a 50% chance of success.

Some people think they have nothing to hide. Sure. Until someone opens your Facebook account and posts nasty things about your friends, or uses it as a platform to attack your friends and gather information from them. Or opens your e-mail and starts sending child porn from your e-mail address. The latter case of identity theft could get you jailed. Still, you will have nothing to hide.

The Policy

So, once you are convinced that passwords should be protected, and since you have no policy yet, what is the best principle for creating your passwords? Here it goes.

  1. The length of your password should be at least 9 characters. That’s the base minimum. Add one character for each additional service / site it opens. For example, a Google password opens not only Gmail but also Google+, so we add another symbol. If you are using AdSense – increase the length further.
    Do not use a constant length for all passwords. That is – there should be no principle that all of your passwords are exactly 9 symbols long. Some may be 10, 11 or longer. But there shall be no pattern. If you are generating a password using Password Safe or similar software – add or replace a random symbol after generation.
  2. The content of the password should be random. Don’t invent it by concatenating your birthday and the name of your fiancée. Just click “Generate”. Then either memorize it or store it in the password manager.
  3. The life of the password should depend on the use of that password. Estimate how many times it will be used – either automatically or manually. Allow it to live for one year of use. That is – if you are using that password every day, even if it is stored in your e-mail client which uses it automatically, let the password live for one year, then change it. If you are using it once per week – let it live 2 years. If you are using it even less – increase the password’s life up to 3 years, but then change it.
    This will allow you to evaluate your footprint on the internet. If in 3 years your password manager notifies you to change your password on a website you hardly remember, maybe it’s a good idea to delete your profile at that website? You can’t imagine how even the most innocent information about you helps in creating your profile / portrait.
    So, the life of the password should not exceed 3 years.
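The three rules above, expressed as a small script (an added example, not the author's code or Password Safe's): length is 9 plus one per extra service the credential opens, with a random 0-2 extra characters so no fixed length pattern exists; content comes from the OS random source; lifetime is 1 year for daily use, 2 years for weekly use, and capped at 3 years otherwise. The function names and the 0-2 character jitter are this example's own choices.

```python
import secrets
import string
from datetime import date, timedelta

BASE_LENGTH = 9               # rule 1: the base minimum
MAX_LIFETIME_DAYS = 3 * 365   # rule 3: the cap, 3 years
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def required_length(services_opened: int) -> int:
    """Rule 1: 9 characters, plus one for each additional service the same
    password opens (Gmail + Google+ + AdSense = 3 services -> 9 + 2 = 11)."""
    if services_opened < 1:
        raise ValueError("a password opens at least one service")
    return BASE_LENGTH + (services_opened - 1)


def has_all_classes(pw: str) -> bool:
    """The old complexity rule: lowercase, uppercase, digit and special."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(services_opened: int) -> str:
    """Rules 1 and 2: random content from the OS CSPRNG (secrets), and a
    random 0-2 extra characters so passwords do not share one fixed length."""
    length = required_length(services_opened) + secrets.randbelow(3)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):   # reject the rare single-class draw
            return candidate


def lifetime_days(uses_per_week: float) -> int:
    """Rule 3: daily use -> 1 year, weekly -> 2 years, rarer -> 3 years."""
    if uses_per_week >= 7:
        return 365
    if uses_per_week >= 1:
        return 2 * 365
    return MAX_LIFETIME_DAYS


def expiry_date(created: date, uses_per_week: float) -> date:
    """Date the password manager should nag about, per rule 3."""
    return created + timedelta(days=lifetime_days(uses_per_week))


if __name__ == "__main__":
    pw = generate_password(3)   # a Google password opening Gmail, Google+, AdSense
    print(len(pw), expiry_date(date(2011, 11, 3), uses_per_week=7))
```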

Resume

The habit of using a password manager has another good effect. As you read time after time, websites are losing their client databases, and it turns out that the web developers who wrote these websites were not doing their best; for example, they stored your password in clear text instead of hashing it. When you use a unique password for each website where you have a profile, you don’t risk much in terms of compromising other profiles, unless we are talking about the password to your e-mail.

Password security is a cornerstone of digital security and should be taught before you get your first password. So make sure you are using a password policy, and preferably teach your children as well.
