Solving the password riddle

Often, all that stands between an intruder and an IT system is a user name and a password. Because the user name is usually easy for an attacker to guess, the password quickly becomes the only real line of defence.

Though the process of assigning passwords is getting better, there is still room for improvement, experts say.

“It really varies by company, some people are doing a good job, some people are not,” said Rob Walters, director of Ottawa-based security company EWA Canada Ltd. The real issue, he added, is whether companies even recognize that they have a problem.

The dilemma is that memory is not people’s strong suit. If users could remember 25-character passwords and change them every 30 days, life for the security officer would be much easier. Reality is otherwise. Worse, employees are now required to remember a number of different passwords, which magnifies an already difficult situation.

So what can be done? The starting point is to have a strong corporate policy. But even this can be a challenge.

“We have seen organizations with relatively good policy fall down because they haven’t implemented content rules,” said David Gamey, senior consultant with IBM Security and Privacy Services in Toronto. A company thinks it has a solution when it requires employees to use a combination of numbers and letters. But without thinking about how end users will actually satisfy that requirement, it ends up with what Gamey calls the Joe123 password: six characters mixing a capital, lower-case letters and digits, and trivial to crack, because a name followed by a short run of digits is among the first patterns any dictionary-based cracking tool tries.

“You have to have an end-to-end look of not just how you are going to [implement password policy] but also of how you are going to support the user base,” he explained.
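As an added example (not from the article or from any of the companies quoted), the following Python shows why a content rule that only demands letters and digits is not enough: a naive checker accepts Joe123, while a checker written with the word-plus-digits habit in mind rejects it. The small word list and the 12-character minimum are assumptions for illustration.

```python
import re

# Constructed stand-in for a cracker's word list; a real check would load a
# full dictionary such as the one shipped with a password-cracking tool.
COMMON_WORDS = {"joe", "password", "welcome", "summer", "admin", "letmein"}


def naive_rule(password):
    """The bare 'letters and numbers' content rule: satisfied by Joe123."""
    return (len(password) >= 6
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def stronger_rule(password):
    """A content rule written with the Joe123 habit in mind.

    Returns (accepted, reason). The 12-character minimum is an assumed
    policy value for illustration, not a figure from the article.
    """
    # Users typically satisfy a digit requirement by appending digits
    # (or a symbol) to a familiar word, so strip that suffix and look at
    # what is left.
    core = re.sub(r"[0-9!@#$%^&*]+$", "", password).lower()
    if core in COMMON_WORDS:
        return False, f"dictionary word '{core}' with digits appended"
    # An optional capital, one lower-case word, one to four digits: the
    # generic shape of Joe123 even when the word is not in our list.
    if re.fullmatch(r"[A-Z]?[a-z]+[0-9]{1,4}", password):
        return False, "single word followed by digits"
    if len(password) < 12:
        return False, "shorter than 12 characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Joe123", "Summer2024", "Short1", "ireallylikesnowballs"):
        print(f"{candidate:<22} naive={naive_rule(candidate)} "
              f"stronger={stronger_rule(candidate)}")
```

Note the inversion the naive rule produces: it accepts Joe123 and rejects ireallylikesnowballs because the latter contains no digit, which is exactly the end-user behaviour a policy has to anticipate.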

Once a company has figured out a policy, the next step is to educate the end user. Many employees have little idea how sensitive the information is that they have. An e-mail about a project delay might seem trivial, but it could be of strategic importance to competitors. Users need to understand that having a complex password for something as common as e-mail is important.

With operating systems now accepting much longer passwords, the consensus today is that users should create their own pass-phrases. They are easy to remember and, because of their length, impractical to brute-force; changing them every 60 days or so further limits the window in which a captured password hash could be cracked.

A pass-phrase is a long sentence that only the user would ever think of. Because it appears in no dictionary or word list, an attacker has nothing to look up and is left with brute force. The caveat is that famous quotations, song lyrics and book titles do appear in crackers’ word lists, so the phrase must genuinely be the user’s own.

Chris Russel, senior security analyst at York University in Toronto, is a big fan of the pass-phrase, and as an administrator of thousands of accounts, including more than 50,000 for e-mail alone, he doesn’t have a lot of time to be resetting forgotten passwords.

“Just by the virtue of its length it is hard to [crack],” he said.

Take the phrase i really like snowballs in my cereal. It uses only lower-case letters, 30 of them (36 characters counting the spaces), yet even the most powerful computers would take an impractically long time to brute-force it. An attacker who knows nothing about its structure cannot tell where one word ends and the next begins, so each of the 30 letter positions could hold any of 26 letters, roughly 2.8 × 10^42 combinations. Adding a digit and a capital letter at random positions widens the alphabet to 62 symbols per position and multiplies the count again (not to infinity, but far beyond any feasible search). The one qualification is that an attacker who assumes the phrase is built from ordinary English words can try combinations of words from a list instead, a much smaller space than 26^30, which is why a pass-phrase of common words should run to several words rather than two or three.
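As an added example (not part of the article), the following Python puts numbers on the two ways an attacker might approach the snowballs phrase: pure brute force over letter positions, as the article counts it, versus guessing that the phrase is a sequence of common English words. The 10,000-word vocabulary and the guess rate of a billion per second are assumed figures for illustration.

```python
import math


def charset_bits(positions, alphabet_size):
    """Search space in bits for an attacker who knows only the alphabet and
    the number of positions and must try every combination."""
    return positions * math.log2(alphabet_size)


def wordlist_bits(word_count, vocabulary_size):
    """Search space in bits for an attacker who assumes the secret is a
    sequence of common words drawn from a vocabulary of the given size."""
    return word_count * math.log2(vocabulary_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every combination in the space at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def analyse_phrase(phrase, vocabulary_size=10_000, guesses_per_second=1e9):
    """Compare the brute-force and word-based models for a lower-case phrase.

    vocabulary_size and guesses_per_second are assumptions chosen for
    illustration, not measured figures.
    """
    letters = sum(1 for c in phrase if c.isalpha())
    words = len(phrase.split())
    brute = charset_bits(letters, 26)            # the article's 26^30 count
    by_words = wordlist_bits(words, vocabulary_size)
    return {
        "letters": letters,
        "words": words,
        "charset_bits": brute,
        "wordlist_bits": by_words,
        "charset_years": years_to_exhaust(brute, guesses_per_second),
        "wordlist_years": years_to_exhaust(by_words, guesses_per_second),
    }


if __name__ == "__main__":
    result = analyse_phrase("i really like snowballs in my cereal")
    for key, value in result.items():
        shown = f"{value:.3g}" if isinstance(value, float) else str(value)
        print(f"{key:>15}: {shown}")
```

The letter-by-letter model gives about 141 bits, the seven-words-from-a-dictionary model about 93 bits. Both are out of reach at a billion guesses per second, but the gap of nearly 50 bits shows how much of the article’s count depends on the attacker not knowing the phrase is made of words; a phrase of two or three common words would not survive the second model.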

But the pass-phrase has its downsides too. Not everyone is a great typist, and with the characters masked on the screen users may make a few typos. One remedy is to raise the number of failed attempts allowed before the user is locked out: 10 or 20 guesses at the login prompt will never hit a creative pass-phrase. The lockout threshold only limits guessing through the login prompt, however; an attacker who has obtained the password hashes is not slowed by it at all, which is why the phrase’s length matters in the first place.