I was recently confronted with a new password policy: my password needed to be a combination of 8 to 12 characters with only numbers and letters. And the numbers were not allowed to be at the beginning or end. My solution was a combination of a standard word with my zip code. But I am not convinced that it is a good password. I will not be able to remember it easily, as it differs from all my other password.
The more you work with computers, the more passwords you generate. I have to remember so many passwords that I use a program to store most of them. It is not the best option but I can only remember so much.
People who invent password policies need to understand their responsibilities. They should focus on the goal instead of the means: when security is a real issue, you should not rely on a password. Logging in with a password is a weak security measure. Because passwords are easily shared, people tend to share their accounts. If you are a naive system administrator you will try to prevent this with ‘soft security’: They forbid it (well, that’s a winner!) or try extreme password policies with short password lifetimes and difficult schemes. And as this increases people are less likely to maintain strong passwords, let alone remember them. So they start writing them down. This actually simplifies an attack.
Let me be clear: It is good to fight weak passwords, like dates, plain words which appear in a dictionary or phone numbers. But you need to support people in creating a good password which they should be able to remember. This means that you should minimize the requirements and make sure they can use it for a longer period of time.
A typical strong password is a ‘all the first letters of a personal favorite song’. So ‘Fmttmalmpats’ is a pretty strong password; it consists of the letters of one of my favorite songs ‘Fly me to the moon and let me play among the stars’. (I particularly like the version by Frank Sinatra). And when I start using ‘phonetic substitution’ it turns into an extremely strong password by most standards: I use ‘2’ instead of ‘to’ (same pronunciation) and ‘**’ instead of ‘stars’. I also submit ‘and’ by an ampersand (‘&’). So my super strong passwords becomes: Fm2tm&lmpat**. Trust me, this a safe password by almost any standard. Unfortunately it doesn’t fit most policies.
Some other ideas for substitution are SMS-language (CU for ‘see you’ or BRB for ‘(I’ll) be right back’), chemistry (H2O for water, so waterbed becomes H2Obed or FE for iron, so FEy is irony) or number/phonetic substitution (4 for ‘for’, 2 for ‘to’ etc). And of course l33t, popular by scriptkiddies, which substitutes a 3 for and E (mirrored) and a zero for an O etc.
The purpose of a password is to enable people to login, so they are authenticated and authorized. Logging in is a method of showing who you are (authentication), so the system knows what you are allowed to do or see (authorization). Only you can transfer money from your bank account.
If this authentication really matters, like when accessing your bank account, you need to be certain that there are no mistakes. The simplest solution is something called a token: a chip card like on your bankcard, usually combined with a PIN code. This token is so strong, that it needs an extremely weak password of only a couple of numbers only!
Some tokens are considered even stronger, because you cannot loose them: biometric tokens, like fingerprints and retinal scans, are among the strongest tokens we know. The reading equipment is often considered weaker than the token itself and only in movies people loose an eye or finger to the villains.
So if you are responsible for password policies, perhaps it is time to consider tokens instead of passwords. You give people a chip card and a PIN code and allow them only access to the building and the workstation with this combination. This is called perimeter security and when enforced properly, you can work with pretty normal password policies on the inside the perimeter, without compromising security too much. And if you are doing it properly you let people use this pass for everything: going to the toilet and getting a cup of coffee should also require you to bring your badge, so you automatically lock your workstation every time you take a break.
All modern computer systems support token-authorization. And token-reading keyboards are not any more expensive than a normal keyboard. Even the chip cards aren’t that expensive anymore.
Security is a risk analysis, usually between cost and image. If the image is more important than you should not let security be left to chance, like when someone is writing down passwords. The weakest link is, again, the human being. Or, as I read somewhere, the biggest security risk is an open mouth. Make yourself dependant on something more controllable.