
05/02/08 11:03 AM

3 Ways To Pick A Bad Compliant Password

Posted in by Anil Polat

Most corporate users are bombarded with guidelines and regulations on how to set good passwords. Users are forced to remember rules they don’t want to, leading to password fatigue. Administrators are given the sense that passwords are secure and users feel the same way if they’re following the rules.

People know that a password has to be 8 characters, but they really don’t know why. Here are some surefire ways to be certain that you (and your users) are picking weak passwords despite length and complexity requirements.

  1. Make It Up Yourself – Most users will come up with a ‘familiar base’ and then add simple numbers and symbols (1 and !) to make their passwords compliant. Use, and recommend to your users, some decent random password generators.
  2. Use Your Personal Account Passwords – Password change requirements are good at keeping this problem under control (which is why your company should enforce them). Users who reuse the network password they use for their personal email, social networking, or other less secure websites introduce hidden vulnerabilities into your security architecture.
  3. Change Your Password with Predictable Increments – Sure, you have to change your password every 45 days, but do you just change all of the numbers from 111 to 222? Does Bob123! become Bob234!?

Refer to #1: use randomly generated passwords.
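The familiar-base and predictable-increment patterns from the list above, as an added Python check that is not code from the post (pattern 2, reusing a password from another site, cannot be detected locally and is left out). The FAMILIAR_BASES set, the policy thresholds and the accepted trailer shapes are assumptions made for the example:

```python
import re

# Hypothetical stand-in for a real wordlist plus the user's name and employer;
# a deployment would load a proper list rather than this constructed sample.
FAMILIAR_BASES = {"bob", "password", "welcome", "summer", "acme"}

# Shape of a "familiar base + digits + symbols" password, e.g. Bob123!
_TRAILER = re.compile(r"^(?P<base>[A-Za-z]+)(?P<digits>\d{0,4})(?P<symbols>[!@#$%^&*]{0,2})$")


def meets_policy(pw):
    """The machine-enforced part: 8+ chars with lower, upper, digit and symbol (assumed policy)."""
    return (len(pw) >= 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def split_trailer(pw):
    """Split 'Bob123!' into ('Bob', '123', '!'); None if the password is not that shape."""
    m = _TRAILER.match(pw)
    return (m.group("base"), m.group("digits"), m.group("symbols")) if m else None


def weak_reasons(new_pw, old_pw=None):
    """Return the post's patterns that new_pw matches; an empty list means none were found."""
    reasons = []
    parts = split_trailer(new_pw)
    if parts and parts[0].lower() in FAMILIAR_BASES:
        reasons.append("familiar base plus simple digits/symbols")      # pattern 1
    if old_pw is not None:
        old_parts = split_trailer(old_pw)
        if old_pw.lower() == new_pw.lower():
            reasons.append("only letter case changed")
        elif parts and old_parts and parts[0] == old_parts[0] and parts[2] == old_parts[2]:
            # Same base and symbols as last time: look at how the digits moved.
            od, nd = old_parts[1], parts[1]
            if od and nd and len(od) == len(nd):
                deltas = {int(n) - int(o) for o, n in zip(od, nd)}
                if len(deltas) == 1:                 # 111 -> 222 or 123 -> 234
                    reasons.append("digits shifted by a constant")      # pattern 3
                elif int(nd) == int(od) + 1:         # 199 -> 200
                    reasons.append("number incremented")
            elif not od and nd:
                reasons.append("digits appended to previous password")
    return reasons
```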

It’s a good thing that machines can force password complexity and length requirements, but don’t let your users hack around them.

2 Comments for 3 Ways To Pick A Bad Compliant Password

Better to generate it yourself. Here’s some PHP code I use. If you want to get fancy, use openssl’s rand instead of array_rand.

// Character set to draw from; "\\|" keeps a literal backslash and pipe in the string.
$character_set = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-_=+[{]}\\|;:,/?";
// PREG_SPLIT_NO_EMPTY drops the empty leading/trailing elements an empty pattern produces,
// which would otherwise yield passwords shorter than $password_length.
$chars = preg_split("//", $character_set, -1, PREG_SPLIT_NO_EMPTY);
$password_length = 16;

$pwd = '';
// array_rand() is not a cryptographic RNG; see the note above about openssl's rand.
for ($ii = 0; $ii < $password_length; $ii++) { $pwd .= $chars[array_rand($chars)]; }

print "$pwd\n";


Scott Shorter    05/02/08 11:08 AM    #

Non-Security-Politically-Correct Rebuttal.

Pick any silly password you want. Passwords are so phenomenally useless today, as a common user you have virtually no hope against a determined attacker. In fact, given that most passwords must be used on systems you don’t control (and are likely misconfigured anyways), good passwords probably don’t even help against a non-determined attacker casting a wide net.

Picking good passwords is a major headache. You end up creating denial of service attacks against yourself. Pick passwords unlikely to be guessed by people who know you. Give up on the rest and find better ways to secure yourself. Even on your own network, there are far better ways to compromise your system than guessing your password.

Good passwords are now like putting good locks on your house. If you have vinyl siding, foam insulation, and wallboard, most attackers can literally WALK THROUGH YOUR WALLS rather than defeat your amazing door locks. The same is usually true for passwords.


— Joe Shmo    05/05/08 01:41 PM    #