3 Ways To Pick A Bad Compliant Password
Most corporate users are bombarded with guidelines and regulations on how to set good passwords. Users are forced to remember rules they don’t want to, leading to password fatigue. Administrators are given the sense that passwords are secure and users feel the same way if they’re following the rules.
People know that a password has to be 8 characters, but they really don’t know why – here are some surefire ways to be certain you (and your users) are picking weak passwords, despite length and complexity requirements.
- 1 Make It Up Yourself – Most users are going to come up with a ‘familiar base’, then add simple numbers and symbols (1 and !) to make their passwords compliant. Make good use of decent random password generators and recommend them to your users.
- 2 Use Your Personal Account Passwords – Password change requirements are good at keeping this problem under control (which is why your company should enforce them). Users who reuse the network password they use for their personal email, social networking, or other less secure websites can place hidden vulnerabilities in your security architecture.
- 3 Change Your Password with Predictable Increments – Sure you have to change your password every 45 days, but do you just change all of the numbers from 111 to 222? Does Bob123! change to Bob234!?
Refer to #1: use randomly generated passwords.
It’s a good thing that machines can force password complexity and length requirements, but don’t let your users hack around them.
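As an added example (not code from the original post), here is a Python check that first applies a typical length-and-complexity rule and then flags the two patterns described above: a familiar base with a short numeric/symbol tail, and a predictable increment of the previous password. The small wordlist and the exact policy are assumptions.

```python
import re

# Constructed sample of "familiar bases" users decorate into compliant
# passwords (assumption: a real check would use a large wordlist plus names).
FAMILIAR_BASES = {"bob", "password", "welcome", "summer", "company"}

def is_policy_compliant(pw):
    """Typical corporate rule: 8+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def _skeleton(pw):
    """Template with digit runs blanked, plus the digit runs themselves."""
    return re.sub(r"\d+", "#", pw), re.findall(r"\d+", pw)

def is_predictable_increment(old, new):
    """True when new is old with its digits stepped up in a regular way:
    111 -> 222 (every digit shifted by 1), Bob123! -> Bob234!, or the
    run's numeric value bumped by a small step (Summer2008! -> Summer2009!)."""
    t_old, runs_old = _skeleton(old)
    t_new, runs_new = _skeleton(new)
    if t_old != t_new or not runs_old or len(runs_old) != len(runs_new):
        return False
    per_digit_shift, numeric_step = set(), set()
    for a, b in zip(runs_old, runs_new):
        if len(a) != len(b):
            return False
        per_digit_shift.update((int(y) - int(x)) % 10 for x, y in zip(a, b))
        numeric_step.add(int(b) - int(a))
    # One constant shift (0 means the digits did not change at all), or the
    # same small numeric bump on every run.
    return len(per_digit_shift) == 1 or (
        len(numeric_step) == 1 and 0 < next(iter(numeric_step)) < 10)

def weak_reasons(pw, previous=None):
    """Why a policy-compliant password is still weak; empty list if no pattern found."""
    reasons = []
    base = re.sub(r"[^A-Za-z]+$", "", pw)     # familiar base, decoration stripped
    tail = pw[len(base):]
    if base.lower() in FAMILIAR_BASES and re.fullmatch(r"[0-9!@#$%^&*]{1,5}", tail):
        reasons.append("familiar base plus a short numeric/symbol tail")
    if previous is not None and is_predictable_increment(previous, pw):
        reasons.append("predictable increment of the previous password")
    return reasons
```

Running `weak_reasons("Welcome2!", previous="Welcome1!")` reports both patterns even though the password passes the complexity rule; a generated password such as `Xk7#qPz2m!` reports none.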

May 2nd, 2008 at 3:08 pm
Better to generate it yourself. Here’s some PHP code I use. If you want to get fancy, use openssl’s rand instead of array_rand.
<?php
// Single quotes so "$%" and "\|" are taken literally by PHP.
$character_set = '0123456789abcdefghijklmnopqrstuwvxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-_=+[{]}\|;:,/?';
// PREG_SPLIT_NO_EMPTY drops the empty strings preg_split("//") otherwise adds at both ends.
$chars = preg_split('//', $character_set, -1, PREG_SPLIT_NO_EMPTY);
$password_length = 16;
$pwd = '';
// array_rand() is not a cryptographic RNG; see the note above about openssl's rand.
for ($ii = 0; $ii < $password_length; $ii++) { $pwd .= $chars[array_rand($chars)]; }
print "$pwd\n";
May 5th, 2008 at 5:41 pm
Non-Security-Politically-Correct Rebuttal.
Pick any silly password you want. Passwords are so phenomenally useless today, as a common user you have virtually no hope against a determined attacker. In fact, given that most passwords must be used on systems you don’t control (and are likely misconfigured anyways), good passwords probably don’t even help against a non-determined attacker casting a wide net.
Picking good passwords is a major headache. You end up creating denial of service attacks against yourself. Pick passwords unlikely to be guessed by people who know you. Give up on the rest and find better ways to secure yourself. Even on your own network, there are far better ways to compromise your system than guessing your password.
Good passwords are now like putting good locks on your house. If you have vinyl siding, foam insulation, and wallboard, most attackers can literally WALK THROUGH YOUR WALLS rather than defeat your amazing door locks. The same is usually true for passwords.
April 20th, 2009 at 11:36 am
[...] All of us are terrible at remembering passwords, causing us to find convenient ways to make logging on to our Twitter, bank, and other online accounts a bit easier and much less secure. Users combat password fatigue by using the same password for all of their accounts, selecting short and weak passwords, or creating bad compliant passwords. [...]
July 15th, 2009 at 8:02 am
[...] like users can pick bad compliant passwords, you’re not as compliant as you think you are if you haven’t considered the following 3 [...]