Tough Passwords

We've had this talk before. Unfortunately we are sure to have it again. And again.

The first email that greeted me this morning started out with "what the hell is that password?!?". The word in question was a remote access password that had recently been changed because of the unexpected departure of a high level employee. It wasn't that the person asking the question hadn't been told what the new password was; he had. I could be wrong, but I had the strong impression that he just didn't like the complexity of it.

It was their new IT person who had reset this, and he had done it right: 10 characters, mixed punctuation, numbers and upper and lower case letters. It was a great password.

Too bad it didn't work.

I figured out why pretty quickly: somehow the email that gave the new password had "P:" ahead of it. Let's pretend the password was 23$Ca%Pk98. The email said:

remote access P: 23$Ca%Pk98

Because of proportional fonts in html mail, that ended up looking like

remote access P:23$Ca%Pk98

Blame Microsoft for that: before they stuck their grubby fingers in email, that couldn't have happened. But I digress.

I can understand the frustration of the user. He also said "please write what the actual password is more clearly". That's something I almost always do. For example, I'd usually say:

remote access 23$Ca%Pk98
numeral-two numeral-three dollar-sign upper-see lower-ay percent-sign upper-pee lower-kay numeral-nine numeral-eight

But that's just me, and I'm more apt to do that when writing with a pencil than with a keyboard. It wouldn't have helped here, because I had the wrong password too.

Anyway: I'm not certain this guy was complaining about the password. As it didn't work (at least as presented), he may have just been frustrated by that. After all, you leave work Friday night knowing you have some important stuff to do over the weekend and then you can't get in. Frustrating. Maybe that's all it was.

But at other times, in other places. I've had non-techy types complain about "hard passwords". They don't like hard to remember passwords, especially dislike hard to type passwords, and they whine and complain, and all too often I eventually get a polite email from top management asking me to make it "easier".

Sure. At lots of places, "abc123" is a favorite. The word "password" doesn't lag far behind. Those are wonderful passwords, very suitable for protecting systems. Oh wait, here's another great idea: take the company name and make that the password! No one would ever think to try "AcmeBrake", right? Ri-i-i-ght.

With some customers, I can't win: AcmeBrake it is, and that's that. Others reluctantly accept what I suggest or at least do something part way: "Acme2006Brake". That's a little better, I guess.

A little better.

Comments /Security/tough_passwords.html


Tue Aug 8 00:29:00 2006: Subject: Then there is this...   Sledge
I worked with a guy that advocated writing passwords down. This way, he was able to enforce a 27 character at least one number, one upper case, one lower case, one special and one extended ASCII character password (j/k but almost), people would be more accepting of the burden because they had the reference. I see the logic but something in me still says they should not be written down.



Tue Aug 8 01:14:26 2006: Subject:   TonyLawrence
Well, written down where? On a card you carry in your wallet or on a Post-It on your monitor?



Add your comments

Why no "Digg this!" etc.?

Lone-Tar Backup and Disaster Recovery
for Linux and Unix

Enter your email address for automatic notification of new posts here
(be sure to whitelist 'feedburner.com' if you use spam filtering)

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.

Publishing your articles here