Sunday, February 17, 2013

Password or 123456

Is that your idea of a secure password? Not too long ago MMSD was forced to change students' default 11111 password. Now they use short passwords with a small degree of randomness.  At the end of the day I think most students are still in a better place than many teachers. 

Many teachers are still using the basic password MMSD gave them on their hire date. That password is meant to be temporary: you are given a passcode built from personally identifiable security information that you know, with the expectation that you will shortly change it to a more secure one. The danger of not changing it is that if your account is hacked, not only is your password compromised, but so is the valuable security information that can validate your identity.

A guy named Mark Burnett released a list of the 10,000 most popular passwords, and the results are scary. As you can see from the word cloud, password and 123456 top the list. 32,027 people use password, and over 45,000 use a serial 1,2... number pattern of eight characters or less. That alone is roughly 20% of all passwords. 98.8% of passwords are on this top 10,000 list. (Zipped text file)

So in addition to not using security information in your password, you should stay away from any of the passwords on this list. Besides numbers and password, you can see a lot of names in the tag cloud. In general, what one needs to look for in a password is length and randomness.
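As an added example (not code from the original post), here is how a password-change form or account-audit script could apply the advice above: reject anything that appears on the common-password list, anything that is a repeated or consecutive digit pattern like 11111 or 12345678, and anything shorter than 12 characters. The blocklist below is a small constructed sample; in practice you would load the full 10,000-entry text file the post links to. The trailing-digit check (so that Michael2013 is caught by the entry michael) is this example's own heuristic, not something the post describes.

```python
import re

# Constructed sample standing in for the real top-10,000 list (one entry
# per line). Replace with the contents of the downloaded text file.
SAMPLE_BLOCKLIST = """
password
123456
12345678
abc123
qwerty
letmein
111111
michael
jennifer
"""


def load_blocklist(text):
    """Return a set of lower-cased entries, one per non-empty line."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def is_serial_digits(pw):
    """True for all-digit strings of 8 or fewer characters that are a single
    repeated digit (11111) or a consecutive run (12345678, 87654321)."""
    if not pw.isdigit() or len(pw) > 8:
        return False
    digits = [int(c) for c in pw]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps <= {0} or steps == {1} or steps == {-1}


def check_password(pw, blocklist, min_length=12):
    """Return the list of reasons the password is weak; an empty list passes."""
    reasons = []
    low = pw.lower()
    # Heuristic of this example: many people append a year or digits to a
    # common word, so also test the password with trailing digits removed.
    stripped = re.sub(r"\d+$", "", low)
    if low in blocklist:
        reasons.append("appears on the common-password list")
    elif stripped and stripped in blocklist:
        reasons.append("matches a common password once trailing digits are removed")
    if is_serial_digits(low):
        reasons.append("is a repeated or consecutive digit pattern")
    if len(pw) < min_length:
        reasons.append(f"is shorter than {min_length} characters")
    return reasons


if __name__ == "__main__":
    blocklist = load_blocklist(SAMPLE_BLOCKLIST)
    for candidate in ("password", "11111", "Michael2013", "schenkelephantspotatoes"):
        verdict = check_password(candidate, blocklist) or ["ok"]
        print(f"{candidate}: {'; '.join(verdict)}")
```

The comparison is case-insensitive on purpose: Password and PASSWORD are the same guess to an attacker working from the list.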

Mark Burnett uses the example of a 12 character password being 2,573 miles long to demonstrate password strength. So if a 12 character password is 2,573 miles long, how long is the typical 8 character password? You may be surprised to learn it's only 11 inches; on the other hand, if you increased your password to 13 characters it would reach the moon (160,000 miles).
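The distance figures above follow from simple arithmetic on the size of the keyspace, and the added example below (my code, not Burnett's) reproduces them. The post does not say which alphabet the analogy uses, but 2,573 miles divided by 11 inches is about 62 to the fourth power, so an alphabet of 62 symbols (a-z, A-Z, 0-9) is assumed here; the 12 character figure is used as the calibration point. Every extra character multiplies the distance by the alphabet size, which is why the jump from 12 to 13 characters goes from a road trip to the moon.

```python
import math
from fractions import Fraction

ALPHANUMERIC = 62          # assumed alphabet size, inferred from the post's numbers
LOWERCASE = 26
INCHES_PER_MILE = 63360
MOON_MILES = 160000        # the post's round figure for the distance to the moon

# Calibration point taken from the post: all 12-character alphanumeric
# passwords laid end to end stretch 2,573 miles.
CALIBRATION_LENGTH = 12
CALIBRATION_MILES = 2573


def keyspace(length, alphabet=ALPHANUMERIC):
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet ** length


def bits(length, alphabet=ALPHANUMERIC):
    """Entropy in bits of a uniformly random password of this shape."""
    return length * math.log2(alphabet)


def miles_for(length, alphabet=ALPHANUMERIC):
    """Length of the keyspace in miles at the post's scale, as an exact rational."""
    return Fraction(keyspace(length, alphabet) * CALIBRATION_MILES,
                    keyspace(CALIBRATION_LENGTH))


def inches_for(length, alphabet=ALPHANUMERIC):
    return miles_for(length, alphabet) * INCHES_PER_MILE


def describe(length, alphabet=ALPHANUMERIC):
    """Human-readable line: inches for short keyspaces, miles and moons otherwise."""
    miles = miles_for(length, alphabet)
    entropy = bits(length, alphabet)
    if miles < 1:
        return f"{length} chars over {alphabet}: {float(inches_for(length, alphabet)):.1f} inches ({entropy:.1f} bits)"
    moons = float(miles / MOON_MILES)
    return f"{length} chars over {alphabet}: {float(miles):,.0f} miles, {moons:.2g} x moon distance ({entropy:.1f} bits)"


if __name__ == "__main__":
    for n in (8, 12, 13):
        print(describe(n))
    # A lowercase-only string of the same length as a long passphrase:
    # fewer symbols per position, but length still wins by a huge margin.
    print(describe(26, LOWERCASE))
```

Running it prints roughly 11 inches for 8 characters, 2,573 miles for 12, and about 159,500 miles for 13, matching the post's figures; the bits column shows the same growth on a logarithmic scale, which is how strength is usually quoted.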

There is a growing consensus that secure passwords should be at minimum 12 characters in length. Many of my personal passwords exceed 30 characters, but I use a password manager to manage them. I use KeePass, but I have heard good things about LastPass too. The passwords it creates include numbers, uppercase, lowercase, and symbols and are not designed to be remembered. My Gmail password is 30 characters long, so it would be impossible to remember; I have KeePass installed on all my devices.

However, this is not the only way to approach password strength. Burnett argues that length is the most important feature in password strength and, like the popular XKCD comic, that we have made passwords impossible for users to remember. One new approach is creating password phrases that do not make grammatical sense: words that we'd typically not see next to each other in a sentence. Burnett actually has a program called Pafwert that will take the guesswork out of it.

For example, a password could be schenkelephantspotatoes. This is a 26 character password. I imagine, using the earlier distance analogy, that we are out of the Milky Way by now. Since it's a longer password (26 characters) with the randomness coming from the words selected, we can feel secure in having only lowercase characters.

As humans, our memory is limited to about 7 (plus or minus) chunks of information. The three words schenk, elephants, potatoes are well within that constraint and easily remembered. We call ourselves the Schenk Sharks; elephants is not a term we'd typically associate with Schenk, and potatoes is associated with neither. Peanuts or sharks would have been a poor choice because they'd form an association with the other terms.

If you are a Windows user it might be worth downloading Pafwert. It may even be a program that the District should include on its software list. Even without the program, as you saw above, a secure, randomized password can be created quite easily.
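The word-based approach has one caveat worth seeing in numbers: when the words are chosen at random, an attacker who knows the word list only has to guess words, not letters, so the strength comes from how many words there are to choose from and how many you pick, not from the character count. The added example below (my code, not Pafwert or anything from the post) generates a passphrase with a cryptographic random source and reports both the letter-by-letter figure and the word-guessing figure; the smaller of the two is the one that counts. The word list here is a constructed stand-in of 16 words, deliberately tiny so the gap shows; a real generator draws from thousands of words, where each word adds roughly 12 bits or more.

```python
import math
import secrets

# Constructed stand-in word list. With only 16 entries each word adds just
# 4 bits; a dictionary of ~7,776 words (as used by diceware-style lists)
# gives about 12.9 bits per word.
WORDS = ["elephant", "potato", "shark", "peanut", "lantern", "granite",
         "velvet", "hammock", "compass", "sparrow", "copper", "orchid",
         "tundra", "bicycle", "marble", "pumpkin"]


def generate_passphrase(word_count=3, words=WORDS, rng=secrets.choice):
    """Pick word_count words uniformly at random, with replacement.

    rng is injectable only so the function can be tested deterministically;
    leave the default (secrets.choice) for real use."""
    return [rng(words) for _ in range(word_count)]


def word_entropy_bits(word_count, list_size):
    """Bits of entropy if the attacker knows the list and guesses whole words."""
    return word_count * math.log2(list_size)


def char_entropy_bits(phrase, alphabet=26):
    """Bits if the attacker instead guesses the phrase letter by letter."""
    return len(phrase) * math.log2(alphabet)


def strength_report(words_chosen, list_size):
    """Summarise a passphrase; effective_bits is the weaker of the two models."""
    phrase = "".join(words_chosen)
    word_bits = word_entropy_bits(len(words_chosen), list_size)
    char_bits = char_entropy_bits(phrase)
    return {
        "phrase": phrase,
        "characters": len(phrase),
        "word_bits": word_bits,
        "char_bits": char_bits,
        "effective_bits": min(word_bits, char_bits),
    }


if __name__ == "__main__":
    chosen = generate_passphrase(3)
    report = strength_report(chosen, len(WORDS))
    print(f"{report['phrase']}: {report['characters']} characters, "
          f"{report['char_bits']:.1f} bits by letters but only "
          f"{report['effective_bits']:.1f} bits by words")
    # The same three words drawn from a 7,776-word list would be worth far more.
    print(f"from a 7,776-word list: {word_entropy_bits(3, 7776):.1f} bits")
```

Three words from the 16-word list look like an 89-bit string but are really a 12-bit choice; the same three words from a 7,776-word list are worth about 39 bits, and adding a fourth word is the cheapest way to raise that further. Choosing words that are unrelated to each other and to you, as the post recommends, keeps the attacker from shrinking the list with guesses about what a Schenk Shark would pick.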