Tuesday, March 16, 2010

Password Security

I have a new web hosting service on one of my web sites that insists that I use a password that they call STRONG. They forced me to change my existing password, and won't accept my ideas for a new password without passing their meter for STRONG passwords.

It irritates me that they think they know better than I, a 25-year computer industry veteran, what makes a good password. They are, in fact, wrong about that. I know better than they do.

First of all, there are really only three ways that your password can be "cracked":
  1. you are an idiot and post your password somewhere it can be read
  2. intuitive guessing by someone who knows something about you
  3. automated, algorithmic guessing by a hacker's computer
Let's assume that 1 won't happen.

Making a password safe against intuitive guessing is a very good idea. Don't use your pet's name, your name spelled backwards, or anything like that. There is a lot to say about this kind of password thinking, but let's just say this: the hacker's computer is not intuitive. That is, they can't really apply a lot of these tests to see if your password is good, like "hmmm, that is the name of Glenn's cat, spelled backward." I don't have a cat. Their computer doesn't know that. A hacker might know that, because they read your blog. Be very careful about what you think people don't know about you, because they just might. My old admin from many years ago, who embezzled from my company, had a cat named Soonie. I bet she didn't know that I knew that.

So assuming you are clever about avoiding intuitive guessing, this leaves essentially only the automated cracking approach. The idea here is that somebody writes a password cracking program that will repeatedly try, for example, all the words in the dictionary, spelled forwards and backwards and with random capitalization, to hack into your account.

Let's look at that for a moment. First of all, no way. I defy anyone to prove that anyone has ever had their account compromised like this. Most computers, and sites, in fact, only allow a few incorrect passwords before suspending your account and not even letting you guess your own password.

That's why everybody puts their elaborate, crack-proof passwords into a Word document, prints it out, and puts it on the wall of their cubicles, because if you forget your own STRONG password that some web site made you choose, you can't get into your own bank account!

But back to the main thread. Let's assume that your site has a limit on incorrect attempts, or an "exponential time decay" (usually called exponential backoff), which is a better way to do the same thing: it allows more guesses, but makes you wait longer and longer after each incorrect one. These techniques completely eliminate algorithmic password guessing, right? So why would you also insist that your users make a ridiculous password? My point exactly.
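Here is what those two policies look like in code, as an added illustration that is not part of the original post and not the hosting service's implementation: a toy authenticator that either suspends the account after five wrong guesses or doubles the wait after each wrong guess (the five-failure threshold and the one-second base delay are assumptions), plus a count of how many guesses an attacker who never gives up can squeeze in within a day under each policy. The clock is simulated, so it runs instantly.

```python
import hmac


class ThrottledLogin:
    """Toy password check with the two throttling policies from the text.

    Added illustration only; this is not the hosting service's code. The
    policy names, thresholds and delays are assumptions chosen for the demo.
    policy="lockout": suspend the account after max_failures wrong guesses.
    policy="backoff": after each consecutive wrong guess, refuse further
    attempts for base_delay * 2**(failures-1) seconds (1 s, 2 s, 4 s, ...).
    """

    def __init__(self, password, policy="lockout", max_failures=5, base_delay=1.0):
        if policy not in ("lockout", "backoff"):
            raise ValueError("unknown policy: %r" % policy)
        self._password = password.encode()
        self.policy = policy
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.failures = 0          # consecutive wrong guesses
        self.locked = False
        self.next_allowed = 0.0    # earliest clock time for the next attempt

    def attempt(self, guess, now):
        """Return True if `guess` is right, False if wrong; raise
        PermissionError if the policy refuses the attempt. `now` is a
        simulated clock in seconds so the demo runs without sleeping."""
        if self.policy == "lockout" and self.locked:
            raise PermissionError("account suspended after %d failures" % self.max_failures)
        if self.policy == "backoff" and now < self.next_allowed:
            raise PermissionError("try again in %.0f s" % (self.next_allowed - now))
        # constant-time compare so the check itself leaks nothing about the password
        if hmac.compare_digest(guess.encode(), self._password):
            self.failures = 0
            return True
        self.failures += 1
        if self.policy == "lockout" and self.failures >= self.max_failures:
            self.locked = True
        elif self.policy == "backoff":
            self.next_allowed = now + self.base_delay * 2 ** (self.failures - 1)
        return False


def guesses_possible(policy, window_seconds, max_failures=5, base_delay=1.0):
    """Count the wrong guesses a patient attacker can make on one account
    within `window_seconds` of simulated time under `policy`."""
    login = ThrottledLogin("correct horse", policy, max_failures, base_delay)
    now, count = 0.0, 0
    while now <= window_seconds:
        try:
            login.attempt("wrong-%d" % count, now)   # constructed guesses, never right
            count += 1
        except PermissionError:
            if login.locked:
                break                       # lockout: nothing more to do
            now = login.next_allowed        # backoff: wait out the delay and retry
    return count


if __name__ == "__main__":
    day = 24 * 3600
    for policy in ("lockout", "backoff"):
        print("%-8s policy: %d guesses possible in one day"
              % (policy, guesses_possible(policy, day)))
```

A production version would keep the counter server-side and key it on the account and on the source address rather than on one session. It would also take into account that a hard lockout gives anyone who knows your user name an easy way to lock you out of your own account, which is one reason the backoff variant is the better of the two.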

But there's more. The hosting service in question (okay, I'll name them: bluehost.com) makes you use at least one number, at least one punctuation mark, at least one capital letter, more than 8 letters, etc. Why?

Remember the "tens place" and the "hundreds" place? If you just use digits from 0-9, then there are only ten possibilities for each digit. So a 4-digit number has 10,000 possibilities. If you allow every one of the 256 possible byte values in each position (ASCII proper is only 128 of those, and only 95 of them are printable characters you could actually type into a password field, but let's be generous), it's not 10*10*10*10, it's 256*256*256*256, which is 4,294,967,296 possibilities. That's a LOT, isn't it?

So why do I need at least an 8-digit password, if a 4-digit password has 4.2 billion possibilities?

And why do you insist that I use capital letters? That doesn't actually help. The possibility that I might use a capital letter, or punctuation, or a digit, is how we get to 256 possibilities for each letter. The automated guessing program doesn't know if I used capitals or not, so it has to guess them anyway. My password is not more secure just because my web site thinks that I need to use "at least one capital letter". I didn't try it, but I wonder if they also insist that I use "at least one lower-case letter". That should be equally important, if the goal is variety.

If what you're trying to do is outwit automated guessing programs, a 2-digit password might be even more secure than an 8-digit password, because the programs might not bother guessing 2-digit passwords, figuring nobody would be that stupid. If they don't try it, then they won't succeed in guessing it, right? So maybe a 2-digit password is actually more secure!

And what's totally ironic about requiring that I use at least 8 letters is that it makes the cracking much easier. They just eliminated about 7.2e+16 (72 quadrillion: every string of 1 to 7 bytes) perfectly good passwords that now the cracking program doesn't even have to try, because they are disallowed.
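The counting above, carried out in code as an added worked example (it is not from the original post, and the 5-guesses-per-second rate at the end is an assumption, not a figure about any real site): keyspace() sums the number of strings of each allowed length, which is the step that is easy to get wrong by hand, and minimum_length_report() shows what an "at least 8" rule removes from the 256-symbol space used in the text, alongside the same figures for the 95 printable ASCII characters.

```python
"""Password-keyspace arithmetic for the cases discussed in the text.

Added illustration, not from the original post. The guess rate used in the
demo is an assumption, not a measurement of any real site."""

SECONDS_PER_YEAR = 365 * 24 * 3600

# Alphabet sizes referred to in the text. 256 counts every byte value, most of
# which are unprintable; 95 is the printable ASCII set you can actually type.
DIGITS, PRINTABLE_ASCII, ALL_BYTES = 10, 95, 256


def keyspace(alphabet_size, min_len, max_len):
    """Number of distinct strings of length min_len..max_len (inclusive) over
    an alphabet of alphabet_size symbols, i.e. the sum of alphabet_size**k.
    Uses Python ints, so nothing overflows or rounds."""
    if alphabet_size < 1 or min_len < 0 or max_len < min_len:
        raise ValueError("bad keyspace parameters")
    return sum(alphabet_size ** k for k in range(min_len, max_len + 1))


def years_to_exhaust(space, guesses_per_second):
    """Wall-clock years needed to try every password in `space` at a steady
    guess rate; on average the right one turns up halfway through."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return space / guesses_per_second / SECONDS_PER_YEAR


def minimum_length_report(alphabet_size, min_len):
    """Compare the passwords a minimum-length rule disallows (lengths
    1..min_len-1) with the ones of exactly min_len that remain allowed."""
    disallowed = keyspace(alphabet_size, 1, min_len - 1) if min_len > 1 else 0
    allowed = keyspace(alphabet_size, min_len, min_len)
    return {"disallowed": disallowed, "allowed": allowed,
            "disallowed_fraction": disallowed / allowed}


if __name__ == "__main__":
    print("4 digits:              %d" % keyspace(DIGITS, 4, 4))
    print("4 bytes:               %d" % keyspace(ALL_BYTES, 4, 4))
    print("4 printable chars:     %d" % keyspace(PRINTABLE_ASCII, 4, 4))
    print("8 printable chars:     %d" % keyspace(PRINTABLE_ASCII, 8, 8))
    r = minimum_length_report(ALL_BYTES, 8)
    print("'at least 8' disallows %d byte strings (%.4f of the 8-byte space)"
          % (r["disallowed"], r["disallowed_fraction"]))
    # assumed rate: an online guesser throttled to 5 attempts per second
    print("4-byte space at 5 guesses/s: %.1f years"
          % years_to_exhaust(keyspace(ALL_BYTES, 4, 4), 5))
```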

My point is that all of these "safeguards" to make your password more secure against automated guessers are, first of all, a red herring, since I don't think there are really password guessers out there trying to hack into my rightbrain.com web site, and second of all, they don't actually reduce the chances of them guessing my password correctly. The automated guesser is either going to methodically try all 4.2 billion possibilities, or it's not. If it does, it will eventually guess my password, no matter how STRONG it is. If it's not, then if I'm clever enough to keep my friends from guessing it -- it's secure!

I've had passwords on things for 30 years and nobody has guessed any of my passwords. They won't, either, unless I have to write down a "STRONG" password because there's no way I can actually remember it.

The most secure password is one that you don't have to write down, because it prevents people from just finding where you wrote it down. That's why people use their cat's names, spelled backwards. Forcing me to come up with some random sequence of improbable letters makes it much more likely that I'll write it down somewhere.

Give me a break. And let me choose my own passwords, please. You can give me feedback on what you think is "good", but don't force me to use your rules. It's not more secure, it really isn't!