With passwords, simplicity can equal strength

By this time, it comes as no surprise that passwords can provide lousy security. In theory, they are a great way to authenticate a user at an appropriate level of assurance with little overhead on either the user side or the back end. That might have been the case back when passwords were seldom used and remembering one was not difficult. But in an increasingly online environment in which a user can have a dozen or more passwords to keep straight and regularly rotate, it quickly becomes obvious that they do not scale well.

Most users quickly abandon the effort to keep multiple complex passwords unique or secure and instead use the same one or two passwords over and over for different purposes. On the system side, password resets are the bane of help desks. Couple those challenges with the increased computing power available for guessing or cracking passwords and it is obvious why there is so much interest in certificates, tokens, biometrics and other authentication schemes.

It seems a shame to give up on passwords when in theory they are so simple. And simplicity could be the key to keeping them viable.

In a recent blog posting, Mushegh Hakhinian, security architect at IntraLinks Inc., pointed out the paradox that very long passwords, or passphrases, can be easier to remember than shorter but more complex passwords and can provide more security. That is because a passphrase of 16 letters that are not case sensitive — with no numerals or special characters — offers in the neighborhood of 10 million times as many possible combinations as an eight-character complex password that draws on upper- and lower-case letters, numerals, and other characters.

A 12-character complex password in theory can provide more security than a simple passphrase, but remembering such a password can be difficult enough that a user weakens its security by having to write it down. There is also a tendency to use passwords for multiple accounts and change them in predictable patterns.
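The comparison above is just a keyspace calculation: the number of possible strings is the alphabet size raised to the length. The script below is an added example (not from the article or from IntraLinks) that works through the article's cases and also answers the policy question a practitioner actually faces: how many plain lowercase letters does a passphrase need to match a given complex-password policy? It assumes a 95-symbol alphabet (printable ASCII without the space) for the "complex" policy; the raw numbers apply only to randomly chosen letters, which is why a stock phrase such as "thankgoditsfriday" is weaker than the arithmetic suggests.

```python
import math

LOWERCASE = 26                 # a-z, not case sensitive
COMPLEX = 26 + 26 + 10 + 33    # upper, lower, digits, punctuation: 95 printable ASCII (assumption)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn at random from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same keyspace expressed in bits, the unit most password guidance uses."""
    return length * math.log2(alphabet_size)


def min_length_to_match(alphabet_size: int, target_keyspace: int) -> int:
    """Smallest length over `alphabet_size` symbols whose keyspace is at least `target_keyspace`."""
    length = 1
    while alphabet_size ** length < target_keyspace:
        length += 1
    return length


def compare_article_cases() -> dict:
    """The article's two examples: 16 lowercase letters vs. 8 or 12 complex characters."""
    passphrase16 = keyspace(LOWERCASE, 16)
    complex8 = keyspace(COMPLEX, 8)
    complex12 = keyspace(COMPLEX, 12)
    return {
        "passphrase16_bits": round(entropy_bits(LOWERCASE, 16), 1),
        "complex8_bits": round(entropy_bits(COMPLEX, 8), 1),
        "ratio_16_letters_to_8_complex": passphrase16 // complex8,   # several million
        "complex12_beats_passphrase16": complex12 > passphrase16,   # True, as the article says
        # policy numbers: lowercase length needed to equal each complex policy
        "letters_to_match_8_complex": min_length_to_match(LOWERCASE, complex8),
        "letters_to_match_12_complex": min_length_to_match(LOWERCASE, complex12),
    }


if __name__ == "__main__":
    for name, value in compare_article_cases().items():
        print(f"{name}: {value}")
```

The last two figures are the useful ones for writing a policy: with random letters, 12 lowercase characters already match an 8-character complex password and 17 match a 12-character one.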

A disclaimer is appropriate here: Hakhinian is not a completely disinterested observer. IntraLinks makes collaboration and workflow tools that use authentication, and the company’s most recent release supports the use of longer passphrases.

But the logic is valid. The greatest strength of a complex password is that it is, at its best, complete gibberish. That is also its greatest weakness. A passphrase, on the other hand, can contain enough internal logic to be easily remembered by the user, while a 26-letter character set, used at sufficient length, still gives it adequate complexity.

For example, the phrase “thankgoditsfriday” is much easier to remember than a password containing $ and # among a jumble of numbers and upper- and lower-case letters. (OK, “thankgoditsfriday” might be a little too predictable, but given a minute, you can probably think up something less predictable that is equally secure and memorable to you.)

There is nothing earth-shattering here, and Hakhinian’s observations are not likely to stop work on digital signatures, biometrics, single sign-on and other solutions to the password problem. But it is a reminder that the simplest solution often is best. By lengthening and simplifying passwords into passphrases, we could probably get a lot more life out of many current authentication mechanisms without sacrificing security.

About the Author

William Jackson is a Maryland-based freelance writer.

