CYBEREYE—Commentary

With passwords, simplicity can equal strength

By this time, it comes as no surprise that passwords can provide lousy security. In theory, they are a great way to authenticate a user at an appropriate level of assurance with little overhead on either the user side or the back end. That might have been the case back when passwords were seldom used and remembering one was not difficult. But in an increasingly online environment in which a user can have a dozen or more passwords to keep straight and regularly rotate, it quickly becomes obvious that they do not scale well.

Most users quickly abandon the effort to keep multiple complex passwords unique or secure and instead use the same one or two passwords over and over for different purposes. On the system side, password resets are the bane of help desks. Couple those challenges with the increased computing power available for guessing or cracking passwords and it is obvious why there is so much interest in certificates, tokens, biometrics and other authentication schemes.

It seems a shame to give up on passwords when in theory they are so simple. And simplicity could be the key to keeping them viable.

In a recent blog posting, Mushegh Hakhinian, security architect at IntraLinks Inc., pointed out the paradox that very long passwords, or passphrases, can be easier to remember than shorter but more complex passwords and can provide more security. That is because a passphrase that contains 16 letters that are not case sensitive — and no numerals or special characters — can provide in the neighborhood of 10 million more possible combinations than an eight-character complex password that uses upper and lower case, numerals, and other characters.

A 12-character complex password in theory can provide more security than a simple passphrase, but remembering such a password can be difficult enough that a user weakens its security by having to write it down. There is also a tendency to use passwords for multiple accounts and change them in predictable patterns.

A disclaimer is appropriate here: Hakhinian is not a completely disinterested observer. IntraLinks makes collaboration and workflow tools that use authentication, and the company’s most recent release supports the use of longer passphrases.

But the logic is valid. The greatest strength of a complex password is that it is, at its best, complete gibberish. That is also its greatest weakness. On the other hand, a passphrase can contain enough internal logic to make it easily remembered by the user, but a 26-letter character set can give it adequate complexity.

For example, the phrase “thankgoditsfriday” is much easier to remember than a password containing $ and # among a jumble of numbers and upper- and lower-case letters. (OK, “thankgoditsfriday” might be a little too predictable, but given a minute, you can probably think up something less predictable that is equally secure and memorable to you.)

There is nothing earth-shattering here, and Hakhinian’s observations are not likely to stop work on digital signatures, biometrics, single sign-on and other solutions to the password problem. But it is a reminder that the simplest solution often is best. By lengthening and simplifying passwords into passphrases, we could probably get a lot more life out of many current authentication mechanisms without sacrificing security.

About the Author

William Jackson is a Maryland-based freelance writer.

The Fed 100

Read the profiles of all this year's winners.

Featured

  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group