CYBEREYE—Commentary

With passwords, simplicity can equal strength

By this time, it comes as no surprise that passwords can provide lousy security. In theory, they are a great way to authenticate a user at an appropriate level of assurance with little overhead on either the user side or the back end. That might have been the case back when passwords were seldom used and remembering one was not difficult. But in an increasingly online environment in which a user can have a dozen or more passwords to keep straight and regularly rotate, it quickly becomes obvious that they do not scale well.

Most users quickly abandon the effort to keep multiple complex passwords unique or secure and instead use the same one or two passwords over and over for different purposes. On the system side, password resets are the bane of help desks. Couple those challenges with the increased computing power available for guessing or cracking passwords and it is obvious why there is so much interest in certificates, tokens, biometrics and other authentication schemes.

It seems a shame to give up on passwords when in theory they are so simple. And simplicity could be the key to keeping them viable.

In a recent blog posting, Mushegh Hakhinian, security architect at IntraLinks Inc., pointed out the paradox that very long passwords, or passphrases, can be easier to remember than shorter but more complex passwords and can provide more security. That is because a passphrase of 16 letters that are not case sensitive, with no numerals or special characters, has roughly 10 million times as many possible combinations as an eight-character complex password drawn from upper and lower case, numerals and other characters (26^16 against 95^8, taking the complex alphabet to be the 95 printable ASCII characters).

A 12-character complex password in theory can provide more security than a simple passphrase, but remembering such a password can be difficult enough that a user weakens its security by having to write it down. There is also a tendency to use passwords for multiple accounts and change them in predictable patterns.

A disclaimer is appropriate here: Hakhinian is not a completely disinterested observer. IntraLinks makes collaboration and workflow tools that use authentication, and the company’s most recent release supports the use of longer passphrases.

But the logic is valid. The greatest strength of a complex password is that it is, at its best, complete gibberish. That is also its greatest weakness. On the other hand, a passphrase can contain enough internal logic to make it easily remembered by the user, while its length, even over a 26-letter alphabet, gives it adequate complexity.

For example, the phrase “thankgoditsfriday” is much easier to remember than a password containing $ and # among a jumble of numbers and upper- and lower-case letters. (OK, “thankgoditsfriday” might be a little too predictable, but given a minute, you can probably think up something less predictable that is equally secure and memorable to you.)
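The keyspace arithmetic behind the comparison above, carried through as an added example (this is not code from the column or from IntraLinks). It also puts a number on the "too predictable" caveat: if the attacker guesses "thankgoditsfriday" as four dictionary words rather than 17 letters, the search space shrinks to the word-list model. The alphabet sizes, the 7776-word list and the guessing rate are assumptions chosen for illustration.

```python
import math

# Alphabet sizes and the word-list size are assumptions, not figures from the column.
LOWERCASE = 26      # a-z, case-insensitive passphrase
FULL_ASCII = 95     # printable ASCII: upper, lower, digits and symbols
WORDLIST = 7776     # assumed diceware-style list size for the dictionary-attack model


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of `length` symbols drawn uniformly from an alphabet."""
    return alphabet_size ** length


def bits(candidates: int) -> float:
    """Search space as bits of entropy: log2 of the number of candidates."""
    return math.log2(candidates)


def phrase_keyspace(wordlist_size: int, words: int) -> int:
    """Search space when the attacker knows the secret is `words` words from a
    list of `wordlist_size` and enumerates word sequences instead of letters."""
    return wordlist_size ** words


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guessing rate."""
    return candidates / guesses_per_second / (365.25 * 24 * 3600)


def compare(guesses_per_second: float = 1e10) -> dict:
    """Return search-space sizes for the policies the column contrasts.

    `guesses_per_second` is an assumed offline cracking rate, used only to
    scale the keyspaces into years; it is not a measurement.
    """
    policies = {
        "8 chars, full ASCII": keyspace(FULL_ASCII, 8),
        "12 chars, full ASCII": keyspace(FULL_ASCII, 12),
        "16 letters, lowercase": keyspace(LOWERCASE, 16),
        # Roughly the same number of letters, but if they are really four
        # dictionary words the attacker enumerates word sequences, not letters.
        "4 words from a 7776-word list": phrase_keyspace(WORDLIST, 4),
    }
    return {
        name: {
            "candidates": n,
            "bits": round(bits(n), 1),
            "years": years_to_exhaust(n, guesses_per_second),
        }
        for name, n in policies.items()
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:32s} {row['bits']:6.1f} bits  {row['years']:.2e} years")
```

Run as a script it prints the four policies side by side: 16 lowercase letters sit at about 75 bits against about 53 bits for the eight-character complex password (the 10-million-fold gap the column cites), the 12-character complex password edges ahead at about 79 bits, and the four-word phrase drops to about 52 bits, below the eight-character complex password. Length only buys security when the letters are not guessable as a handful of words.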

There is nothing earth-shattering here, and Hakhinian’s observations are not likely to stop work on digital signatures, biometrics, single sign-on and other solutions to the password problem. But it is a reminder that the simplest solution often is best. By lengthening and simplifying passwords into passphrases, we could probably get a lot more life out of many current authentication mechanisms without sacrificing security.

About the Author

William Jackson is a Maryland-based freelance writer.
