Managing strong passwords: You got a better idea?

Show your colleagues how to avoid password mistakes

Our recent article that listed some real-world bad passwords provoked a flurry of comments on the virtue of complex credentials vs. the difficulty of remembering them without writing them down, as the experts all say is important.

So we're launching a contest. In the comments below, give us your best tips for creating and remembering strong passwords – without writing them down. The GCN editors will judge and the person who submits the best tip will win a prize. (Really!). We'll take entries for one week, ending on Monday, May 24.

The article detailed a security firm's analysis of several million passwords that a hacker had stolen from a Web site. The analysis showed that nearly half of the passwords were exactly the kind security experts say you should never use: sequential numbers, dictionary words and even the word "password."

Bruce Falk noted the other extreme: Policies that require excessively complicated and frequently changed passwords.

"This article fails to account for the disconnect between online security and practical human frailty," Falk wrote. "Yes, these passwords represent rock stupidity, but so do policies and infrastructures which require multiple log-in identifications and passwords, entry of certain arbitrary characters (e.g., caps/lower case mixtures or alphanumeric mixes with symbols), and which then insist on frequent (less than 24 mos.) changes to same."

Such requirements can actually undermine security, Falk added, because they encourage users to "select least-common-denominator IDs or passwords (which are easy to remember), to rely on cookies or workstation keystroke recall, and/or to maintain easily located files or hard-copy cheat sheets with the necessary access information."

What's needed, he said, are password policies that take into account both the need for hard-to-guess passwords and human limitations for memorizing complex strings. "If we could identify a workable middle-ground, we could stop laughing at inadvertent or foolhardy security policy abusers and likely increase genuine security (as opposed to security theater)," Falk wrote.

Not everyone agreed. James Reeves, responding directly to Falk's comments, wrote: "By insisting on upper and lower case, numbers and special characters, we increase exponentially the number of random guesses that an automated process must go through to discover a password. At the same time we eliminate the possibility of common words, simple sequences of numbers or letters, and so forth. The rules about 'strong' passwords are sound."

Carl Andersen then addressed Reeves and Falk, partially agreeing with both, bot not fully endorsing either.

"I have some sites that require password every 60 days, others every 90 days and some that never require a change!" Andersen wrote. "In addition, some sites will not accept certain symbols, such as hyphens, while others accept hyphens but not underscores! Finally, some applications will not let users select their own passwords, but instead create passwords using a random collection of letters, numbers, and symbols. It is this lack of uniformity that makes it so difficult and annoying to maintain security. It is impossible for me to not keep a cheat sheet when I have over 20 work related applications/web sites for which I need to maintain current passwords – with different schedules and rules."

About the Author

Technology journalist Michael Hardy is a former FCW editor.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.