Technology: Passwords in Progress


Technology: Our resident tech guy Colin Moors delves into the murky world of passwords. Hate them or ignore them, you can’t love them. This month, I shall be taking a look at those little words we all love to hate and what we can expect for our passwords in progress.

We’re all painfully aware that when you create a password, you need to supply a capital letter, a number or two, have at least one special (non-alphanumeric) character and it needs to be at least 9 characters, leaving you with a hard-to-remember combination such as Gl4d!4tor? It turns out that’s some of the worst advice in the world. The man who is ultimately responsible for the directive issued by the US National Institute of Standards and Technology (NIST), one Bill Burr, has gone on record as having deeply regretted forcing this on us.

Burr, who is now 72 and probably just trying to enjoy retirement, wrote the snappily titled NIST Special Publication 800- 63 Appendix A in 2003. This directive was pretty soon adopted by most organizations, providing the backdrop for the nightmare everyone has nowadays trying to craft something both unique and memorable. He’s on record as saying “much of what I did, I now regret”, also admitting that he based a lot of his research on a white paper from the 1980s, way before we had anything like a public internet. “In the end”, Burr said, “[the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree”.

The real issue with these kinds of password is that they are – surprisingly – relatively easy to crack, leaving your site or system less secure, not more. Why would this be? Simply put, it’s a question of pure number-crunching. Hackers will most often use what is known as a brute force attack, using their computer or a network of computers to try to guess your password. The main issue with using a plain word like the non-encrypted ‘Gladiator’ in the example above makes it a cinch to crack. “Aha”, you may think, “I’ll just use some special characters or numbers in the place of letters.” Good thinking, except for the fact that any
hacker worth his or her salt also knows you do that and will have adjusted their
hacking programs accordingly. Yes, it’ll take them a little longer but they aren’t going anywhere.

The answer to this too simple/too hard to remember quandary is surprisingly easy. Use more words. If we look at the computing power available today, and the complexity of the password, research has shown that our ‘Gl4d!4tor’ example would take somewhere around three days to guess – not to mention the trouble you may have remembering it. On the other hand, the password ‘gladiatoromnibuslighthousechop’ or any combination of four words of a decent length written as a single phrase would take around 550 years, given the possible permutations. You can more easily remember four seemingly random words than a complicated set of squiggles, so your data are safer. None of this protects you completely from attack but the idea is to make it complicated for them and easy for you.