I’m building a new mail server at the moment and it will include webmail, which will be made accessible to the outside world, so that staff can check their mail from anywhere they like.
Obviously I need to make sure that the system is secure; secure passwords are usually defined as something like:
- a mixture of upper and lower case letters, numbers and some non-alphanumeric characters
- containing no dictionary words, or systematic sequences such as acronyms
- containing no sequences that could be guessed from personal knowledge of the user (such as birthday, etc)
- at least 8 characters
OK, so that means I’d be issuing folks with a password like J9w-2sB2; now that ought to be fine. I don’t personally have problems remembering a frequently-used password like that (seriously, my remote access password is secure to the above definition and 15 characters long, and I never forget it), but not everyone is blessed with superhuman powers of retention and recall like me.
So they’d write it down, probably on a piece of paper along with their username and the webmail URL.
So what’s the solution? How can I give them remote access to their email, using a password system that is both sufficiently secure, and convenient at the same time?
We’ve been going over this at work. I hate the ‘mixture of different kinds of symbols’ rules myself… they make ugly passwords, are hard to remember, and force people into sometimes picking passwords that are even easier to guess than otherwise. My suggestions:
Do let users pick their own password if possible. Most are pretty good at picking something that’s easy for them to remember and not that hard to guess.
Screen out obvious patterns (repeating characters, ascending sequences… containing the term ‘password’ or a few other really braindead-obvious things.) Match passwords against a ‘frequently used passwords list’ and don’t let your users pick anything that appears there. You can download those from the net.
Provide a few ‘guidelines’ about things that they shouldn’t do that the system can’t practically screen for - i.e. birthdays, maybe.
Tell them they can write down their password, but they have to keep it in their wallets and guard it as they do their credit cards. Make them promise that if they lose the piece of paper, they will immediately change their password.
Have them think of a sentence that includes at least one proper noun and at least one number. For example:
Jack and Jill have 6 apples.
Then take the first letter/number of each word of the phrase (keeping capitalization as is). In the above example it would be reduced to “JaJh6a” - which is about as secure as you’re gonna get.
Another example:
There are 88 keys on Elton’s piano = “Ta88koEp”, which is a massive password, yet memorable because of the phrase.
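As an added example (my own code, not posted by anyone in this thread): the screening checks suggested a few posts up (repeated characters, ascending sequences, the word ‘password’, a frequently-used-passwords list) and the mnemonic reduction described just above, in one small Python module. The common-password list is a constructed stand-in for the downloadable lists mentioned; `require_mix` is an assumed switch that bolts the OP’s mixed-character-class rule back on, since the suggestion above deliberately drops it.

```python
import re

# Constructed stand-in for a downloaded "frequently used passwords" list.
# A real deployment would load a large list from disk; this one is only
# here so the example runs offline.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "abc123",
    "iloveyou", "monkey", "dragon", "welcome", "football", "admin",
}


def has_repeated_run(pw, run=3):
    """True if some character repeats `run` or more times in a row ('aaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw, run=4):
    """True if `run` consecutive characters step up or down by exactly one
    code point ('abcd', '4321'), compared case-insensitively."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        steps = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def screen_password(pw, min_length=8, require_mix=False):
    """Return the reasons a candidate password is rejected (empty = accepted).

    The pattern checks are the ones suggested in the thread; `require_mix`
    (an assumption of this example) adds the OP's mixed-class rule.
    """
    reasons = []
    if len(pw) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if "password" in pw.lower():
        reasons.append("contains the word 'password'")
    if has_repeated_run(pw):
        reasons.append("run of repeated characters")
    if has_sequence(pw):
        reasons.append("ascending or descending sequence")
    # Strip digits and symbols before the lookup so 'Password1!' still hits
    # the list entry 'password'.
    base = re.sub(r"[^a-z]", "", pw.lower())
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if require_mix:
        classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
        if not all(classes):
            reasons.append("missing upper/lower/digit/symbol mix")
    return reasons


def mnemonic(phrase):
    """Reduce a sentence to the first letter of each word, keeping the
    original capitalisation and keeping whole numbers intact."""
    out = []
    for token in phrase.split():
        digits = re.match(r"\d+", token)
        if digits:
            out.append(digits.group())        # '88' stays '88', not '8'
            continue
        letters = re.sub(r"[^A-Za-z]", "", token)
        if letters:
            out.append(letters[0])            # "Elton's" -> 'E'
    return "".join(out)


if __name__ == "__main__":
    for phrase in ("Jack and Jill have 6 apples.",
                   "There are 88 keys on Elton's piano"):
        pw = mnemonic(phrase)
        print(pw, screen_password(pw), screen_password(pw, require_mix=True))
```

Running it shows how the two mnemonics in the post fare against the screener with and without the OP’s class-mix rule; the digit handling matters, because taking only the first character of “88” would silently drop a character from the password the user thinks they have.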
I shall be using this. You should file for a patent. This could change the life of this computer engineering major, in a way that a Wendy’s Frosty never could. Although those guys would say, “It’s a good idea, AND a mnemonic. It’s a goo-monic!”
Oooh, this password thing really gets me. I used to work in an office where various places I might need to go each had a different sign-in procedure and password, and there were 7 or 8 of them. To make things worse, some of them had certain naming conventions (must be 8 characters and contain at least 2 but no more than 4 numbers) (cannot be any other password now or ever applied by this user) and to make it all yet still worse, most of them had to be changed at regular intervals–60 days, 90 days–and you couldn’t just switch back and forth between two or three of them.
So what everybody did was write down a list of these passwords and tape it to their computer. I mean, who wouldn’t? Most people (including me) were subtle enough about it not to write down the specific application that went to the password–I guess most of us could remember that. But not all of us! (I occasionally blew it, particularly on seldom-accessed applications.)
Finally the IT people saw the light. Rather than harangue us about our laxity they changed the system so we now only need, at most, 3 separate passwords. Ah. Much better. And 2 out of the 3 are changed only at the discretion of the user. The other one, alas, is still every 60 days. Doctor Who’s solution is really good.
Set checkers, but allow people to choose and change their own passwords. If you can, make the system force them to change it the first time they log in (so, the “initial password” can be 123 for everybody, but the “real” password is set by the user). That’s what we do in SAP.
Checkers should include any locations for your company. I’ve been looking over the shoulder of end-users while they changed the password and they were all pretty startled when I said “I love you, dear, but will you please not use ‘pamplona’?” * OHMYGODHOWDIDYOUKNOW! Well, at the speed you peck, and being in Pamplona and all, it wasn’t hard to see…
This is not considered unprofessional in Spain, if your delivery is properly deadpan.
There are a number of theories as to what is the best way to manage passwords. I’ve never understood this idea that you have to change your passwords on a regular basis. If you use the same one over and over again it can be longer than the typical one and you can learn to bang it out pretty quickly on a keyboard. There would be no reason to write it down, either. Make it more than 10 characters and multi case. Use a phrase like, “She sells sea shells”. How long does it take to type that vs. something like ‘J42Z3#mr’? Yet the easy one has 20 characters while the ‘secure’ one has only 8.
At work I use a base password that is 7 characters long and multicase and then add an additional 3 numbers to reflect the date. They make us change it every 45 days.
So, I only ever change the date at the end of it. If I had my choice, I’d make it longer and never change it. With the security policies we have in effect here it is not very likely that someone will get a keylogger on their computer that isn’t caught before it can do something.
I use the mnemonic sometimes, but a geometric pattern works well too. Look at how you type these:
BBgt5%
)OKMnji9
45TRfgBV #Edcvfr4
And when you have to change the password, you can just move the starting key one to the left or right or ??? It just becomes a sequence of shift keys and patterns so that you pretty much only need to remember the starting point.
It looks as though I won’t have the option to allow or compel users to change or set their own passwords; the machine I’m setting up is going to be running SME Server (an excellent self-installing, self-configuring open-source small business server, with a web configuration GUI, based on Linux). User authentication is system-wide; if I gave them the opportunity to change their password for webmail (which looks like it isn’t even an option anyway), they would find that everything else had stopped working when they returned to the office - their desktop mail client would be unable to retrieve mails, their access to shared network drives etc.
I tend to use stuff like 99#balloon and 50lovely$$.
Easy to recall and has alphas, numbers and symbols. I hate upper and lower case though. Plus I think they dislike having a real word in it, but I don’t care.
I’ll do something like “Apples4Dinner” or whatever. You could make a password generator pretty easily that would:
Have a list of verbs and a list of nouns
Use both lists to determine the first word, and only the noun list for the second
Join the two words with one of 2, 4, @, or &
Either use lowercase, capitalise the first letter of the first word, capitalise the first letter of both words, or capitalise all letters of both words
So if you have:
Nouns:
apples
cats
bears
dogs
yoda
fishing
lolipops
Such things are supposedly prone to ‘dictionary attack’, but to be honest, how long is it going to take for an attacking program to get around to trying ‘tapdance&lolipops’ - given that there is a (currently 3 seconds, but configurable) timeout on failed password attempts.
Just take the cover of a novel, or some box, or something else you have and use the first letter from each column. It’s easy and almost random. After a while you’ll remember it fine.
I wonder about the geometric thing. I bet some dictionaries have some of those.
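The worry in the line above (that the ‘geometric’ passwords a few posts back are in cracking dictionaries) can be tested mechanically. This is an added example, my own code and not from anyone in the thread: it maps each character of a password back to its physical key on a US QWERTY layout (ignoring shift) and measures the longest run of characters typed on touching keys. The row-offset rule (row r+1 sits about half a key right of row r) is an approximation I am assuming for the adjacency test.

```python
# US QWERTY layout, one string per physical row, left to right. Row r+1 is
# shifted about half a key to the right of row r, so key (r, c) sits below
# keys (r-1, c) and (r-1, c+1). This is the assumed geometry.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
# Shifted symbols map back to the physical key they live on.
UNSHIFT = dict(zip("!@#$%^&*()_+{}:\"<>?", "1234567890-=[];',./"))

KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def key_pos(ch):
    """Physical (row, column) of the key that produces `ch`, or None."""
    return KEY_POS.get(UNSHIFT.get(ch, ch.lower()))


def adjacent(a, b):
    """True if keys a and b are the same key or touch on the keyboard."""
    (ra, ca), (rb, cb) = a, b
    if ra == rb:
        return abs(ca - cb) <= 1
    if rb == ra + 1:            # moving down a row
        return cb in (ca - 1, ca)
    if rb == ra - 1:            # moving up a row
        return cb in (ca, ca + 1)
    return False


def longest_walk(pw):
    """Length of the longest run of consecutive characters typed on
    adjacent keys (shift state ignored). Characters with no key position,
    such as spaces, break the run."""
    best = run = 0
    prev = None
    for ch in pw:
        pos = key_pos(ch)
        if pos is None:
            run, prev = 0, None
            continue
        run = run + 1 if prev is not None and adjacent(prev, pos) else 1
        prev = pos
        best = max(best, run)
    return best


def is_keyboard_walk(pw, min_len=4):
    """True if the whole password is one geometric walk across the keys."""
    return len(pw) >= min_len and longest_walk(pw) == len(pw)


if __name__ == "__main__":
    for pw in ("BBgt5%", ")OKMnji9", "45TRfgBV", "#Edcvfr4", "Ta88koEp"):
        print(pw, longest_walk(pw), is_keyboard_walk(pw))
```

Every one of the three patterns posted above comes back as a pure walk, while the mnemonic “Ta88koEp” has a longest run of two; an attacker who enumerates walks of a given length needs far fewer guesses than the character count suggests, which is exactly why such patterns end up in wordlists.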
We have to change our passwords at work every 30 days, use a mix of letters, caps and symbols, and they must be 8 characters long (minimum). I use a variation of “Shithead”, like “Sh1thead!”, and when I get that annoying change-password prompt it becomes “Sh1thead@” then “Sh1thead#” ad nauseam. It’s easy enough to remember and if I forget for some reason I just have to do a couple of variations before I have the current one.
Also, if I write something down, it’s in a personal code mix of Chinese, pinyin and English using some things only I am familiar with…
It’s only a problem for a dictionary attack if you don’t have some sort of lockdown system in place. I.e. for each username, you track the number of incorrect password entries. If that gets to 100, you lock the account and it has to be unlocked by an admin. (And of course you reset to 0 every time they enter the correct password.) If you don’t have that, a fhN9023JD@’’ type password is just as vulnerable really, it’s just a question of time.
And with two lists of each 1000 entries you’ve got a possibility of…
1000 * 1000 * 2 = 2,000,000 combinations of the lists
4 joiners = 8,000,000
4 capitalisations = 32,000,000
So they have a 1 in 320,000 chance of getting it before the lock comes up. And of course there’s a lot more than 1000 nouns out there.
If the number of possible passwords is sufficiently large, whether the lock is at 5 or 100 makes no statistical difference in terms of safety. As such you may as well make it large enough that it will only ever lock if it is an attack.
If you haven’t used your password for a year and don’t remember which capitalisation scheme was used, that already takes off four tries. All of a sudden you realise that your password was changed a month before the last time you used the service…
Really (and the guys at RSA agree), you are best to set it no lower than 50. Lower and you’re just potentially wasting admin time, for no better reason than that you have to type an extra 0 after the 5 in the password checking code.
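An added example that ties together the word-list generator described earlier in the thread, the combinatorics worked out a few posts up, and the lock-at-N-failures counter: my own code, not anything posted by the participants. The nouns are the ones listed in the thread; the verb list was never posted, so the verbs here are constructed stand-ins. The keyspace, guess-probability and exhaust-time functions reproduce the 32,000,000 / 1-in-320,000 figures above and the OP’s configurable per-failure delay; `LoginGuard` is an assumed name for the per-user counter that resets on success and locks at the threshold.

```python
import math
import secrets

# Constructed word lists. The nouns are the ones posted in the thread; the
# thread's verb list was not posted, so these verbs are my own stand-ins.
VERBS = ["tapdance", "jump", "sing", "swim", "paint", "whistle"]
NOUNS = ["apples", "cats", "bears", "dogs", "yoda", "fishing", "lolipops"]
JOINERS = "24@&"
N_SCHEMES = 4


def apply_scheme(scheme, first, second):
    """The four capitalisation schemes described in the thread, numbered 0-3."""
    if scheme == 0:
        return first.lower(), second.lower()
    if scheme == 1:
        return first.capitalize(), second.lower()
    if scheme == 2:
        return first.capitalize(), second.capitalize()
    return first.upper(), second.upper()


def build(first, second, joiner, scheme):
    a, b = apply_scheme(scheme, first, second)
    return a + joiner + b


def generate():
    """Draw one password with the OS CSPRNG: first word from verbs+nouns,
    second word from nouns only, one joiner, one capitalisation scheme."""
    return build(secrets.choice(VERBS + NOUNS), secrets.choice(NOUNS),
                 secrets.choice(JOINERS), secrets.randbelow(N_SCHEMES))


def keyspace(n_verbs, n_nouns, n_joiners=len(JOINERS), n_schemes=N_SCHEMES):
    """Number of distinct passwords the generator can produce."""
    return (n_verbs + n_nouns) * n_nouns * n_joiners * n_schemes


def bits(space):
    """Keyspace expressed as bits of entropy (uniform choice assumed)."""
    return math.log2(space)


def guess_probability(attempts, space):
    """Chance that an attacker who knows the generator hits one account's
    password within `attempts` non-repeating guesses."""
    return min(attempts, space) / space


def seconds_to_exhaust(space, delay_seconds):
    """Wall-clock time to try every candidate when each failed attempt
    costs `delay_seconds` (the configurable timeout the OP mentioned)."""
    return space * delay_seconds


class LoginGuard:
    """Per-user failure counter: reset on success, lock at `threshold`,
    and only an admin unlock clears the lock. (Assumed name.)"""

    def __init__(self, threshold=100):
        self.threshold = threshold
        self.failures = {}
        self.locked = set()

    def attempt(self, user, password_ok):
        if user in self.locked:
            return "locked"           # even a correct password is refused
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "rejected"

    def unlock(self, user):
        self.locked.discard(user)
        self.failures[user] = 0


if __name__ == "__main__":
    space = keyspace(1000, 1000)
    print(generate(), space, round(bits(space), 1))
    print(guess_probability(100, space), seconds_to_exhaust(space, 3) / 86400, "days")
```

With two 1000-entry lists the space is about 24.9 bits, which is why the lock threshold hardly matters: 5 or 100 guesses against 32 million candidates is a negligible fraction either way, and with a 3-second delay per failure a full sweep of one account takes over three years. The counter is per user, so it does nothing against an attacker who spreads a handful of guesses across every account; that needs a separate per-source or global rate limit.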