A quick note on Passwords.

I was having a discussion with my father over the phone this morning attempting to help him along with a problem he was having with his e-mail. We sorted the problem out and he asked how he could go about changing his password. I tried explaining it to him but it was easier for me to just do it so I asked him what his current password was and what he wanted his new password to be. His current password, he relayed to me, was "aaaaaaaa".... 8 a's because he has to use at least 8 characters. It would take a dictionary about a second to crack that password, presumably on it's 8th attempt assuming that the wordlist/dictionary being used started at "a" or "A" instead of "0". In either case it wouldn't take that long at all.

So this made me think, what does a strong password mean? By some definitions it means "having an entropy of 128 bits or more" which means  that the password generation scheme which you used may generate at least 2¹²⁸ other distinct passwords.  So we are not talking about 8 or 10 characters, rather 20 completely random characters, or a list of 10 randomly chosen "common words". My personal passwords are usually 12-16 characters made up of symbols, numbers and letters in an order that makes sense to me, or for sites I access a lot and don't require a stronger password I use a passphrase. It is easier to remember "thisISaBLOGentry123456" or whatever (obviously that one is easy, it's just an example) than a clusterfuck of symbols, letters and numbers which mean nothing to you. These random character generates can sometimes make things worse off especially if you want other people, such as workers, to use this these random generated passwords, with for example 16 characters, spitting out something like "6Iuh%jkl00aS2HHt". I can almost promise you that your employee will either write that down on a post-it note and stick it somewhere in there office/cubicle/whatever or keep a note of it somewhere like their wallet or purse. The great random, 16 character password you thought was so secure just became pointless.

Just my thought for the morning.