
Passwords October 5, 2013

Posted by brltkd in Security.

User authentication is an important factor in nearly every computing system. Whether you are using an online banking system or enforcing parental controls on your home computer, there must be a reliable method to validate the user.

Probably the most common, and one of the simplest, methods of user authentication is requiring a unique username and password for each user. However, a number of factors affect the quality of this approach. The primary concern is the complexity of the password. Many systems enforce requirements on the character set; for example, they may require that the password include upper and lower case letters, a number, or a punctuation character. Enforcing a minimum password length is also one of the most important considerations. The number of potential passwords increases exponentially with length, so simply adding one character can significantly increase the number of possibilities. Generally, the recommended minimum password length is eight characters, but consider adding one more. Using just the lower case alphabet, this takes the number of possible passwords from about 200 billion (26^8) to nearly 5.5 trillion (26^9). The increase is far greater when complexity is enforced in the character set as well.

While enforcing password complexity and minimum lengths is important, it does not guard against people using personally significant information. Including items such as the names of family and friends or birthdates in passwords can make them easier to guess. If the person trying to determine the password knows personal information about you, they can use it to reduce the pool of candidate passwords to a set that could easily be cracked, even if the password uses a large character set and length. Many systems enforce criteria that prevent you from using parts of your name or birthdate in your password to help reduce this vulnerability.
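As an added example that is not part of the original post, the following Python checker implements the three points above: the keyspace calculation behind the 200 billion and 5.5 trillion figures, a minimum length plus character-class requirement, and rejection of passwords that contain the user's name or birthdate. The class sizes, the minimum of nine characters and three classes, and the birthdate formats are assumptions chosen for illustration.

```python
import re
from datetime import date

# Character classes a policy typically checks for, with the size of each class.
# The punctuation count (33 printable ASCII symbols) is an assumption used only
# for the keyspace estimate.
CLASSES = {"lower": r"[a-z]", "upper": r"[A-Z]", "digit": r"[0-9]", "punct": r"[^A-Za-z0-9]"}
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "punct": 33}


def keyspace(length, classes):
    """Number of distinct passwords of `length` drawn from the union of `classes`."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def personal_tokens(name, birthdate=None):
    """Lower-case substrings derived from personal data that should not appear in a password.

    `birthdate` is an ISO date string such as "1985-03-14"; the formats below are
    assumed common ways of writing a birthdate into a password.
    """
    tokens = {part.lower() for part in name.split() if len(part) >= 3}
    if birthdate is not None:
        bd = date.fromisoformat(birthdate)
        for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%m%d%Y", "%Y%m%d"):
            tokens.add(bd.strftime(fmt))
    return tokens


def check_password(password, name="", birthdate=None, min_length=9, min_classes=3):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = [c for c, pattern in CLASSES.items() if re.search(pattern, password)]
    if len(present) < min_classes:
        problems.append(f"uses {len(present)} character class(es), policy needs {min_classes}")
    lowered = password.lower()
    for token in sorted(personal_tokens(name, birthdate)):
        if token in lowered:
            problems.append(f"contains personal information '{token}'")
    return problems


if __name__ == "__main__":
    # Figures quoted in the post: lower-case alphabet only, length 8 versus 9.
    print(keyspace(8, ["lower"]), keyspace(9, ["lower"]))
    # Constructed sample user: long and complex, yet built from a surname and birth year.
    print(check_password("Smith1985!x", "John Smith", "1985-03-14"))
```

The second print shows the point of the paragraph: a password that satisfies length and complexity rules still fails once the checker knows the user's name and birthdate.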

While it is important to require certain characteristics of passwords on a system, how much is too much? Requiring extremely long or complicated passwords may cause users to write them on a Post-it note and stick it to their monitor. This counteracts the benefit of the strong password, at least against local users who have physical access to the computer.

It is now commonplace for people to conduct business and exchange sensitive information over the internet using email systems and websites. Often, the only thing that stands between your information and a hacker is a secure username and password. Do you think this is enough? Where is the balance between usability and security?


