Thursday, June 4, 2015

A Dose Of Human Reality

In the world of computer security, much counts on users selecting complex passwords and avoiding using known information like their children’s names or their favorite hobby. It’s really important and we count on their active involvement.

Now, a dose of human reality.

These are the same folks who slow down to 60 mph in a 70 mph zone when they see a police car, the same folks who won’t put out a new roll of toilet paper to replace the one they just finished, and the same people who never make more coffee even when there’s ⅛” left in the pot.

So now let’s head down the path of password construction, adding the human element.

In the beginning, well not really THE beginning, but since we have to start somewhere, let’s baseline with the common 8 character password, which has about 200 billion (26**8) possible lowercase combinations. Of course there are many more when you factor in their uppercase and numerical brethren, but why add pressing the shift key or reaching for the top row when it isn't necessary?

Now, for whatever reason, real, imaginary or just job security, the powers decided that a number was needed to increase that 200 billion even higher. Now there will be nearly 3 trillion (36**8) possible combinations, clearly much better.

Now, a dose of human reality.

We replaced the 8th character with a number, so we actually reduced the possible combinations down to 80 billion ((26**7)*10), clearly a step backward. But we really appreciated that we no longer had to decide on a new password each time; we just incremented the number on the end. Thanks for the tip, IT!

Well, that last one didn’t work out so well, so now the word came down from on high that a capital letter and a number would both be required. That would increase the possible combinations to over 200 trillion (62**8). Now we're really getting somewhere!

Now, a dose of human reality.

We all just capitalized the first letter, so we’re still stuck back at 80 billion.  What the heck did they think we would do? Then they tried requiring a special character, which we all put as the last character and moved the number up to position 7. Since there are fewer special characters than letters, we're now down to about 30 billion or so combinations.
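The arithmetic so far, as an added example (not from the original post): it derives the structure a password follows, counts the passwords that share that structure, and flags a rotation that only bumps the trailing number. The ten-symbol special set, the sample passwords and the function names are assumptions made for the example.

```python
import re

# Assumption: ten specials (the symbols above the digit row); that size is
# what makes the post's "about 30 billion" figure work out.
SPECIAL = "!@#$%^&*()"
CLASS_SIZE = {"l": 26, "u": 26, "d": 10, "s": len(SPECIAL)}


def structure(password):
    """Per-position character classes, e.g. 'Ab1!' -> 'ulds'."""
    out = []
    for ch in password:
        if ch in SPECIAL:
            out.append("s")
        elif ch.isascii() and ch.isalnum():
            out.append("d" if ch.isdigit() else "u" if ch.isupper() else "l")
        else:
            raise ValueError(f"character outside the modelled classes: {ch!r}")
    return "".join(out)


def effective_keyspace(password):
    """Number of passwords that share this password's structure."""
    total = 1
    for cls in structure(password):
        total *= CLASS_SIZE[cls]
    return total


def policy_keyspace(length, classes):
    """What the policy assumes: any allowed class at any position."""
    return sum(CLASS_SIZE[c] for c in classes) ** length


def is_increment(old, new):
    """True when new is old with only its trailing number changed."""
    a = re.fullmatch(r"(.*?)(\d+)", old)
    b = re.fullmatch(r"(.*?)(\d+)", new)
    return bool(a and b and a.group(1) == b.group(1) and a.group(2) != b.group(2))


if __name__ == "__main__":
    # Constructed sample passwords following the habits described in the post.
    for pw in ("password", "passwor1", "Passwor1", "Passwo1!"):
        print(pw, structure(pw), f"{effective_keyspace(pw):,}")
    print("policy (lower+upper+digit):", f"{policy_keyspace(8, 'lud'):,}")
    print("rotation is an increment:", is_increment("Passwor1", "Passwor2"))
```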

Frustrated that these stupid humans just won’t get with the program, they recommend that we build a password from a phrase.  So using the last sentence as the phrase, we generate an 8 character password of “Fttshjwg”, then change the “s” to a “3” and the “j” to a “!”, resulting in the beautifully constructed password of “Ftt3h!wg”.  

Now, a dose of human reality.

No. You people have lost your minds or are smoking funny things. Perhaps both.  

Then more advice. Change your password every 60 days, never use the same password across sites and never, ever write them down.

Not just no, but HELL NO! You guys are in serious need of rehab.  

So why don't we go really nuts and have Unicode passwords and we'll have umpteen jillion combinations.  Mine will be the following, made from Greek, Gaelic, Russian, French, Roman Numeral, and Latin Script, Dotless and Cedilla. And an easy phrase for me to remember.
ΒÍТÊⅯℰıţ
