[ news_security_news ]
Tough Passwords
A.P. Lawrence
Contributing Writer
2006-08-07
 Insider Reports RSS Feed
We've had this talk before. Unfortunately we are sure to have it again. And again.
The first email that greeted me this morning started out with "what the hell is that password?!?". The word in question was a remote access password that had recently been changed because of the unexpected departure of a high level employee. It wasn't that the person asking the question hadn't been told what the new password was; he had. I could be wrong, but I had the strong impression that he just didn't like the complexity of it.
It was their new IT person who had reset this, and he had done it right: 10 characters, mixed punctuation, numbers and upper and lower case letters. It was a great password.
Too bad it didn't work.
I figured out why pretty quickly: somehow the email that gave the new password had "P:" ahead of it. Let's pretend the password was 23$Ca%Pk98. The email said:
remote access P: 23$Ca%Pk98
Because of proportional fonts in html mail, that ended up looking like
remote access P:23$Ca%Pk98
Blame Microsoft for that: before they stuck their grubby fingers in email, that couldn't have happened. But I digress.
I can understand the frustration of the user. He also said "please write what the actual password is more clearly". That's something I almost always do. For example, I'd usually say:
remote access 23$Ca%Pk98
numeral-two numeral-three dollar-sign upper-see lower-ay percent-sign upper-pee lower-kay numeral-nine numeral-eight
But that's just me, and I'm more apt to do that when writing with a pencil than with a keyboard. It wouldn't have helped here, because I had the wrong password too.
Anyway: I'm not certain this guy was complaining about the password. As it didn't work (at least as presented), he may have just been frustrated by that. After all, you leave work Friday night knowing you have some important stuff to do over the weekend and then you can't get in. Frustrating. Maybe that's all it was.
But at other times, in other places. I've had non-techy types complain about "hard passwords". They don't like hard to remember passwords, especially dislike hard to type passwords, and they whine and complain, and all too often I eventually get a polite email from top management asking me to make it "easier".
Sure. At lots of places, "abc123" is a favorite. The word "password" doesn't lag far behind. Those are wonderful passwords, very suitable for protecting systems. Oh wait, here's another great idea: take the company name and make that the password! No one would ever think to try "AcmeBrake", right? Ri-i-i-ght.
With some customers, I can't win: AcmeBrake it is, and that's that. Others reluctantly accept what I suggest or at least do something part way: "Acme2006Brake". That's a little better, I guess.
A little better.
*Originally published at APLawrence.com
Add to  Del.icio.us |  Digg |  Yahoo! My Web |  Furl
Get all the updates in RSS: 
About the Author:
A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com
More news_security_news Articles
Insider Reports RSS Feed
|
|
iEntry 10th Anniversary
RSS
Archive
