• I'm pretty sure we've talked about this before on this site. Maybe not in the exact context of whether or not to write down a password, but password policies in general. Here is my standard response on all password policies:

    I find the 90 day password expiration policy to be a nuisance as well as a completely worthless and unproven "security measure". Instead you should be educating people to use more friendly, easier to type, but at the same time more mathematically secure, "password phrases". For example, I don't know what the exact password policy is here in terms of length and character usage, but let's say you enforce that a password must have at least one lower case letter, upper case letter, number, special character, and be at least seven characters long. To keep things basic, let's say that character set size comes to a total of 72 possible characters (26 + 26 + 10 + 10) (we just use the special characters above the numbers). Now for a seven character password, the total number of password permutations is only:

    72^7 = 10030613004288

    Now let's say instead you focus your efforts on educating people to use a "password phrase" instead. Naturally these are going to be longer in length, come from a smaller character set size, but be faster and easier to type as well as easier to remember. As another example, let's say a "password phrase" comes from the character set made up of simply lower case letters and a space, for a whopping 27 possible characters. As I said, due to their nature, a "password phrase" will almost always be longer than a regular password. In this example, all it takes is a mere 10 characters and the "password phrase", even with its significantly reduced character set, becomes 20 times harder to hack than the seven character password.

    27^10 = 205891132094649

    I believe that if corporations got rid of their lame password restriction policies and instead focused their efforts on educating people to use "password phrases", it would reduce the tech support time that is spent on people not being able to log in or do other things simply because they forgot their password. Remember, using something like "password policy sucks" is actually faster to type for most people, easier to remember, and more mathematically secure than something like "vj74%kduj".

    SQL Server and all other applications should do what Windows does and that is delay multiple login attempts if the first three fail. That makes brute force hacking of passwords very inefficient. If the system will only let you attempt to log in once every three seconds, nobody is going to waste their time with a brute force attempt.

    Finally, when it comes to having multiple passwords for multiple systems (or websites for normal people), I think that's ridiculous too. I think people should have two passwords. One for their email system and one for everything else. This is all that is necessary in most cases because if your password is compromised on one site or for whatever reason you forget it (which you shouldn't because you only have two), the typical "Reset My Password" mechanism will send an email to your email account with the changed password for that site. So a hacker could have your second password and email address, but they will not be able to get into your email account to intercept these.
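The keyspace arithmetic from the post above (72^7 versus 27^10), carried through as an added example that is not part of the original post: it infers the character set a string draws from, converts the keyspace to bits of entropy, and estimates worst-case exhaustive-search time under the one-attempt-per-three-seconds throttling the post proposes. The character classes and the throttling rate are assumptions taken from the post's own numbers.

```python
import math
import string

# Character classes as the post counts them (assumed): 26 + 26 + 10 + 10,
# where the "special characters" are the ten symbols above the digits, plus
# the space used by pass phrases.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "shifted_digit": set("!@#$%^&*()"),
    "space": {" "},
}


def charset_size(secret: str) -> int:
    """Size of the union of known classes that the secret actually uses."""
    size = 0
    for name, members in CLASSES.items():
        if any(ch in members for ch in secret):
            size += len(members)
    unknown = [ch for ch in secret if not any(ch in m for m in CLASSES.values())]
    if unknown:
        raise ValueError(f"characters outside the modelled classes: {unknown!r}")
    return size


def keyspace(charset: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover: charset ** length."""
    return charset ** length


def entropy_bits(charset: int, length: int) -> float:
    """Same keyspace expressed in bits, which is easier to compare across policies."""
    return length * math.log2(charset)


def worst_case_years(space: int, seconds_per_attempt: float = 3.0) -> float:
    """Time to try every candidate when the server throttles attempts (assumed rate)."""
    return space * seconds_per_attempt / (365.25 * 24 * 3600)


def compare(secret: str, phrase: str) -> dict:
    """Keyspace and bits for a policy-style password versus a pass phrase."""
    a, b = keyspace(charset_size(secret), len(secret)), keyspace(charset_size(phrase), len(phrase))
    return {"password": a, "phrase": b, "ratio": b / a,
            "password_bits": entropy_bits(charset_size(secret), len(secret)),
            "phrase_bits": entropy_bits(charset_size(phrase), len(phrase))}
```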