New Mexico Daily Lobo
URL: http://www.dailylobo.com/index.php/article/2010/02/complex_passwords_a_necessary_annoyance
Current Date: Thu, 09 Feb 2012 20:00:36 -0700
Complex passwords a necessary annoyance
“I hate passwords!”
“I hate changing my passwords!”
“Yahoo doesn’t make me change my passwords! Why do I have to change my UNM password?”
I despise having to use and change passwords, too. Unfortunately, not all computer systems are equipped with retinal scanners, voice recognition and fingerprint readers, nor can everyone afford these identity authentication gadgets. So, like you, I have several different user IDs (aka login IDs) and passwords. Some passwords I change periodically; others I do not.
It’d be nice if computer systems could sense who you are and be able to tell if “you” are really “you,” but unfortunately most systems aren’t that sophisticated, yet. Alas, we may be stuck with passwords for a while.
“My bank doesn’t make me change my password.” While financial institutions like Wells Fargo and Bank of America may not make you change your online banking password, in the past year or so, many large banks have actually toughened up their online authentication processes. For example, Bank of America now requires customers to answer a security question in addition to supplying a password and confirming a picture.
“But my UNM online stuff isn’t as important as my money. I’m an adult. Let me decide when to change my password.”
For most students, that’s probably what UNM IT is going to recommend. However, some students do have access to more than just their own UNM accounts and courseware.
These students may very well have to change their UNM password more frequently. Such an approach is referred to as “risk-based” and “role-based” security. It’s an environment in which password complexity and password-change requirements are determined by who you are, what you have access to and what the impact and risk is to getting your NetID and password hacked.
“In the meantime, why do I have to pick different passwords than ones I’ve used before, and why do the passwords themselves have to be all gobbledy-gook with pounds signs and stuff like that?”
Studies have shown that more than 40 percent of all individually chosen passwords are readily guessed by someone who knows the account’s owner. When left to their own devices, most people will use the same password for many different applications. This is very risky: A hacker or “friend” may be able to get into many of your accounts after only figuring out your password once.
Believe it or not, the most popular passwords used on Web sites like Facebook, Hotmail and Yahoo include “123456,” “iloveyou,” “password” and “qwerty” (which are the first 6 letters on the top left row of many keyboards). And, while no password is un-crackable, the general rule of thumb is “the longer, the better.”
There are several other cute phrases that are often used to help remind us of how to treat passwords: “Passwords are like toothbrushes: Don’t share yours with others.”
“Passwords are like socks: you should change them often.” But nothing beats a very long and very complex password. Unfortunately, many computer systems (including some at UNM) do not permit very long and very complex passwords. In those cases, make your password as long and as complex as you can. To see how strong your passwords are, test their strength on a Microsoft Web site, such as www.microsoft.com/protect/fraud/passwords/checker.aspx.
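The two rules the column gives, reject the popular passwords and prefer length over cleverness, can be turned into a simple strength check. This is an added example, not the column's or UNM's code, and not the Microsoft checker: the blocklist holds only the four passwords named above, the eight-character minimum and the bit thresholds are assumed policy values, and the guess rate is an assumption.

```python
import math

# Constructed blocklist: the popular passwords the column names. A real
# deployment would check against a large breached-password list instead.
COMMON_PASSWORDS = {"123456", "iloveyou", "password", "qwerty"}

# Character classes with the alphabet size each contributes to a brute-force search.
CLASSES = (
    ("abcdefghijklmnopqrstuvwxyz", 26),
    ("ABCDEFGHIJKLMNOPQRSTUVWXYZ", 26),
    ("0123456789", 10),
    ("!@#$%^&*()-_=+[]{};:'\",.<>/?`~\\| ", 33),
)
MIN_LENGTH = 8  # assumed policy minimum, not a UNM figure


def guess_bits(password: str) -> float:
    """Upper bound on brute-force work as log2(alphabet ** length); the alphabet
    is the union of classes present, so a long lowercase phrase can beat a short mix."""
    alphabet = sum(size for chars, size in CLASSES
                   if any(c in chars for c in password))
    if any(all(c not in chars for chars, _ in CLASSES) for c in password):
        alphabet += 100  # assumption: other/non-ASCII characters as one extra class
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the search space at an assumed guess rate."""
    return 2 ** bits / guesses_per_second


def assess(password: str) -> dict:
    """Apply the column's rules: no popular passwords, and longer is better."""
    if password.lower() in COMMON_PASSWORDS:
        return {"verdict": "reject", "reason": "on the common-password list", "bits": 0.0}
    if len(password) < MIN_LENGTH:
        return {"verdict": "reject", "reason": f"shorter than {MIN_LENGTH}", "bits": 0.0}
    bits = guess_bits(password)
    verdict = "strong" if bits >= 64 else "ok" if bits >= 40 else "weak"
    return {"verdict": verdict, "reason": f"{bits:.1f} bits of search space", "bits": bits}


if __name__ == "__main__":
    for pw in ("Password", "P@ssw0rd", "thequickbrownfoxjumps"):
        r = assess(pw)
        print(f"{pw!r}: {r['verdict']} ({r['reason']}), "
              f"~{crack_seconds(r['bits']) / 86400:.1f} days at 1e10 guesses/s")
```

Running it shows the point of "the longer, the better": the 21-letter lowercase phrase scores far higher than the 8-character mixed-class password, and "Password" is rejected outright because the check is case-folded.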
Things could be worse. Some security experts recommend that passwords should be randomly generated and then given to people to use. But don’t worry. UNM won’t be moving to randomly-generated passwords, and things really will get better here at UNM.
As everyone becomes more aware of the risks of using the same, simple passwords and decides to create and use longer and more complex pass-phrases or one-time passwords, stringent password requirements may no longer be needed.
P.S. It’s probably not good for you to use your NetID or UNM e-mail address for Yahoo, MySpace or Facebook. More on that in a later column. If you have questions about computer security or have ideas for future topics, feel free to contact me at mcarr@unm.edu.
Mike Carr is the UNM Director of IT Security & Quality Assurance.
6 comments
Frank Bradshaw
Mike, thank you for this column. I am a UNM alum from the early 90’s and have been an Info. Sec. consultant and expert for the last 15 years.
I’m currently working on a product that will virtually make passwords a thing of the past. Until this launches, people aren’t aware of the damage that disclosure of even their UNM password can bring. What if your PayPal account is tied to your unm.edu email? If someone gains access to that email, they can see you use PayPal, go to PayPal and say you’ve lost your password, they will reset it and bingo, the “intruder” now has access to your bank account indirectly.
So I am in the camp of ‘there is no such thing as an insignificant account/password’. Keep up the good fight and like you, feel free to reach out to me. The product I am creating will have significant impact on the high secure systems (banking, insurance, government and university systems) and the low systems (FaceBook, MySpace, yahoo, google, etc).
Thanks, Good Luck and GO LOBOS!!!
Everyone’s a Lobo, Woof Woof Woof!!!
BC
Having a secure password is an important part of guarding your identity and should be taken seriously. However, changing passwords frequently is a questionable practice, since this leads to poor security practices like writing your password down and leaving it where others can find it (like under the keyboard, or posted to the monitor). In today’s electronic world most of us have a dozen or more accounts between banking, social networking, email accounts and business accounts, and juggling an array of passwords is daunting; start changing those passwords too often and the result is poor password protection strategies. Having a very secure password that you can remember and do not ever share with anyone is essential, but changing it often can lead to insecure practices.
David Wilson
Having a strong password makes it harder to crack. What does frequently changing a strong password do in improving security? Nothing. It actually weakens security, because users will write down their password, or use the weakest possible option.
If someone with a lot of computer power were to start trying to crack my password, it would take a lot longer than six months for them to work through the possibilities using a brute force attack; and if the password contains a mixture of character sets, disallows dictionary words, and is of a reasonable length, then you should not need to force users to change their passwords unless they have reason to believe another person has access to them. I would hope IT is using software to monitor and disrupt prolonged brute force hack attempts long before that six month period expires.
What you DO need to do is enforce standards across all departments in the University; and you need to lock accounts for a period (say 15 minutes) after several failed authentication attempts. This makes brute force attacks useless against a strong password. (Locking accounts permanently is not a solution – that just invites a DOS attack).
Given that most of us only have our UNM account for a few years, appropriate design of authentication, password format and other policies should make it unnecessary for us to have to change our passwords at all. Forcing frequent password changes is more a quick and dirty fix for poor systems design than it is a benefit to students.
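The temporary lockout the comment above proposes (lock for a period after several failures, never permanently) looks like this in practice. This is an added example, not UNM's or the commenter's code: the threshold of five failures and the fifteen-minute lock and window are assumed values, and the credential check and clock are constructed stand-ins.

```python
import time
from collections import defaultdict
MAX_FAILURES = 5            # assumed threshold for "several failed attempts"
LOCKOUT_SECONDS = 15 * 60   # the 15-minute lock the comment suggests
WINDOW_SECONDS = 15 * 60    # failures older than this no longer count

class LoginThrottle:
    """Per-account lockout that expires by itself, so bad guesses can delay
    an account for 15 minutes but never lock it out for good."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock                 # injectable so tests need not wait
        self._failures = defaultdict(list)  # user -> timestamps of recent failures
        self._locked_until = {}

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:          # lock expired: clear state and allow
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password: str, verify) -> str:
        """Return 'locked', 'ok' or 'fail'; verify(user, pw) is the real check."""
        if self.is_locked(user):
            return "locked"                 # refused even with the right password
        if verify(user, password):
            self._failures.pop(user, None)  # success resets the counter
            return "ok"
        now = self._clock()
        recent = [t for t in self._failures[user] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
        return "fail"

class FakeClock:
    """Constructed clock so the lockout can be exercised without waiting."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

def demo_verify(user, password):
    """Constructed credential check; a real one compares salted hashes."""
    return (user, password) == ("lobo", "correct-password-here")
```

The lock is per account, so a stream of bad guesses can still deny one user for fifteen minutes at a time; in a deployment this is paired with per-source rate limiting and alerting on the failure bursts the comment hopes IT already monitors.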
Alexandre R.
It is really annoying to have to change a password. By default UNM requires a good password, with characters and numbers mixed in.
The problem with changing the password is simple:
1. One needs to come up with a new password.
2. One needs to remember the new password (Fact: those with bad memory will have to write it down).
3. One will have trouble logging in (by typing the old pass instead of the new one) for some time.
This also disallows a person to have one master password for everything. Surely, a master password is risky – if it is not kept private, kept complex, and ‘respected’ by the user.
regina
David has it right. There’s NO evidence that frequently changing a GOOD password enhances security. And, as was pointed out, it simply increases the likelihood that folks will write it down. Or make it LESS secure but more memorable…or a pattern of the same password with an alternating number. How is this more safe? It’s not.
Ed Carter
Whilst I completely agree that remembering complex passwords is a challenge, there are a number of tools out there that can help. I don’t advocate the use of password vaults that have a ‘master’ password (i.e. one password for ALL your passwords – sounds risky), but there are alternatives.
I personally use Deadbolt Password Generator for my passwords. It gives me a secure password based on a passphrase and PIN that I can remember easily. It is an extra hassle, but not nearly as annoying as having to remember passwords directly.
http://www.deadboltpasswordgenerator.com/