Creating chaos from order
People are lazy, intellectually as well as physically; they just aren't looking to make more work for themselves. If you let them pick passwords, they will pick sloppy and easy to guess ones; their phone number, wife or spouse or pets names, birthdays or something easy that they won't forget. The problem is with about 5 minutes of research a hacker, or someone pretending to be one, can usually get in; at that point there might as well not be a password at all. Then because people are lazy, they use the same password many places so if someone gets their password, they can follow them around the Internet and get into many things as them. Not good.
People can be taught, even when sometimes they don't want to learn; they aren't stupid, just ignorant (on these issues). It takes more time to teach them and educate them than to just force them. Rather than do the hard or correct thing of educating people on proper passwording, some IT geniuses (note: extreme sarcasm), decided that they would just make dictatorial mandates to force them and improve security, or so they think; the problem is that if you don't pay attention to human nature, and how people will react, it just makes things worse.
The most common solution is of IT to create their own passwords that are harder or impossible to guess (or to remember), or to make rules about passwords like requiring mixed numbers and letters of 8 characters, and often they rotate or expire passwords regularly and require users not to use the same passwords in a row. While these sound like a good fixes to the problem, they actually create as many new problems as they fix.
When you rotate passwords, you make people remember and relearn passwords. You not only waste their time on that, but the added support costs when they forget, and they will forget, creates costs that often outweigh the security risks. Rules about password formats often limit the variety of passwords and make them easier to get. Length isn't as important in passwords as how a password is picked; a 4 character password can be far harder to get into than an 8 or 10 character one, depending on how the password is generated, so making it longer doesn't help much by itself; making it better is what counts. And forcing a number in a password usually means that instead of someone having to guess a password like "wifesname" it is now the almost as easy to guess "wifesname1" or "1wifesname"; again people are lazy, and requiring them to mix in a number just means they'll stuff one or two at the start or end.
So none of these solutions has really helped security much. Most hacks aren't brute-forcing passwords; trying every possibility until they get in. That is easy to protect against without changing password formats; the solution is after every failed attempts in a row just wait 1 second x the number of failures. Even trying all two digit passwords would take an impossibly long time. What they've done is make it a little harder to brute force (added possibilities), when most hacks aren't doing that, there are easier and better protections for that, and the real problems lie elsewhere.
Any system that makes passwords too complex, as in any of the above, means that users now need to write down their passwords, and keep that list handy, so that they can get to them when they forget; which will be fairly regularly. So what the security people have done is made it a little harder for the clueless hackers to just randomly guess or brute force try all the passwords; but not much harder. And the cost is that you've made it much easier for anyone with a clue to find the passwords on or in that persons desk or notebook, in a file on their computer or PDA, or the ever popular post-it note next to or on their computers monitor. And remember, that most break-ins and electronic vandalism or espionage (like to the order of 90%+) are inside jobs, and done by people inside a company, or that at least know the victim. So at best you've made it a little harder for 10%, in order to make it much easier for the 90%; the result is a loss of security.
Again, the real solution is education and training.
How not to...
How to pick your passwords? Here are some things not to do:
- Do not use an English (or other) language word as your password. If someone is watching and can see you type a few letters, they can often guess the password if it is a word. If hackers do brute force attack (try all passwords), they are usually going to do it with a dictionary attack: that means trying every word in a dictionary first; since most passwords are an English word or name, and that reduces the possibilities by an order of magnitude or more. So a couple small words are better than one large one, and misspelled words or mixed letters are better than real words.
- Do not use names, or numbers of things that people can guess. This should be a no-brainer. The first thing people are going to try is your family members or your favorite hobby/sport/activity or terms or people related to them. Next will be your phone number, social security number, and so on. And even mother's maiden name is pretty easy to guess or figure out.
- Do not pick your password because it is easy to type: a common ones are the same letter like "zzzz", or a few keys in a row like "1234", "qwer", "adsf" or "zxcv". While quick to type, any nimrod within eyeshot or even earshot can figure out what your password is.
- Do not use the same password everywhere! Different places you go have different levels of security. So I want a different password to get into my bank accounts and on-line trading sites than I use for work or the local website/chat-forum that could be run by exactly the kind of person you do NOT want to have your password. You don't want it so that if they compromise you one place, they have you everywhere!
Now there are many others that people sometimes tell you. Mix the case so it is UpPpEr and LoWeR case. While that's a little harder to guess/get, it is also annoying to type, and you're going to make more mistakes; and some places support it and some don't, so it generally isn't worth it. And some say mix numbers in or not, and that helps a little, but it doesn't matter as much as just picking a good password; so let's just focus on the real problem and pick better passwords.
So what are the clues to picking a good password?
Create a solution for your passwords that you will remember, but that others can't get even if they see you type the password, and if they get one, that they'll never guess all your other passwords with. An example: the first letter of each word of a song, nursery rhyme or poem that is related to the site/subject at hand.
For a government or political site you might use "Now is the time for all good men to come to the aid of their country". Now that's a little long to type, but steal the first letter of each word for the first few words, and you get "nittfagm". You aren't likely to forget that, and your brain can recreate it and has something to associate it to. So it is both easier to remember, and much harder to guess. Even if someone knew one of your passwords, and somehow deduced the theme for it, they can't guess that your stock portfolio or banking password might be "iiwarm" from fiddler on the roofs, "If I were a rich man...", or "tmltmsll" for your personals website password from the Fleetwood Macs song, "tell me lies, tell me sweet little lies". Of course when typing the password, try not to type it in using the rhythm of the song; that's known as a "tell" by giving away what you're doing.
A friend (John Welch) was telling me about his system that he recommends, which is roughly the same concept of creating his own algorithm/system for passwords. He'll take a number that people wouldn't necessarily get easily; like a phone number he had a couple houses ago, a relatives birthday, license plate on a car that he's sold, or old visa/mastercard account (that he'll remember forever); which is pretty safe to begin with. Then he takes that a step further. Pick a pattern that you use from that, like every other number for some passwords, reverse order for others, or a 1-3-2-4 pattern, and so on. Instant security. If someone sees me typing 92653589 they aren't going to figure out that I was using the 6 - 13th digits of Pi; but since I remember that number to the 100th digit I'll never forget my password, and have quite a few possibilities for passwords to draw on. And if I were to scramble it, even as simple as 98535629 (backwards), or 03764690 (+1 to each digit), there is no way they're ever going to figure it out. Once I use it a few times, it'll be memorized and quick to type, but it is much easier to remember the system I'm using for my passwords than it is to remember most passwords themselves. And if I remember the system, I can always recreate it or remember from its parts.
As mentioned above, don't use the same password everywhere. And while it isn't a good idea, you're probably safe if you use the same password only on equally trusted sites; so my Bank, Visa Account, Stock information are all highly trusted sites, with similar information; so they fit a theme. I could use the same password, and probably be fine. Better still is if I stick with one song or poem or theme and just use different stanzas or patterns, I'll remember the loose idea of the password (theme), so I can always recreate it and figure it out. And even if I do use the same password, at least if I group them by risk, I'm sort of layering my security threats.
So if you don't keep separate passwords for everything at least group them and keep a few. And make sure that work and home passwords are separate. Different types of attacks come to both threats; and these two worlds should never collide. Never use that same password somewhere where others could get it and use it against you (cross boundaries); and too many people monitor work networks for them to be safe, and most home computers are insecure (without firewalls and the like) and so people that manage to get into your home computer shouldn't then have access to everything you have at work, or vise versa.
Hopefully, this gives you some ideas about how to be smarter with passwords and security. If you pick a passwording system that makes sense to you, and passwords that have some relevance to the subject; then you'll have an easier time remembering your passwords. And that means you won't have to write that down and compromise yourself (or others).
You don't want to write your passwords down these are the keys to your world and each time you write it down, you're making and handing out copies of those keys. If you do, then they have to be secure (physically) - you shouldn't leave your keys hanging out of your pocket when walking through seedy neighborhoods, so you should leave your digital keys in seedy e-neighborhoods or where others can get them. Encrypt your password files with software and one master password, and it is better to only write down hints or scramble/encode the passwords yourself, so that people that find the paper won't know what they mean, or what they go to and can't just try them to get them to work.
These systems can be quite simple and common sense to you; but since other don't think like you, and don't have a frame or reference to start guessing from, it is damn near impossible for them. So if you're going to be lazy, at least be smart about it. If you follow these suggestions you'll be behaving far safer and smarter than most.