GDT::Speaks::About Passwords

[Update::02 February 2013] "This document is getting old..." is something I wrote on 09 August 2003. It's almost a decade later and this document is still getting old.

[Update::15 August 2007] This document was updated for the Fall 2007 semester. Although two years have passed since its last update, the only changes required were the deletion of a couple of rotted hyperlinks.

[Update::18 September 2005] This document was updated for the Fall 2005 semester. Although biometric usage is on the increase, passwords are still the primary means by which computer users access their accounts.

[Update::09 August 2003] This document is getting old, but websites and most Unix systems still use passwords to secure user accounts.

Good passwords are difficult to guess (crack).

Good passwords conform to the following guidelines.

Avoid the following when choosing a password.

About Biometrics

Biometrics is the use of physical or behavioural characteristics of the human body to authenticate people. Biometrics take many forms: fingerprints, retina and iris patterns, voice patterns, facial features, hand geometry, walking gait and so on. One of the oldest biometrics is the fingerprint. A fingerprint cannot be forgotten the way a password can, but it can be copied (people leave prints on everything they touch), and unlike a password it cannot be changed once it has been compromised.

Cracking Passwords

The following was obtained from Bruce Schneier's book Secrets and Lies: Digital Security in a Networked World.

L0phtcrack is a password cracker that is optimized for Windows NT passwords. On a 450-MHz Quad Pentium II, L0phtcrack can try every alphanumeric password in 5.5 hours, every alphanumeric password with some common symbols in 45 hours, and every possible keyboard password in 480 hours.
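The arithmetic behind those figures is worth seeing once, because it explains why the three numbers are so close together. The example below is added here and is not from the book or from L0phtcrack. It assumes what the page does not state: that the cracker works on LM hashes, which uppercase the password and hash two 7-byte halves independently (so the attacker only ever searches 7-character strings); a 36-symbol case-folded alphanumeric alphabet; a 69-symbol "every keyboard character" alphabet; and a constant guess rate. From the 5.5-hour alphanumeric figure it derives the implied guess rate, then projects the other two timings and, for contrast, what a true 14-character search would cost at the same rate.

```python
"""Brute-force keyspace arithmetic behind the L0phtcrack timings quoted above.

Assumptions (not from the page): LM-style case-insensitive 7-character halves,
36 alphanumerics, 69 printable keyboard characters, and a constant guess rate.
"""
import string

LM_HALF_LEN = 7                                     # LM hashes two 7-byte halves
ALNUM = len(string.ascii_lowercase + string.digits)  # 36, case-folded
KEYBOARD = len(string.ascii_lowercase + string.digits
               + string.punctuation + " ")           # 69, an assumption


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Count all strings of length 1..max_len over an alphabet of the given size."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def guesses_per_second(alphabet_size: int, max_len: int, hours: float) -> float:
    """Guess rate implied by exhausting a keyspace in the given number of hours."""
    return keyspace(alphabet_size, max_len) / (hours * 3600)


def hours_to_exhaust(alphabet_size: int, max_len: int, rate: float) -> float:
    """Hours needed to try every candidate at a given guess rate."""
    return keyspace(alphabet_size, max_len) / rate / 3600


def implied_alphabet_size(hours: float, rate: float, max_len: int) -> int:
    """Largest alphabet whose max_len keyspace can be exhausted in `hours` at `rate`."""
    budget = hours * 3600 * rate
    n = 1
    while keyspace(n + 1, max_len) <= budget:
        n += 1
    return n


if __name__ == "__main__":
    rate = guesses_per_second(ALNUM, LM_HALF_LEN, 5.5)
    print(f"implied guess rate: {rate / 1e6:.2f} million/s")
    print(f"alphanumeric + symbols in 45 h implies an alphabet of "
          f"~{implied_alphabet_size(45, rate, LM_HALF_LEN)} symbols")
    print(f"full keyboard, 7-char half: "
          f"{hours_to_exhaust(KEYBOARD, LM_HALF_LEN, rate):.0f} h")
    print(f"same 36-symbol alphabet, true 14-char search: "
          f"{hours_to_exhaust(ALNUM, 14, rate):.3g} h")
```

Under these assumptions the 5.5-hour figure works out to roughly four million guesses per second on that machine, the 45-hour figure corresponds to an alphabet of about 48 symbols (36 alphanumerics plus a dozen common symbols), and the 69-symbol keyboard set lands near the quoted 480 hours. The last line is the point: a 14-character search over the same 36 symbols would take hundreds of billions of hours at that rate, and LM's habit of splitting the password into two 7-byte halves is what collapses that to days.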

Update: 30 December 2001

The following was obtained from EDUCAUSE, which in turn got it from the New York Times.

Users often attach a personal or sentimental context to their passwords that can be uncovered by sophisticated password-cracking dictionary programs. A survey of 1,200 CentralNic employees showed that 50 percent used passwords with a family connection, while one-third used passwords based on celebrities, fictional characters, or sports teams. About 10 percent of respondents used self-laudatory, "fantasist" passwords. Chris Wysopal, director of research and development for @stake, commented that password attacks are the most common form of assault by inside hackers. The most secure kinds of passwords include random or partly random series of numbers, symbols, and letters, but fewer than one-tenth of all users choose such sequences. Users may also be bewildered by numerous regulations, such as frequent password changes, so they use passwords that are easy to remember and often write them down for quick reference. Most people use the same passwords for multiple functions.
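What "sophisticated password-cracking dictionary programs" do with that personal context is mechanical: take a short list of words tied to the target (a child's name, a team, a pet) and run each through mangling rules (case changes, leet substitutions, appended digits and years, reversal) until a hash matches. The example below is added here and is not from the survey, the Times article, or any particular cracking tool. The user names, seed words, passwords and "leaked" hashes are all constructed, and unsalted SHA-256 stands in for whatever hash a real system would use; a salted, slow hash such as bcrypt, scrypt or Argon2 raises the cost of each guess but does not save a password that sits a few thousand guesses from a seed word.

```python
"""Dictionary attack with mangling rules: a password with a personal context
falls in a few hundred guesses, a random one does not.

Constructed example: the seed words, target hashes and the use of plain
SHA-256 are stand-ins for demonstration, not data from the page.
"""
import hashlib
from typing import Dict, Iterator, List, Tuple

LEET = str.maketrans("aeio", "4310")            # tigers -> t1g3rs
SUFFIXES = ["1", "123", "!", "!1", "#"] + [str(y) for y in range(1950, 2011)]


def mangle(word: str) -> Iterator[str]:
    """Yield candidates derived from one seed word with common cracker rules:
    case variants, leet substitution, reversal, and appended digits or years."""
    bases = [word, word.capitalize(), word.upper(), word.translate(LEET)]
    for base in dict.fromkeys(bases):           # dedupe while keeping order
        yield base
        yield base[::-1]
        for suffix in SUFFIXES:
            yield base + suffix


def candidates(seeds: List[str]) -> Iterator[str]:
    """Stream unique candidates across all seed words."""
    seen = set()
    for word in seeds:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 hex digest, used here only as a stand-in hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(targets: Dict[str, str], seeds: List[str]) -> Tuple[Dict[str, str], int]:
    """Try every mangled candidate against a user -> digest map.
    Returns (recovered passwords by user, number of guesses made).
    Assumes one user per digest, which holds for the sample below."""
    pending = {digest: user for user, digest in targets.items()}
    recovered: Dict[str, str] = {}
    guesses = 0
    for cand in candidates(seeds):
        guesses += 1
        digest = sha256_hex(cand)
        if digest in pending:
            recovered[pending.pop(digest)] = cand
            if not pending:
                break
    return recovered, guesses


# Constructed "leaked" hash set: a daughter's name plus her birth year, a
# leeted sports team with a symbol, and a randomly generated 12-character
# password chosen without any personal connection.
SAMPLE_TARGETS = {
    "alice": sha256_hex("Jessica2001"),
    "bob":   sha256_hex("t1g3rs!"),
    "carol": sha256_hex("qX7#vLp2$mWz"),
}
# Constructed context a cracker might gather about these users.
SAMPLE_SEEDS = ["jessica", "tigers", "gandalf", "fluffy"]

if __name__ == "__main__":
    found, n = crack(SAMPLE_TARGETS, SAMPLE_SEEDS)
    for user in SAMPLE_TARGETS:
        print(f"{user}: {found.get(user, '<not recovered>')}")
    print(f"{n} guesses in total")
```

Run as a script, it recovers alice's and bob's passwords from four seed words and roughly a thousand candidates, while carol's random password survives the entire list. Real crackers use far larger seed lists and rule sets, but the shape of the attack is exactly this; the only defence on the user's side is a password that no rule applied to any word about you will ever produce.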