Cracked Passwords

More and more, lately, websites (or other entities; where I work, for example) have been dictating to me how they want my password to be formatted. Namely, I am being forced to be sure that I include at least one number. I’m really getting annoyed with this.

First off, it doesn’t actually make your account, information, etc. (hereafter referred to as account) that much more secure. Let’s take a look at the math: assuming a six character minimum password, using only letters, and ignoring case, that gives us 308,915,776 possible passwords. If you add in numbers, that gives you 2,176,782,336. Granted, that is seven times the number of possible passwords, but if someone is willing to take the time to brute force their way through an alphabetical password, they are going to be willing to spend seven times that amount of time. Actually, they can rule out 308,915,776 of those possibilities (the all-letter ones), thanks to the very policy being set in place, since it guarantees the password contains a digit.

Secondly, it is forcing me to create a password that is harder to remember than ones that I come up with. Sure, you can make initialisms, and be kind of creative. For instance, I could remember “4tggog” by the Iron Maiden song “For the Greater Good of God”, but I don’t want to have to think about my password. I want to be able to type my password as if I were typing my name. What if someone is watching me? I’m poking at each letter individually instead of just typing it out.

Also, I believe that this is meant to keep people from using a password that other people know, so that it is more secure. How many passwords are just a familiar password with the number ‘1’ at the end? If your password is “bridge”, and it doesn’t work, then I’m just going to try “bridge1”. It is upsetting how often this is the case.

Let’s take a look at ING. Their passwords are actually PIN numbers. They don’t have any ridiculous password rules. Just four digits. Just 10,000 possible passwords. That falls extremely short of the 2,176,782,336 passwords I would use at another website. They get around it by asking you two security questions that you are supposed to be the only one who knows the answer to. I get around answering the questions by telling ING to remember me at that computer. So, all I have to remember is 4 digits, and I can get into the one website I really just don’t want anyone to have access to.

Instead of any of that, though, I would prefer to be forced to use something more like a passphrase. How about, instead of forcing particular characters on me, forcing a required length on me? Even at ten characters, and assuming just letters, that increases my possible passwords to 1.41 x 10^14 (looks like I don’t feel like taking the time to figure out superscripts yet). The longer you make that passphrase, the more secure it will be. In fact, adding one to the minimum password length would make passwords more secure than requiring at least one number.

The benefit to the passphrase is that you can make it extremely memorable to you, but extremely difficult to crack. “rememberthealamo”, for instance, will be more secure than “rmbralm0”. Even if someone really loved the Alamo, I doubt “rememberthealamo” would be on the top of my list of passwords to guess.
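To make the arithmetic from the earlier paragraphs and the passphrase comparison above reproducible, here is a small script (an added example, not part of the original post) that counts the candidates a brute-force attacker must try under each policy: letters only, letters plus a required digit, and letters only but one character longer. It assumes the same 26-letter, case-insensitive alphabet the post uses and counts exhaustive guessing only; it says nothing about dictionary or pattern attacks, which is where “bridge1”-style passwords actually fall.

```python
"""Search-space arithmetic for the password policies discussed in the post.

Assumption: an attacker who tries every candidate the policy allows.
Counts are for exhaustive brute force only; a dictionary attack on a
passphrase built from common words is a separate concern.
"""
import math

LETTERS = 26          # a-z, case-insensitive, as in the post
DIGITS = 10           # 0-9
ALNUM = LETTERS + DIGITS


def any_chars(alphabet_size: int, length: int) -> int:
    """All strings of exactly `length` over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def must_contain_digit(length: int) -> int:
    """Alphanumeric strings of exactly `length` containing at least one digit.

    Inclusion-exclusion: every alphanumeric string minus the all-letter ones.
    The all-letter strings are exactly what the post says an attacker can
    rule out once the 'at least one number' policy is known.
    """
    return any_chars(ALNUM, length) - any_chars(LETTERS, length)


def bits(count: int) -> float:
    """Entropy in bits of a uniform choice among `count` candidates."""
    return math.log2(count)


def compare_policies(length: int) -> dict:
    """The three policies the post weighs against each other, at `length`."""
    return {
        "letters_only": any_chars(LETTERS, length),
        "digit_required": must_contain_digit(length),
        "letters_one_longer": any_chars(LETTERS, length + 1),
    }


if __name__ == "__main__":
    for name, n in compare_policies(6).items():
        print(f"{name:>20}: {n:>15,}  ({bits(n):.1f} bits)")
    # The post's closing comparison: 16 letters vs. 8 alphanumerics with a digit.
    print(f"rememberthealamo: {bits(any_chars(LETTERS, 16)):.1f} bits")
    print(f"rmbralm0        : {bits(must_contain_digit(8)):.1f} bits")
    print(f"4-digit PIN     : {bits(any_chars(DIGITS, 4)):.1f} bits")
```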

I can’t wait until I don’t have to care about any of this, and we just use biometrics!
