Everyone knows that security is important. I’ve talked before about DenyHosts, which watches for attempts to brute-force your SSH passwords and blocks them.
I could probably live fairly happily without DenyHosts, since my passwords aren’t going to be caught by a brute-force attack based on dictionary words. While every password is vulnerable to a brute-force attack across the total possible search space, most of the time the bad guys won’t dedicate that much time: they’ll try a dictionary-based attack, then go and find someone more vulnerable.
So life is great, and we all use passwords like ‘;D}A(RpLk#~4‘, right?
Even if I could remember that, which I couldn’t, I’d be mad to expect my users to be happy with that kind of password policy. If my users were my employees, then I might not care about their happiness – but they’re my customers, and if they get unhappy they might leave and then I’ll have really secure passwords protecting an empty server.
In my day job, where the users are also customers, I’ve come across some of the worst passwords imaginable, including ‘password’. Mostly, these passwords are useless unless you’re already inside someone’s local network, and most people take better care with their remote-access passwords, but slips can happen, and a poorly chosen password can be the weak spot that lets an attacker onto a trusted machine, and from there you can lose your entire network.
Finding a method of producing secure passwords which users can remember is absolutely vital. In order for the passwords to remain secure, it’s best to avoid obviously ‘memorable’ password techniques, such as pronounceable strings. While that’s a much bigger search space than dictionary words, it’s harder to include punctuation – or even some numbers – in those passwords and it’s still a much smaller space than ‘eight random characters’.
For my own passwords, I use the following technique. It’s not something you can strictly enforce on users, but it is something you can include when training them on security policies.
I start with a phrase. For this example, I’m going to use ‘Stop Me If You Think You’ve Heard This One Before’, solely because the Smiths song is in my ‘Party Shuffle’ list in iTunes.
This is a nine-word phrase, which will give us a nine-character password. This is a good length, and at the upper bound of what you’d expect someone to be able to memorise using traditional techniques. The technique is simple to apply: for each word in the phrase, you substitute a single character.
One possible password generated from our sample phrase could be ‘$m!y7Yht1b’. I’ve used number and symbol replacements for the initial letters of each word where possible, but not every time, so as to keep a range of character classes in use. With this particular example, you could push it to 10 characters by using ‘b4’, which is one of the benefits of this technique: you have the flexibility of the whole English language to help generate the password. You can make full use of text- and leet-speak, where appropriate, to produce a password that both looks random and is easy to remember.
But that’s not all you can do with this technique. It happens to be an excellent example of Technopagan practice.
Before I explain why, I’m going to digress a bit about what ‘magic’ means to me.
I am what you might call a pragmatic Pagan. I’m not really concerned if ‘magic’ is ‘real’ or not; I’m concerned about the end result. It doesn’t matter if it’s spiritual forces or psychological forces. It doesn’t matter if I get a job because supernatural forces intervene on my behalf or if it’s because my believing in the possibility of supernatural forces simply makes me more confident and that confidence gets me the job.
This technique is a good example of pragmatic Paganism. By picking a suitable phrase you can reinforce a particular thought, or desire, every time you type your password. This is effectively the same as a daily affirmation, reinforcing a particular idea. Does it matter if you’re invoking a spirit or simply creating a positive mental attitude?
In my personal experience, I’ve found that using the same phrase for too long causes it to lose its effectiveness. Ideally you should change it every few months or so – and conveniently this coincides with good security practices too.
The only down-side to this technique that I’ve found is that it’s extremely difficult to discuss what you’re doing, as telling anyone the key phrase you’re using would compromise your password!