tslogf74
27-07-2004, 16:23
What's with all the crazy rules that websites have when it comes to choosing a username/password?
I can understand security issues like it must contain at least one number, but why does it have to start and end in a letter and be all in lower case?
For me, this just makes it increasingly hard to remember my various passwords.
I suppose you could argue that it's more secure if I don't use the same password for everything... it just might be a little over the top if it means I have to get my password reset every time I want to log on.
Anyone work for, say, a bank's IT department who can shed light on the reasoning for some of these rules?
If you have a password that is a word that appears in a dictionary or a list of names, for example, then it can be compromised by what's called a 'dictionary attack'.
Basically, passwords typically go through a process called hashing that converts the password to a string of gobbledegook which is stored in the web site's database. If a hacker knows the program that's been used to generate the hash, they can take a list of words and hash each one in turn until it matches the hash code in the database. Because the hash process typically maps one password on to one hash, the word that generates the hash code is usually the password.
By adding numbers and mixed case letters you defeat this simple approach.
Starting and ending with a letter, and specifying a case, would actually REDUCE the safety of a password by reducing the size of the search space for a 'brute force' assault where you simply throw random collections of letters and digits at the database.
A long, non-repeating password made up of mixed letters, digits and cases can be quite secure. You do need to make sure that the password isn't in a dictionary or can't be guessed from available data about you.
So, if your user name is John Doe and your birthday is 1st January 1976, bad passwords would be:
JDoe0101197
JohnDOe
Sex
Girlfriends Name
Cats Name
Good passwords that would be memorable might be:
SParkle23Gnome
poodlescum23
bartle23
Those passwords would not appear in a dictionary search.
You shouldn't use the same password for all your accounts, because if one system is 'weak' and is compromised, people could try your user name / password on other systems.
This is another reason why on some systems you are encouraged to use different user names as well.
E.g. Banking systems will often generate you an arbitrary user name, then ask you for a key word, then a password.
Hope this helps
Joe
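Joe's two points above, that forced lowercase and letter-only first/last positions shrink the brute-force search space, and that a password drawn from a dictionary or from personal data is guessable, as an added Python example that is not part of the original thread. The word list, the user's name and birthday, and the 8-character minimum are constructed assumptions.

```python
import string

# Constructed toy word list standing in for a real dictionary / list of names.
DICTIONARY = {"sex", "password", "fluffy", "rover", "johndoe", "jane"}

LOWER = string.ascii_lowercase                      # 26 characters
DIGITS = string.digits                              # 10 characters
MIXED = LOWER + string.ascii_uppercase + DIGITS     # 62 characters


def search_space(length: int, restricted: bool) -> int:
    """Candidates a brute-force search must cover for a password of this length.
    Unrestricted: any of 62 characters in every position.
    Restricted (lowercase only, must start and end with a letter): 26 choices
    at each end, 36 (lowercase letters + digits) in every middle position."""
    if length < 2:
        raise ValueError("length must be at least 2")
    if not restricted:
        return len(MIXED) ** length
    return len(LOWER) ** 2 * (len(LOWER) + len(DIGITS)) ** (length - 2)


def personal_tokens(name: str, birthday_ddmmyyyy: str) -> set[str]:
    """Guessable fragments derived from data an attacker may know about the user.
    Fragments shorter than 4 characters (e.g. 'doe') are dropped to limit noise."""
    parts = name.lower().split()
    tokens = set(parts)
    if len(parts) >= 2:
        tokens.add(parts[0][0] + parts[-1])   # initial + surname, e.g. jdoe
        tokens.add("".join(parts))            # johndoe
    d = birthday_ddmmyyyy
    tokens.update({d, d[:4], d[4:]})          # 01011976, 0101, 1976
    return {t for t in tokens if len(t) >= 4}


def is_weak(password: str, tokens: set[str], dictionary: set[str],
            min_len: int = 8) -> bool:
    """True if the password is short, is a dictionary word, or contains personal data."""
    lowered = password.lower()
    if len(password) < min_len or lowered in dictionary:
        return True
    return any(t in lowered for t in tokens)


if __name__ == "__main__":
    toks = personal_tokens("John Doe", "01011976")
    for pw in ["JDoe0101197", "JohnDOe", "Sex", "SParkle23Gnome", "poodlescum23"]:
        print(f"{pw:16s} weak={is_weak(pw, toks, DICTIONARY)}")
    print("8 chars, unrestricted:", search_space(8, False))
    print("8 chars, lowercase + letter ends:", search_space(8, True))
```

For 8-character passwords the bank's rules cut the search space by a factor of roughly 150, which is the reduction Joe describes.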