<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://ideas.4brad.com" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Brad Ideas - When should a password be strong - Comments</title>
 <link>http://ideas.4brad.com/when-should-password-be-strong</link>
 <description>Comments for &quot;When should a password be strong&quot;</description>
 <language>en</language>
<item>
 <title>Last 4 of SSN</title>
 <link>http://ideas.4brad.com/when-should-password-be-strong#comment-3699</link>
 <description>&lt;p&gt;This is a common technique by many companies to authenticate customers on the phone, the last 4 digits of their social security number, the USA&#039;s national ID number &quot;that is not the national ID number.&quot;&lt;/p&gt;
&lt;p&gt;Just about anybody can get this with not much work, it&#039;s a stupid security choice.&lt;/p&gt;
</description>
 <pubDate>Tue, 20 Feb 2007 08:25:59 -0800</pubDate>
 <dc:creator>brad</dc:creator>
 <guid isPermaLink="false">comment 3699 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>???</title>
 <link>http://ideas.4brad.com/when-should-password-be-strong#comment-3698</link>
 <description>&lt;p&gt;What does &quot;last-4 of SSN&quot; mean?&lt;/p&gt;
&lt;p&gt;Surprisingly many sites which enforce strict passwords don&#039;t&lt;br /&gt;
check for similarity with previous passwords.  For example,&lt;br /&gt;
they demand at least 1 number, one capital letter, one small&lt;br /&gt;
letter and one special sign.  (The fact that the number of&lt;br /&gt;
possible passwords is SMALLER if the hacker knows they all&lt;br /&gt;
meet these criteria is another problem.)  Just increase the&lt;br /&gt;
&quot;number&quot; part by one every time a password change is forced.&lt;br /&gt;
(Many sites which require strong passwords force them to be&lt;br /&gt;
changed ever so often.  I don&#039;t really see the point of this.&lt;br /&gt;
If it is too often, it is too much trouble, and if it is too&lt;br /&gt;
seldom, then the damage will already have been done.)&lt;/p&gt;
</description>
 <pubDate>Tue, 20 Feb 2007 02:12:23 -0800</pubDate>
 <dc:creator>Anonymous</dc:creator>
 <guid isPermaLink="false">comment 3698 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>When should a password be strong</title>
 <link>http://ideas.4brad.com/when-should-password-be-strong</link>
 <description>&lt;p&gt;If you&amp;#8217;re like me, you select special unique passwords for the sites that count, such as banks, and you use a fairly simple password for things like accounts on blogs and message boards where you&amp;#8217;re not particularly scared if somebody learns the password.   (You had better not be scared, since most of these sites store your password in the clear so they can mail it to you, which means they learn your standard account/password and could pretend to be you on all the sites you duplicate the password on.)   There are tools that will generate a different password for every site you visit, and of course most browsers will remember a complete suite of passwords for you, but neither of these work well when roaming to an internet cafe or friend&amp;#8217;s house.&lt;/p&gt;

&lt;p&gt;However, every so often you&amp;#8217;ll get a site that demands you use a &amp;#8220;strong&amp;#8221; password, requiring it to be a certain length, to have digits or punctuation, spaces and mixed case, or subsets of rules like these.   This of course screws you up if the site is an unimportant site and you want to use your easy-to-remember password; you must generate a variant of it that meets their rules and remember it.   These are usually sites where you can&amp;#8217;t imagine why you want to create an account in the first place, such as stores you will shop at once, or blogs you will comment on once and so on.&lt;/p&gt;

&lt;p&gt;Strong passwords make a lot of sense in certain situations, but it seems some people don&amp;#8217;t understand why.  You need a strong password in case it is possible or desirable for an attacker to do a &amp;#8220;dictionary&amp;#8221; attack on your account.  This means they have to try thousands, or even millions of passwords until they hit the one that works.  If you use a dictionary word, they can try the most common words in the dictionary and learn your password.&lt;/p&gt;
</description>
 <comments>http://ideas.4brad.com/when-should-password-be-strong#comments</comments>
 <category domain="http://ideas.4brad.com/taxonomy/term/40">Internet</category>
 <category domain="http://ideas.4brad.com/archives/cat_privacy.html">Privacy</category>
 <pubDate>Mon, 19 Feb 2007 11:54:17 -0800</pubDate>
 <dc:creator>brad</dc:creator>
 <guid isPermaLink="false">523 at http://ideas.4brad.com</guid>
</item>
</channel>
</rss>
