Tough Passwords

We've had this talk before. Unfortunately we are sure to have it again. And again.

The first email that greeted me this morning started out with "what the hell is that password?!?". The word in question was a remote access password that had recently been changed because of the unexpected departure of a high level employee. It wasn't that the person asking the question hadn't been told what the new password was; he had. I could be wrong, but I had the strong impression that he just didn't like the complexity of it.

It was their new IT person who had reset this, and he had done it right: 10 characters, mixed punctuation, numbers and upper and lower case letters. It was a great password.

Too bad it didn't work.

I figured out why pretty quickly: somehow the email that gave the new password had "P:" ahead of it. Let's pretend the password was 23$Ca%Pk98. The email said:

remote access P: 23$Ca%Pk98

Because of proportional fonts in html mail, that ended up looking like

remote access P:23$Ca%Pk98

Blame Microsoft for that: before they stuck their grubby fingers in email, that couldn't have happened. But I digress.

I can understand the frustration of the user. He also said "please write what the actual password is more clearly". That's something I almost always do. For example, I'd usually say:

remote access 23$Ca%Pk98
numeral-two numeral-three dollar-sign upper-see lower-ay percent-sign upper-pee lower-kay numeral-nine numeral-eight

But that's just me, and I'm more apt to do that when writing with a pencil than with a keyboard. It wouldn't have helped here, because I had the wrong password too.

Anyway: I'm not certain this guy was complaining about the password. As it didn't work (at least as presented), he may have just been frustrated by that. After all, you leave work Friday night knowing you have some important stuff to do over the weekend and then you can't get in. Frustrating. Maybe that's all it was.

But at other times, in other places. I've had non-techy types complain about "hard passwords". They don't like hard to remember passwords, especially dislike hard to type passwords, and they whine and complain, and all too often I eventually get a polite email from top management asking me to make it "easier".

Sure. At lots of places, "abc123" is a favorite. The word "password" doesn't lag far behind. Those are wonderful passwords, very suitable for protecting systems. Oh wait, here's another great idea: take the company name and make that the password! No one would ever think to try "AcmeBrake", right? Ri-i-i-ght.

With some customers, I can't win: AcmeBrake it is, and that's that. Others reluctantly accept what I suggest or at least do something part way: "Acme2006Brake". That's a little better, I guess.

A little better.

Click here to add your comments




Tue Aug 8 00:29:00 2006: Subject: Then there is this...   Sledge


I worked with a guy that advocated writing passwords down. This way, he was able to enforce a 27 character at least one number, one upper case, one lower case, one special and one extended ASCII character password (j/k but almost), people would be more accepting of the burden because they had the reference. I see the logic but something in me still says they should not be written down.



Tue Aug 8 01:14:26 2006: Subject:   TonyLawrence


Well, written down where? On a card you carry in your wallet or on a Post-It on your monitor?



Don't miss responses! Subscribe to Comments by RSS or by Email

Click here to add your comments

If you want a picture to show with your comment, go get a Gravatar

My Unix/Linux Troubleshooting Book

My Hard Truths about Easy Money Book

My Self Employment Book

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.