The stronger your passwords, the more secure your system is. In the SQL Server space, many exploits take advantage of weak or nonexistent sa passwords—which is why Microsoft made the default installation of SQL Server 2005 supply an sa password by default. However, for end users, strong passwords are a two-edged sword. Although strong passwords make for better security, the stronger the password, the more difficult it is to remember. In user workspaces, you inevitably see sticky notes full of impressive-looking, difficult-to-remember passwords—attached to the edges of monitors.

A study conducted by researchers at the Cambridge University computer lab both confirmed and debunked several common beliefs regarding user password selection. This study compared the value of strong random passwords with mnemonic-style passwords. A mnemonic password is a word you construct by using the first letters from a sentence. For example, "My 1st mnemonic password is cool" would be "M1mpic." The first finding confirmed what we all know: Users have trouble remembering random passwords. Sixty-six percent wrote down the random password to help them remember it. Next—no surprise here either—the study confirmed that passwords based on mnemonic phrases are harder to guess than passwords that users select from common words or names. The researchers cracked 32 percent of such user-selected passwords by using simple dictionary and brute-force attacks.

The Cambridge study also debunked several myths about users and passwords. First, it showed that randomly generated passwords aren't stronger than mnemonic passwords. The successful cracking rate for 6-character passwords of each type was roughly equal. Another myth that the study disproved was that mnemonic passwords are harder to remember than passwords that users select based on common words. As measured by administrative password-reset requests, mnemonic and user-selected passwords had about the same reset rate. However, randomly generated passwords needed resetting 8 times as often. You can find the Cambridge study at http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf.

However, several pieces of compelling evidence suggest that pass phrases give better security than even strong passwords. Pass phrases differ from mnemonic passwords in that they're full words and contain spaces. The pass phrase "My 1st mnemonic password is cool" is 27 characters, versus the 7-character derivative. Windows and SQL Server both support pass phrases: Windows allows passwords of up to 127 characters, and SQL Server's mixed-authentication mode supports passwords of up to 128 characters. Passwords, though shorter, can be cryptic—especially strong passwords that combine uppercase and lowercase letters, numbers, and special characters. Pass phrases are longer but easier to remember. As a rule, longer is stronger, so the length of pass phrases makes them more difficult to crack than passwords. And because the phrase means something to the user, it's less likely that the user will write it down.
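As an added example (not code from the original article), the following Python script derives a mnemonic password from a phrase the way the article describes, estimates the brute-force search space of a random password, a mnemonic and a pass phrase built from the same sentence, and checks a candidate against the 127- and 128-character limits the article cites. The 10,000-word vocabulary and the 32-character special-character class are assumptions made here for the estimate, not figures from the article or the Cambridge study.

```python
# Added example (not from the original article): estimate the brute-force
# search space of the password styles discussed above and check a candidate
# against the length limits the article cites.
import math
import re

# Assumed character-class sizes; the 32 "special" characters are taken to be
# printable ASCII punctuation plus the space character.
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32


def mnemonic_from_phrase(phrase: str) -> str:
    """Build a mnemonic password from the first character of each word,
    the way the article turns "My 1st mnemonic password is cool" into "M1mpic"."""
    return "".join(word[0] for word in phrase.split())


def charset_size(secret: str) -> int:
    """Alphabet size an attacker must cover if the secret is assumed to be drawn
    uniformly from the character classes it actually uses."""
    size = 0
    if re.search(r"[a-z]", secret):
        size += LOWER
    if re.search(r"[A-Z]", secret):
        size += UPPER
    if re.search(r"[0-9]", secret):
        size += DIGITS
    if re.search(r"[^A-Za-z0-9]", secret):  # punctuation and space
        size += SPECIAL
    return size


def character_bits(secret: str) -> float:
    """Search-space size in bits for a character-by-character brute-force attack.
    A mnemonic looks identical to a random password of the same length under
    this model, which is consistent with the study's finding that 6-character
    random and mnemonic passwords were cracked at roughly equal rates."""
    return len(secret) * math.log2(charset_size(secret))


def word_bits(phrase: str, vocabulary: int = 10_000) -> float:
    """Search-space size in bits if an attacker guesses whole words from a
    dictionary of `vocabulary` entries (assumed size; the article gives none).
    This is the conservative figure to credit a pass phrase of common words."""
    return len(phrase.split()) * math.log2(vocabulary)


def fits_length_limits(secret: str) -> dict:
    """Check a candidate against the maximum lengths the article cites:
    127 characters for Windows, 128 for SQL Server mixed-mode logins."""
    return {"windows": len(secret) <= 127, "sql_server": len(secret) <= 128}


def compare(phrase: str) -> dict:
    """Bits of search space for the pass phrase (word-level and character-level),
    its mnemonic derivative, and a random password of the mnemonic's length
    drawn from the full assumed 94-character set."""
    mnemonic = mnemonic_from_phrase(phrase)
    full_set = LOWER + UPPER + DIGITS + SPECIAL
    return {
        "mnemonic_bits": round(character_bits(mnemonic), 1),
        "random_same_length_bits": round(len(mnemonic) * math.log2(full_set), 1),
        "passphrase_word_bits": round(word_bits(phrase), 1),
        "passphrase_char_bits": round(character_bits(phrase), 1),
    }


if __name__ == "__main__":
    example = "My 1st mnemonic password is cool"  # the article's own sample phrase
    print(mnemonic_from_phrase(example))
    print(compare(example))
    print(fits_length_limits(example))
```

When setting policy, credit a pass phrase with the word-level figure rather than the character-level one: an attacker who knows that users pick common words does not search character by character, so the lower number is the one that actually bounds the guessing effort. Even under that conservative model, the six-word phrase in the article's example comfortably exceeds the search space of its six-character mnemonic.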

Strong passwords are certainly better than weak ones, but it's time to consider pass phrases as an alternative to passwords. In the technology game, people and processes almost always trump technology. Pass phrases strike a good balance between usability and security. They're long enough to provide good security, yet friendly enough that users will remember them more easily than stronger but complex and meaningless passwords.

Reader Comments

I use and encourage "password algorithms" rather than phrases or words. In this approach, first select a long number that you can commit to memory but which is not likely to be known to others. For example, your mother's SSN or the 10-digit phone number of a school you attended. Second, choose a transform or set of transforms to process the number. An obvious choice is to substitute letters O and l for numbers 0 and 1. Others include alternating the shift key, inserting spaces after odd/even/prime digits, starting in the middle and working around the number clockwise or counterclockwise, spelling out one or more of the digits, ..... I combine several of these techniques. I have 3 or 4 "significant" numbers that will stick in my mind and I choose a "MangleRythm" based on the purpose, so my voice mail PIN is pretty straightforward but my work server logins are rather beastly. For example, "*oO2^m7U&@" is derived from 8002667872, which is 800CompUSA.

Anonymous User

Article Rating 3 out of 5

Interesting stuff, but how many times do you have to type a password or phrase into a system each day? For me it is quite a lot, so the typing mistakes on a pass phrase will waste a lot of time and risk potential lockouts. Good idea, but not sure it is practical for many users.

Anonymous User

Article Rating 4 out of 5

Similar to the "MangleRythm" suggested on 2/18/05, I use the so-called hacker "l33t" language to transform an easy-to-remember password into something that meets strong requirements. All sorts of creative combinations are possible.

Anonymous User

Article Rating 3 out of 5

The ideas help out a little with what I think is the main problem: lots of passwords. I have an easy time remembering my passwords, no matter how arcane they are. But I usually need to type in 3 or 4 of them for rarely visited places before I get the right one. Some of your suggestions could help out as long as I came up with a mnemonic standard.

Anonymous User

Article Rating 4 out of 5
