Dont confuse simplicity with the unsecure
User passwords are one of an administrator's many security headaches, especially when users put their passwords on sticky notes that hang from their monitors; select easy-to-guess passwords like a child's name; use the same, weak password for all of their work and home accounts; and/or share their passwords with others when asked. This situation can be vastly improved if you educate your users about the importance of passwords and teach them a technique for generating secure, but easy to remember, passwords.
Educate your end users
To help you educate the employees in your organization about their role in information security, and particularly the need for creating secure passwords, we have put together a PowerPoint presentation that you can download.
The secure password problem
Secure passwords must adhere to the following three principles:
- Passwords must never be written down.
- Passwords must not be predictable.
- Passwords must be unforgettable.
Since passwords must never be written down, they must never be computer-generated and given to a user. It's impossible for a person to remember six to eight characters of computer-generated gibberish without writing it down. In the real world, even if users make up their own passwords, they typically record them in their wallets, purses, or worse, under their keyboards or on the side of their monitor. To be truly secure, passwords must exist only in the user's mind.
For user-generated passwords to be unpredictable, the user must do more than just come up with some names or words that others are not likely to figure out. Passwords should be random to ensure that no one will be able to guess them. But random tends to mean "hard to remember" for users, which, again, will tempt them to write their passwords down.
If passwords must not be recorded anywhere, they certainly need to be unforgettable for the user—which is somewhat at odds with the notion that the password should not be predictable. The need for passwords for multiple systems complicates matters even further.
Consultants often recommend that users avoid using the same password for more than one system. Having a separate password for every system instead of a single password is a classic red herring issue. If a user's single password is really secure, what does it matter whether it's used on multiple systems? One secure password is clearly better than many insecure ones. Asking a user to try to remember many passwords, especially when they must be changed frequently, does nothing but force the user to write them all down.
The only practical solution is to give users a method that enables them to generate unforgettable passwords.
A secure password technique
For more than 30 years, I have taught users to create secure passwords by using the following process, which is based on the observation that a person easily forgets an unfamiliar address, but easily remembers directions based on landmarks. If I tell you to go to 123 Fourth Street, you'll immediately write the address down. If, however, I tell you to go to the large gray building next to city hall, you'll have no problem getting there without writing anything down. I apply this practical principle to passwords as follows.
Start with some trivial-to-remember words or names. These words don't have to be unusual or things that no other person would ever guess. They should be easy to remember for the user without being too obvious. Names, places, dates, characteristics, colors, or meaningful objects are just a few obvious examples of suitable words.
Next, create a translation algorithm, a simple rule or set of rules, to convert the letters (or numbers) in the words to different letters (or numbers). The resulting password will be a secure sequence of absolute gibberish, not unlike computer-generated passwords. The user will not forget the password because he or she can re-create it quickly and easily until it is memorized by frequent use (more on translation schemes later).
If passwords must be changed periodically, embed some time-related metric, like the month, the day of the week, or the year, into the password somewhere.
The user won't forget the initial word or words, and more importantly, won't forget the simple algorithm. The end result is a secure password that is difficult to forget and difficult for someone else to crack.
Using an algorithm
Keyboard translations provide many simple algorithms. Substitute the character to the right, left, above, or below on the keyboard for each letter in the starting word. For example, if we choose to replace each letter with the letter above and to the left of the original letter we have the following substitution sequence:
- A becomes Q
- S becomes W
- Q becomes 1
- W becomes 2
- C becomes D
Letters can also be substituted for numbers (and vice versa) by other sets of simple rules. For instance:
- 1 looks like a lowercase letter L
- 2 looks like a Z
- 3 looks like a backward E
- 4 looks like an A
- 5 looks like an S
- 6 looks like a G
- 7 looks like a T
- 8 looks like an R
- 9 looks like a backward P
- 0 looks like an O
The translation possibilities are endless. Dates or other meaningful time metrics can also be interspersed in the password at specific locations known only to the user. For people with technical backgrounds, numbers can even be changed to different number bases. The characters in the password can also be scrambled in some way.
Here is a simple example. Grandmother's middle name is Alice. Convert every letter to the character above-left on the keyboard, producing qo8d3. Now add the month, 07, in the second position, and the year, 02, at the end, giving q07o8d302 as a final password for the month of July 2002.
Who is going to break this password by guessing Alice, plus the keyboard translation, and the location of the month and year digits within the translated character string? The creator won't forget either the initial word or the simple translation rules. After using this string of gibberish a few times, the user will have the password memorized. The algorithm is simple and can be used with any names that are easy for the end user to remember. If chosen carefully, one translation algorithm can last for years with few modifications. Periodically, the user can even modify the algorithm without having a problem remembering the same basic password scheme.
Two other password problems occasionally raise difficulties for end users. The first is that different systems may force users to change their passwords at varying time intervals. The solution here is to change all the passwords on a schedule consistent with the shortest time interval. Say one system requires changes monthly, another every two months, and two others quarterly. The solution is to spend a few minutes once a month to reset them all to your standard password for that time period.
The second problem can be a little more confusing. Different systems may have different rules for acceptable passwords. One system may not allow numbers. Another system may require a special character. This means that the user must take a little extra time to adopt an approach that creates an acceptable password for all the systems. On rare occasions, it may be necessary to have a couple of passwords with minor differences. If, for example, one system requires numbers and letters, but another prohibits numbers, the user will be forced to create an algorithm that generates passwords with all letters and then add a number to this standard password to accommodate the system that requires a number. The same would be true for situations involving special characters.
These simple translation schemes are easy to create and difficult to forget. They can be as simple or as complex as the user wants to make them. My experience has shown that once users are presented with a few examples, even the most nontechnical people quickly develop their own innovative schemes to create absolutely secure passwords.
I strongly encourage system administrators to include an extra 10 or 15 minutes in their end-user training sessions to teach this technique. My feedback has been uniformly positive with this approach.