How far should we push end users to use secure passwords?
-
Everyone knows that it's good to have a secure password, but very few people actually have one. Where are the limits, for a common web service provider (managing user accounts), to enforce end users using secure passwords? I know people who would say it's the user's responsibility, so they can use a login:pass like admin:admin if they want. Up to them if something goes wrong. Personally I use KeePass for all my passwords and basically most of them are very strong. So where is the balance? How much can we push and not be annoying? What are your acceptable limits (mix of letters & numbers, mix of cases, min. length, etc.)?

Update: Would you rather prefer an external authentication provider like Twitter, Facebook or Google login instead?

Update 2: It seems that we pushed too much, as we are lowering our secure password strategy to only one limitation; minimum length will be 6 chars. We'll see how this is gonna work.
-
Answer:
You should push them to use full 8-character passwords. This should be a mix of upper case, lower case, numbers (or special characters). This will generate a great deal more entropy in the potential passwords. See the section that I've bolded below. However, humans are humans, and if you push too hard you'll get serious blowback. I would push this slowly... maybe every 6 months, make the password complexity requirement a bit tougher than it was before. You need to write this into your security policy and ensure that all servers, computers and devices enforce the policy as well.

Entropy as a measure of password strength

It is usual in the computer industry to estimate password strength in terms of information entropy, measured in bits, a concept from information theory. Instead of the number of guesses needed to find the password with certainty, the base-2 logarithm of that number is given, which is the number of "entropy bits" in a password. A password with, say, 42 bits of strength calculated in this way would be as strong as a string of 42 bits chosen randomly, say by a fair coin toss. Put another way, a password with 42 bits of strength would require 2^42 attempts to exhaust all possibilities during a brute force search. Thus, adding one bit of entropy to a password doubles the number of guesses required, which makes an attacker's task twice as difficult. On average, an attacker will have to try half the possible passwords before finding the correct one.

http://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength
Andrew Lemke at Quora
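As an added worked example (not part of the answer above or of the original Quora thread), here is the entropy arithmetic the answer quotes, written out in Python: bits = length × log2(alphabet size), 2^bits guesses to exhaust the space, half of that on average, and a checker for the "minimum length plus N of 4 character classes" style of policy the thread discusses. The character-class sizes and the sample passwords are assumptions made for this example.

```python
import math
import string

# Sizes of the four character classes (assumed for this example; "symbol"
# is counted as the 32 printable ASCII punctuation characters).
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),  # 32
}


def classes_used(password):
    """Return the set of character classes that actually appear in the password."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        elif ch in string.punctuation:
            used.add("symbol")
    return used


def entropy_bits(length, classes):
    """Entropy of a password of `length` characters drawn uniformly at random
    from the union of the given classes: length * log2(alphabet size).
    This is the best case; human-chosen passwords carry far fewer bits."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def guesses_to_exhaust(bits):
    """2^bits attempts exhaust the key space; every extra bit doubles it."""
    return round(2 ** bits)


def average_guesses(bits):
    """On average an attacker finds the password after half the space."""
    return guesses_to_exhaust(bits) // 2


def meets_policy(password, min_length, min_classes):
    """Check a password against a 'min length + N of 4 classes' policy.
    Returns (ok, list of reasons it failed)."""
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    used = classes_used(password)
    if len(used) < min_classes:
        reasons.append("uses %d of 4 classes, policy needs %d" % (len(used), min_classes))
    return (not reasons, reasons)


if __name__ == "__main__":
    # Compare the policies mentioned in the thread (all values constructed here).
    policies = [
        ("6 chars, lower only", 6, ["lower"]),
        ("8 chars, lower only", 8, ["lower"]),
        ("8 chars, 3 classes", 8, ["lower", "upper", "digit"]),
        ("10 chars, 3 classes", 10, ["lower", "upper", "digit"]),
    ]
    for name, length, classes in policies:
        bits = entropy_bits(length, classes)
        print("%-20s %5.1f bits  ~%.2e guesses on average" % (name, bits, average_guesses(bits)))

    for pw in ("admin", "password", "Passw0rd"):
        print(pw, meets_policy(pw, 8, 3))
```

The numbers are an upper bound: the formula assumes every character was chosen uniformly at random, so "Passw0rd" passes an 8-character, 3-of-4 policy and "scores" about 47 bits, yet it appears in every common wordlist. That gap between policy compliance and real strength is why the composition rules alone do not settle the question, and why the thread drifts towards a second factor.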
Other answers
Sadly, I have to say that most of my co-workers are using WAY too weak passwords, even though the policies say that a minimum length of 10 is necessary, and you have to use at least 3 out of 4 categories (aA0!). I think this is because of the validity period, which is set to 42 days. I don't think we should consider pushing user passwords any more. Even though it's just a game, take a look at World of Warcraft: they are giving away RSA tokens for any reason (Collectors pack, Minipet, Invite friend on special event...). Google has also implemented a function like this. With a common user password (minimum length of 6) and an RSA token, all would be much more secure. It's also amazingly easy to implement; consider using a token generator on your mobile, this wouldn't even cost a penny.
Mario Dengg
The problem here is not how long or complex a password is, it is how people deal with them. First off, most people use a simple or repetitive password so they can remember it. You may get them to use a more complex one, but to be truly secure you need to require them to change it periodically. This creates a new problem: the password is written somewhere, maybe not so obvious, but not usually too hard to find. I travel to many different places to work on computers and one of my tricks is to look around for a slip or note on the desk with the password. In nearly every case where the password is complex and non-permanent, I can find it written locally. Second, when required to change a password periodically, users frequently will change only a small part, like an ascending sequence. Sure, you can prevent this, but then you get the written password problem again. Even the techs and administrators are guilty. They may have a password that changes also, but in many cases there is a standard administrator login that doesn't change that can be used as a general login. Passwords are not all that secure, no matter how complex. We were periodically tested on our network for password strength by running a program to break easy passwords. But the program is limited and stops at a point. Dedicated hackers have none of those limits and would be able to blow away most passwords we consider safe. Keyloggers are another problem. Some are malware, but others are installed by employers. Hack a keylogger, and you get a whole list of passwords. A better solution is biometrics or smartcards, or, as Mario states, RSA tokens. While these may still be hacked, the likelihood is much less, given the ability to shift encryptions and recode smartcards. This solution may be impractical for many small businesses or users, so allowing simpler passwords is better than the alternative.
Jeff Kay