Wulf's Webden

The Webden on WordPress

Password Groups

I am still waiting for the results of the Digital Forensics course I was studying earlier this year but I started my third Open University module a couple of weeks ago: M811 Information Security. This one makes using the course forums mandatory, counting for part of our final mark, and so they have been very busy. It is a job to keep up but also stimulating, with thoughts firing in all sorts of different directions, and one area I have been covering is passwords. Received wisdom is that your passwords should be long, contain a mix of character types (preferably upper, lower, digits and $pecial) and be unique for each place you use them. In other words, each separate login should have its own associated password.

If I’m allowed to breathe a little heresy, is it so bad to use the same password in more than one place? In an online context, a tool like LastPass is fantastic – for accessing online services it doesn’t matter that you have to be online to get the password as you also have to be online to use the system. However, I do sometimes fudge the matter to think of ‘system’ as a wider entity than ‘computer’ and use the same credentials for a group of machines so that, where I need to manually type secure passwords, I only have a small set to remember (still periodically changed but with that change propagated across the set).

And, after all, isn’t that essentially a reduced version of what a single sign-on (SSO) system is doing in a generally accepted manner – a single point of failure for logging in across multiple systems? Of course, I’m not going to tell you which sets of systems those are or how many points of entry each one contains.

The two places where I absolutely agree that the unique password rule is essential are key systems (like email accounts, which can be used to authorise a password reset somewhere else – if that is compromised it allows lots of other things to be unlocked) and ones where you’ve got any concerns about how well they look after your data (so, for example, TalkTalk but also similar companies which might have similar weaknesses). Since all those systems are online, I think there is a lot of value in finding a password vault you trust (see, for example, this fairly recent round up) and working towards having all the online passwords that you never need to type in manually be long, random strings of characters.

  • Peter Webb

    I definitely have “groups” of passwords, which relate to how critical the security of the access is (one is even so low that the password is a simple one like letmein), and use rotating substitutions as I go through iterations of the more complex ones.

    I have been seeing things around in recent years suggesting a pass phrase (rather than word) is better. It has been suggested that it beats simple dictionary attacks but, more importantly, is easier to remember.
    I use a variation on this for some passwords with at least 3 elements, the core of which are
    1) a secret
    2) an encoding of when it was last changed
    3) a contextual element

    e.g. P@ssw0rdValentineDisqus for one changed in February

    This makes it easier for me to work out the correct password in a few guesses even if I have not used that login for 6 months or more, especially on systems that insist on regular changes.

    The problem I have with password managers is the edge cases…

    Although autofill is useful it does not always happen, especially if the login is not actually in the browser, and there are some logins that do not allow the paste function in the password box.
    I find it easier to actually remember several small components.

    What really trips me up are places where there are what I consider odd rules, like the one that wouldn’t let me have anything other than a letter as the first character even though it insisted numbers and $ymbols should be components, and the one I found recently with Office 365 where there is a relatively short maximum password length of 16 characters (so P@ssw0rdValentineO365 would not work).

    • basswulf

      Using a password scheme can work well – another trick (although not one I use myself) is to remember a core password and then write down a unique addition to keep handy, thus requiring the bit you’ve recorded and the bit that you’ve memorised to work.

      The problem with any scheme is that it degrades rapidly if an attacker can gather several passwords from the set and start to triangulate their guesses.
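As an added illustration of that triangulation point (example code, not part of the original post or comments), here is a short Python snippet run over constructed sample passwords built on the three-part scheme described in the comment above. It shows how the fixed core falls out of a handful of exposed passwords and how small the remaining guess space for a new site becomes, compared with a random string from a vault; the month words and context labels are assumptions made up for the example.

```python
# Added illustration with constructed data: how a structured password scheme
# of the form <secret><month-word><context> degrades once a few leak.
from math import log2

# Constructed sample passwords for one person, all built on the same scheme.
LEAKED = [
    "P@ssw0rdValentineDisqus",
    "P@ssw0rdEasterForum",
    "P@ssw0rdSummerWebmail",
]

# Assumed vocabulary for the "when it was last changed" element.
MONTH_WORDS = ["NewYear", "Valentine", "Easter", "Spring", "Summer",
               "Autumn", "Halloween", "Christmas"]


def common_prefix(strings):
    """Longest prefix shared by every string: the fixed 'secret' core."""
    if not strings:
        return ""
    lo, hi = min(strings), max(strings)  # prefix of lo and hi is prefix of all
    i = 0
    while i < min(len(lo), len(hi)) and lo[i] == hi[i]:
        i += 1
    return lo[:i]


def recover_structure(leaked, month_words):
    """Split each exposed password into (core, month word, context) using
    only the shared prefix and the assumed month vocabulary."""
    core = common_prefix(leaked)
    parts = []
    for pw in leaked:
        rest = pw[len(core):]
        month = next((m for m in month_words if rest.startswith(m)), "")
        parts.append((month, rest[len(month):]))
    return core, parts


def scheme_bits(month_words, contexts):
    """Guess space (bits) for a new site once the core is known."""
    return log2(len(month_words) * len(contexts))


def random_bits(length, alphabet=95):
    """Guess space (bits) of a vault-generated random printable-ASCII string."""
    return length * log2(alphabet)


if __name__ == "__main__":
    print(recover_structure(LEAKED, MONTH_WORDS))
    print(f"scheme: {scheme_bits(MONTH_WORDS, ['Mail', 'Bank', 'Shop']):.1f} bits")
    print(f"random 16-char: {random_bits(16):.1f} bits")
```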