Everyone hates your insecure password rules

Nick Summer spent an entertaining afternoon with William Cheswick, author of Firewalls and Internet Security: Repelling the Wily Hacker and a godfather, at least, of modern password policy. It’s a follow up to an earlier piece about how broken password systems are, while offering a peak at what Carnegie Mellon University’s cyber-security-research department and others are doing to fix it.

Passmaps. Users pick a geographic location special to them─like a small lake in the Adirondacks. Zooming way in on Google Maps, the user copies the latitude and longitude. This creates a long password, difficult to guess, that the user doesn’t have to memorize. Mine might be 40.730487,-73.984431.

Passgraphs. This one’s not exactly user friendly for anyone who hated math class. It requires you to zoom in on a particular point in a Mandelbrot set and use those coordinates as your password─basically, the same idea as passmaps above, but it doesn’t require any interaction with a map service owned by Google or Microsoft.

Passwords transmitted in plain sight. Baseball players, Cheswick notes, use passwords all the time: they take elaborate signs from base coaches in full view of their opponents, fans, and TV viewers. They look complicated, but hey, if dimwitted jocks can use them, there must be an underlying simplicity that anyone can master, and that would obviate the danger of bad stuff like malware and keyloggers.

Even in a best case scenario these solutions are all impractical today, and quite possibly for the foreseeable future but Cheswick says it’s still a problem worth thinking hard about, and I’m sure your users would agree. As the recent Hotmail phishing attacks reminded us, for far to many users “123456″ is still the last line of defense.

Fortunately, for those that still must deal with passwords, both as administrators and users, the ITKnowledgeExchange forums have plenty of advice:

• On requiring or even allowing spaces in passwords
• On encryption with passwords, both strengths and limitations
• A discussion on the pros and cons of swapping fingerprints for passwords
• On the law and encryption

So, how would you do away with passwords if you could? And what are you doing in the meantime (read: the real world) to make them an effective security measure and not a PITA? Let me know in the comments or e-mail me at Michael@ITKnowledgeExchange.com.