http://qs1969.pair.com?node_id=27936


in reply to Ethics of Passwords

A desktop admin at a place where I used to work had a lovely scheme for default passwords: a sequence of four digits, followed by a licence-plate-type combination of letters from the user's first and/or last name.

So, for example, a user with the name Andrew Johnston would be given a default password of 0714jstn or aw9901Jn, or 28drej82, etc.

Sure, it's not exactly as secure as a fully random password, but it's easier to remember, not as likely to be changed to 'nameofgirlfriend', and still pretty hard to guess -- especially if a couple of $'s or &'s were to be thrown in.

RE: RE: Ethics of Passwords
by KM (Priest) on Aug 16, 2000 at 17:12 UTC
    While I was stuck in traffic last night staring at license plates I thought of this post. This is a likely bad idea for a password scheme. Why? Because anyone who knows the scheme can more easily crack a password. If I know you will be using 0-9 in four places, and letters from a name for the rest, I know that if the name is Sam Jones there are only 17 (10 numbers, 7 letters, since the s is repeated) possible characters per place, with only 4 of them being digits. So if the password was between 8 and N places, you can do the math to see the finite number of possibilities. And, as some of us know, people don't change easy-to-remember default passwords unless they are forced to :)

    Cheers,
    KM

      You're right, of course.

      But I should have clarified my thoughts. Notice how I mentioned sticking non-alphanumeric characters into the mix? The scheme I mentioned would not work if it were used precisely every time. But I think it's a good general idea for generating passwords, at least for low-risk access, like desktop workstations in the marketing department.

      Take a pseudo-random mix of letters that's pronounceable or has a meaningful association in case it's forgotten, and add several arbitrary numbers that have a pattern (like 6786 or 1641), stick in a punctuation mark or two, and you have a decent, hard-to-break password. But that's just common sense, I guess.

      Of course, arbitrary-length passphrases are so much better and easier to remember...

        Take a pseudo-random mix of letters that's pronounceable or has a meaningful association

        I would worry that would end up being a dictionary word.

        and add several arbitrary numbers that have a pattern

        Patterns are easy to find (didn't you see the movie Pi? ;)

        stick in a punctuation mark or two

        Same as using numbers, simply have to add the punctuation marks into the cracking algorithm.

        I'm not knocking you here, just that it is like you are trying to contrive a password creation scheme which isn't random, has a finite number of possibilities (especially when you use letters only in a person's name), and whose patterns could be figured out. There is nothing better (that I know of) than simply giving a totally randomly generated password. When the user changes it to 'ilovecheese', is when there is a problem :) (of course you can set rules against that happening).

        at least for low-risk access, like desktop workstations in the marketing department.

        That isn't really low risk. I am sure Adidas would like the marketing info from Nike :)

        Anyways, we aren't talking about Perl now!

        Cheers,
        KM
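KM's "do the math" point from both replies, worked through as an added example (not code from the thread or from any of its posters): it counts how many passwords the "four digits plus letters from the user's name" scheme can produce for a given name, compares that with a uniformly random password of the same length, and shows the policy check an admin could use to reject defaults that were never changed. The model (digits in four slots, the rest drawn from the distinct letters of the name, case-insensitive) and the 62-character random alphabet are assumptions made here.

```python
"""Keyspace of the 'four digits + letters of the name' default-password scheme
versus a random password. Added example; assumptions are marked as such."""
import math


def name_alphabet(name: str) -> set:
    """Distinct letters of a name, lower-cased ('Sam Jones' -> 7 letters, as KM counts).
    Assumption: case-insensitive; allowing both cases would at most double this."""
    return {c.lower() for c in name if c.isalpha()}


def scheme_keyspace(name: str, length: int, digits_anywhere: bool = False) -> int:
    """Number of `length`-character passwords the scheme can produce for `name`.
    digits_anywhere=False: the four digits sit in fixed slots (e.g. at the front).
    digits_anywhere=True : the four digit slots may be any 4 of the `length` slots."""
    if length < 4:
        raise ValueError("scheme needs at least four characters")
    letters = len(name_alphabet(name))
    fixed = 10 ** 4 * letters ** (length - 4)
    return fixed * math.comb(length, 4) if digits_anywhere else fixed


def random_keyspace(length: int, alphabet_size: int = 62) -> int:
    """Uniform random password over an assumed alphabet (62 = a-z, A-Z, 0-9)."""
    return alphabet_size ** length


def bits(keyspace: int) -> float:
    """Entropy in bits of picking uniformly from `keyspace` candidates."""
    return math.log2(keyspace)


def fits_scheme(password: str, name: str) -> bool:
    """True if `password` could have been issued by the scheme for `name`:
    exactly four digits and every other character a letter of the name.
    Usable as a policy rule that refuses unchanged default passwords."""
    letters = name_alphabet(name)
    digits = sum(c.isdigit() for c in password)
    return digits == 4 and all(c.isdigit() or c.lower() in letters for c in password)


if __name__ == "__main__":
    for label, n in (("scheme, digits first", scheme_keyspace("Sam Jones", 8)),
                     ("scheme, digits anywhere", scheme_keyspace("Sam Jones", 8, True)),
                     ("random 62-char alphabet", random_keyspace(8))):
        print(f"{label:24s} {n:>20,d} candidates  ~{bits(n):5.1f} bits")
    for pw in ("0714jstn", "aw9901Jn", "28drej82", "ilovecheese"):
        print(pw, "fits scheme for Andrew Johnston:", fits_scheme(pw, "Andrew Johnston"))
```

For "Sam Jones" an 8-character default has about 24 million candidates with the digits in fixed slots (roughly 24.5 bits), or about 1.7 billion if the digit slots can move, against roughly 2.2e14 (about 47.6 bits) for a random 8-character password.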