Saturday, 27 August 2011

Password with eight characters

It was the best joke at the Edinburgh Fringe, as reported by the BBC and others. Comedian Nick Helm won an award from UK digital TV channel Dave ... and stop me if you've heard this one ...
I needed a password eight characters long so I picked Snow White and the Seven Dwarves.
This got me thinking about passwords. (Yes, there had to be a reason for telling a joke in this blog.) We're interested for two reasons: we need passwords of our own and we set up systems where users need passwords.

Googling choosing passwords brings up over 7.5 million results. The top one, from lockdown.co.uk, is a good summary. I won't go into details about my personal password strategies but I will admit two things:

I have a little program, called Xyzzy, produced by Haxial software ... this can generate pronounceable but imaginary words, with optional numbers added. Unfortunately, Haxial no longer exists although Xyzzy is still out there on the web. An alternative, online, is a Java-based generator from Multicians and there is a JavaScript option.

Passwords are a balance between being easy to remember (because we never write them down, do we!) and being difficult or impossible to crack or guess.

The infamous hacking song from the BBC's Micro Live put it like this ...
Try his first wife's maiden name,
This is more than just a game,
It's real fun, but just the same,
It's Hacking, Hacking, Hacking.
I recommend you follow the Wikipedia link as it tells you how the hackers got into the system ... and I bet it's not what you think.

My second admission is that I put punctuation into passwords ... this includes plings (!) and circumflexes (^) and other seemingly esoteric things. This is good practice and is the reason why you should not restrict your web site users to alphanumeric characters. The 'difficulty' of a password increases geometrically with every character in the string, and it also grows with every character that could be in the string (the size of the allowed character set), so using anything you can get your fingers on makes sense. But stick to characters in the character set your webpage and server are using: the odd bit of Tamil probably won't work in Europe.
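
To put numbers on this, here is an added example (not part of the original post, and not how Xyzzy or the other generators mentioned work): a small pronounceable-password generator with optional digits and punctuation, a search-space calculation, and a check that a password fits the site's character set. The alphabets, function names and the ISO-8859-1 charset are assumptions made for the illustration.

```python
import math
import secrets

# Alphabets are assumptions chosen for this example; all are plain ASCII.
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"
DIGITS = "0123456789"
PUNCT = "!^#$%&*+-=?@"


def keyspace_bits(alphabet_size, length):
    """log2 of alphabet_size ** length: the size of a brute-force search."""
    return length * math.log2(alphabet_size)


def generate(syllables=4, digits=2, punct=1):
    """Return (password, bits) for consonant-vowel syllables + digits + punctuation.

    bits assumes the attacker knows this exact scheme, so only the
    random choices count towards it.
    """
    pick = secrets.choice  # backed by the OS CSPRNG, unlike random.choice
    word = "".join(pick(CONSONANTS) + pick(VOWELS) for _ in range(syllables))
    tail = "".join(pick(DIGITS) for _ in range(digits))
    tail += "".join(pick(PUNCT) for _ in range(punct))
    bits = (keyspace_bits(len(CONSONANTS) * len(VOWELS), syllables)
            + keyspace_bits(len(DIGITS), digits)
            + keyspace_bits(len(PUNCT), punct))
    return word + tail, bits


def fits_charset(password, charset):
    """True if every character survives encoding in the site's charset."""
    try:
        password.encode(charset)
        return True
    except UnicodeEncodeError:
        return False


if __name__ == "__main__":
    print("8 random alphanumerics:   %.1f bits" % keyspace_bits(62, 8))
    print("8 random printable ASCII: %.1f bits" % keyspace_bits(94, 8))
    pw, bits = generate()
    print("pronounceable: %s (%.1f bits)" % (pw, bits))
    print("Tamil letter fits ISO-8859-1:", fits_charset("pass\u0b85", "iso-8859-1"))
```

A pronounceable word carries fewer bits per character than a fully random string of the same length, which is why the extra digits and punctuation are worth having.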