One for the IT bods here.
A few weeks ago on Twatter, I posted this tweet:
Here’s the screenshot in better detail:
It genuinely made me laugh and call colleagues round, but despite the witty use of a Spiderman quote, there is, of course, a serious message there: the superuser has great power:
so you probably want to make the password secure, huh?
They did. They added password checking via cracklib (a library that rejects weak or dictionary-based passwords), resulting in this situation, where it's actually quite hard to come up with a password complex enough, and where people end up suggesting a way to bypass it.
Now that’s all well and good, but do you know what I did with my complex password (one special character, a capital letter, a number, 8 letters and another special character)?
Well, specifically, I whinged like fuck, then I wrote it down. On a post-it note. Exactly what you shouldn’t do.
Irritatingly, the vMA (vSphere Management Assistant) appliance didn't like “correcthorsebatterystaple” either (this appliance was being used for a test; seriously, you shouldn't use that password now):
Putting aside the serious message at the bottom of the cartoon (that complex passwords are not that effective against cracking), it's highly significant that the complexity rules made me break the rules, and I have to remember many passwords, so I'm probably not that bad at it.
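To put some numbers on the cartoon's point, here is an added example (mine, not from the original post or from the appliance's code) that contrasts what a character-class complexity rule measures against how many guesses a cracker actually needs. The `meets_complexity_rule` function is a deliberately simplified stand-in for the kind of rule such checkers enforce, not cracklib's real algorithm; the per-component bit counts follow the estimates printed in the XKCD "Password Strength" cartoon, and the 1000 guesses/second rate is the cartoon's figure for an online attack against a weak remote service. The two sample passwords are constructed for the demonstration.

```python
import math
import string

# Constructed sample inputs (not real credentials): the cartoon's
# "word + substitutions + suffix" style password, and the four-word
# passphrase the appliance rejected in the post.
COMPLEX_PASSWORD = "Tr0ub4dor&3"
PASSPHRASE = "correcthorsebatterystaple"

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(pw):
    """Names of the character classes that appear at least once in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def meets_complexity_rule(pw, min_len=8, min_classes=3):
    """Simplified complexity gate (assumption: a stand-in, NOT cracklib's
    actual checks): minimum length plus a minimum number of classes."""
    return len(pw) >= min_len and len(classes_used(pw)) >= min_classes


def uniform_bits(pw):
    """Entropy a naive checker imagines: every character drawn uniformly
    from the union of the classes present. Humans don't pick this way."""
    pool = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(pool)


# The cartoon's accounting for how people really build "complex" passwords.
PATTERN_MODEL = {
    "uncommon base word": 16,
    "capitalisation": 1,
    "common substitutions": 3,
    "punctuation": 4,
    "numeral": 3,
    "order of suffix": 1,
}


def pattern_bits():
    """Entropy of the substitution-pattern password under the cartoon's model."""
    return sum(PATTERN_MODEL.values())


def passphrase_bits(n_words, wordlist_size=2048):
    """Entropy of n words chosen uniformly from a wordlist (11 bits per word
    for a 2048-word list, as in the cartoon)."""
    return n_words * math.log2(wordlist_size)


def seconds_to_crack(bits, guesses_per_sec=1000):
    """Worst-case time to exhaust a search space of 2**bits guesses."""
    return (2 ** bits) / guesses_per_sec


if __name__ == "__main__":
    for pw in (COMPLEX_PASSWORD, PASSPHRASE):
        print(f"{pw!r}: passes rule={meets_complexity_rule(pw)}, "
              f"naive entropy={uniform_bits(pw):.1f} bits")
    print(f"pattern model: {pattern_bits()} bits, "
          f"~{seconds_to_crack(pattern_bits()) / 86400:.1f} days at 1000 guesses/s")
    print(f"4-word passphrase: {passphrase_bits(4):.0f} bits, "
          f"~{seconds_to_crack(passphrase_bits(4)) / (86400 * 365):.0f} years at 1000 guesses/s")
```

Run it and the gate accepts the 28-bit pattern password while rejecting the 44-bit passphrase: the rule counts character classes, the attacker counts guesses, and the two are only loosely related.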
Of course, I'm not suggesting that we all make passwords easy to guess (that leads to all sorts of fun), but clearly this is counter-productive. If someone's determined enough, has access, and the system doesn't detect the attack, then chances are they'll crack it, so it's wise not to re-use passwords across sites and/or systems. Of course, if complexity rules make passwords hard to remember, chances are the user will choose one complex password and re-use it everywhere. This probably means we'll see more two-factor authentication, which also gives a defence against keyloggers, meaning the attacker will have to resort to social engineering…