I really like when I get in the flow of things. When your outside interests coincide with your work/job, it can sometimes make your world feel like a coherent whole. It's a good feeling.
I had one of those moments today. The tie-in came with my recent Scrabble interest and the generation of stronger passwords. Everyone knows the rules for creating good passwords. But, most people only follow the rules that are enforced electronically. Everyone wants a password that's easy to remember, but hard to crack.
Now, define "hard to crack..." Most users (creating their passwords) define it as "something no one will guess." Well...guess what? A computer is not a person. A computer doesn't have to guess. It just tries all of the most likely suspects. It doesn't take very long for a computer to test every word in a dictionary, with numbers and special characters tacked on the front and back. This is what computers do...and they do it well. If the cracker also tries the common character substitutions along with the words, it will take a little bit longer. But, it will still take less time than you take on a typical crossword puzzle. [An example of a substitution would be the password Pr1c3le$$ for Priceless: 1 for i, 3 for e, $ for s.]
Sometimes admins and security professionals have to walk a fine line between strength and usability with regards to passwords. Make the rules too easy and the account gets hacked. Make the rules too hard and users leave sticky notes under their keyboards. And sometimes admins have no choice and are required to follow whatever policy the business decides to institute.
And so one day...a decree came from above that the passwords need to be strengthened. Sometimes at work I hear the distinct voice of "7 of 9" stating, "Resistance is futile. COMPLY." The worst part of complying is the implementation of this policy. We click the button. You make a good password or you get an error message. The error message doesn't tell you *why* the password doesn't meet the requirements - just that it's unacceptable.
Note 1: This frustrates users after the fourth try. Note 2: It takes more than 10 attempts for most users to create a password that meets the criteria. Note 3: We get blamed for clicking the button.
Call me soft, but I do still pity the mere mortals of computing. I witness their pain (read: I have to hear them whine and scream at us). So I created an email to explain all the rules that the new passwords need to obey. I also included a link to a random password generator to assist them in their time of separation from the Password Muse. I was ready to hit the "send" button when we were graced with a visit from Irate User.
Irate User: I tried to change my password and...yadda, yadda, yadda...
Me: Go check your email. I'm sending something out about it right now.
Irate User: But, I *know* I had a valid password and followed all the rules and it *still* won't work. Something *must* be wrong.
Me: Check your mail.
Irate User: But, I *know* it's a good password. [Shows password on sticky note] Now *you* tell *me* how that's not a good password. HA!
Note 4: Never think you know more than a computer.
Irate User's Password (partial): ***14LL3*
Me: What's this here?
Irate User: [reads password aloud]
Me: Ah. There it is! 4LL
Irate User: 4LL? (Now he's *sure* he knows more than me and the computer since he *knows* that's not a word...)
Me: Yup. 4LL spells "ALL"... "All" is a word. There are no substitutions. People substitute numbers for some of the letters. 4 substitutes as an "a"...
Irate User: Ooooooooohhh. I didn't know that.
Me: It's in the email I sent that I told you to go look at.
[Irate User backs out the door bowing to the Geek Goddess all the way...]
One of the other things that I included in the email was an example of some common Scrabble words that are uncommon to non-players. I explained that words like ORT, QAT, QUINDAR and XIS *are* words and cannot be used.
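Here is what a checker like the one behind our button is doing, as an added Python example that is not part of the original post and not the actual policy software we run: it undoes the common substitutions (4 for a, 3 for e, 1 for l or i, $ for s, and so on), then looks for any dictionary word inside the result, which is exactly how 4LL gets caught as ALL. The substitution table, the rule set (length, upper/lower case, digit, special character) and the tiny wordlist, including the Scrabble words above, are constructed for illustration; a real checker loads a full dictionary.

```python
import itertools
from typing import Dict, List, Set, Tuple

# Added example, not the post's real checker. Characters that people swap in for
# letters, mapped to the letters they may stand for; '1' and '!' are ambiguous
# (l or i), so each gets two readings. This table is an assumption.
SUBSTITUTIONS: Dict[str, Tuple[str, ...]] = {
    "4": ("a",), "@": ("a",), "3": ("e",), "1": ("l", "i"), "!": ("i", "l"),
    "|": ("l",), "0": ("o",), "$": ("s",), "5": ("s",), "7": ("t",),
    "+": ("t",), "9": ("g",), "8": ("b",), "2": ("z",),
}

# Constructed stand-in for the dictionary a real checker would load: a few
# everyday words plus the Scrabble words mentioned in the post.
WORDLIST: Set[str] = {
    "all", "priceless", "password", "hello", "ort", "qat", "quindar", "xis",
}

MAX_READINGS = 256  # cap on substitution combinations explored per password
MIN_WORD_LEN = 3    # ignore one- and two-letter "words" like "a" or "is"


def de_leet(password: str) -> Set[str]:
    """Every plain-letter reading of `password` once substitutions are undone."""
    per_char = [SUBSTITUTIONS.get(ch, (ch,)) for ch in password.lower()]
    readings = 1
    for alternatives in per_char:
        readings *= len(alternatives)
    if readings > MAX_READINGS:
        # Too many ambiguous characters: keep only each character's first reading.
        per_char = [alternatives[:1] for alternatives in per_char]
    return {"".join(reading) for reading in itertools.product(*per_char)}


def dictionary_words_in(password: str, wordlist: Set[str] = WORDLIST) -> List[str]:
    """Dictionary words that appear as substrings of any de-leeted reading."""
    found: Set[str] = set()
    for reading in de_leet(password):
        n = len(reading)
        for start in range(n):
            for end in range(start + MIN_WORD_LEN, n + 1):
                candidate = reading[start:end]
                if candidate in wordlist:
                    found.add(candidate)
    return sorted(found)


def check_password(password: str) -> List[str]:
    """Reasons the password fails the (assumed) rules; empty list means it passes.

    The composition rules here are an illustrative policy, not the post's.
    """
    reasons: List[str] = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        reasons.append("no upper-case letter")
    if not any(c.islower() for c in password):
        reasons.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        reasons.append("no digit")
    if not any(not c.isalnum() for c in password):
        reasons.append("no special character")
    for word in dictionary_words_in(password):
        reasons.append(f"contains dictionary word '{word}' once substitutions are undone")
    return reasons


if __name__ == "__main__":
    # "Ab#14LL3q" is a constructed stand-in for the irate user's ***14LL3*.
    for candidate in ["Pr1c3le$$", "Ab#14LL3q", "Qu1nd4r!9", "Xq7#mZ2p"]:
        problems = check_password(candidate)
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```

Run it on Pr1c3le$$ and it reports priceless; on a password containing 14LL3 it reports all, which is the reason our button never bothers to give. Note the ambiguity handling: because 1 can stand for either l or i, every reading is tried, so Qu1nd4r!9 is still caught as QUINDAR.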
To spoof the Cisco ads: I am more than an admin. I am a Scrabble player. I am a blogger. I am an online denizen. I know the odd words. I know letter combinations that are unnatural. I am not afraid to speak electronically in front of many people and explain computing. I know the tricks that ScRiPtKiDdIeS and H4x0Rz use. I know L0phtCrack is not a designer drug. I am more than an admin.
And yes, I'm enjoying the moment. Tomorrow I have to face a pouting printer that won't accept any print jobs. My guess is that the printer is having a career crisis and it just needs a little counseling... I'm bringing my Sage Smudge sticks.
Posted by BlueWolf on June 23, 2004 09:49 PM