Blog of a Long Distance Worker Tech

The blog about mobile tech

Password Management – Epilogue

It has been a little over a week now since the Twitter password hack, which we now know to have been a hack allowed by a design flaw in the authentication system they use, combined with human factors. A standard dictionary attack was used with a list of known words (combined with one or two digits) to gain access blindly to a system administrator account on Twitter. This was a further confirmation that having a password strategy as I described last week is a damned fine idea, particularly with online services which, unknown to you, may have the same flaw – a susceptibility to dictionary password attacks. Remember, not words…

Password Management

The recent Twitter hacks and the password change that ensued brought to mind approaches that are followed for password management. Now please forgive the heresies I am about to commit.

The standard approach to password management is to have a complex and different password per service and change it often… like once a month. This turns into a complete nightmare today with the growth of the cloud and online services. Even the least evangelical technology user has got to have more than 10 different logon credentials, and to be honest I bet that almost all have a single password for every single one of them… except where technology forces a difference, such as differing reset periods and different formats (some allow four characters, some require eight, some need upper and lower case with numbers etc). Of course you can keep an account/password list protected by yet another password, but that just staves off the problem. What about OpenID and other single sign-on technologies? Nope, that is not working either, as there are still too many different systems in use.

So what is better? And this is where I am going to commit the second heresy.

Firstly, a word about the passwords themselves – they just have to not be words, and be made up from a pool of characters that is sufficiently big to make them hard to guess. All this numbers and symbols stuff that you see from people is not always required to do this – heresy number one. I find a good way is to make up the password from a set of syllables, which makes it easier to remember, because writing passwords down is both a pain and a major risk – for example:

tor – ver – nop

Anyway, to reduce complexity, the better approach is to simplify your account/password usage and do a bit of risk and impact assessment as well, setting one password each for low, medium and high impact/risk services. So what do I mean exactly?

First create the Low Risk one – the one you shall use for all services that you have to register with but that are not a real-life problem if they get hacked. These are things that do not involve money, that are just for storing preferences or similar. This password never changes unless you feel the need to. This should work for 80% of all web site access in my view. Making it around 7 to 8 characters with an optional single number (for those sites that do insist) is what you need.

Next create the Medium Risk one, for those sites that involve some risk to your financial or reputational well-being – a much smaller number of sites, probably the next 19% of them. This password, being less trafficked, becomes more secure, and you can also decide how often you want to change this one. Changing it on a small number of sites is so much less of a chore, and I do recommend a minimum period of one month and a maximum of three months.

Next create the High Risk one, for those sites that involve major risk to your financial or reputational well-being, the final 1% of all the sites you visit that require authentication. This password, being seriously less trafficked, is also then more secure and easy to change often (probably monthly). Also, in the event of a breach or accident, you can change passwords quite rapidly for this small number of sites.

Of course, you also have the seriously High Risk sites – these will still require a unique password and are such things as banking, company network access or even the main logon that your home router uses with your Internet service. To be honest, most of these will have another control involved, such as a hardware logon device – or at least I hope so.

You will need to always assess each new service for financial or functional impact, or reputational well-being, to decide which password to use, but in the end you will end up with a small number of passwords to go with the user account names for each service. In fact, you could end up with two active passwords for 99% of all your Internet usage, and feel reasonably safe. Remember, not everyone has to live in Fort Knox, you only have to leave your gold in there. What do you think?
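To put some numbers behind the "not words" point, here is an added example (mine, not from this blog) that compares the guess space of a word-plus-digits password like the one used against Twitter with the syllable-built style suggested above, builds such a password with the OS random source, and checks whether a given password is just a listed word with digits tacked on. The word-list size and the consonant/vowel pools are assumptions chosen for illustration, and it also shows the caveat that a syllable pattern the attacker knows about is weaker than the same number of uniformly random letters.

```python
import math
import re
import secrets

# Assumptions for the estimate (constructed, not measured): the attacker's
# word list size, and the consonant/vowel pools used to build syllables.
DICTIONARY_WORDS = 100_000
CONSONANTS = "bcdfghjklmnprstvwz"   # 18 letters
VOWELS = "aeiou"                    # 5 letters

# Tiny constructed word list standing in for a real dictionary.
SAMPLE_WORDS = {"password", "twitter", "happiness", "monkey"}


def bits_word_plus_digits(words=DICTIONARY_WORDS):
    """Guess space (bits) for 'known word + 0, 1 or 2 digits'."""
    return math.log2(words * (1 + 10 + 100))


def bits_syllables(n_syllables=3):
    """Guess space when the attacker knows the CVC syllable structure."""
    per_syllable = len(CONSONANTS) * len(VOWELS) * len(CONSONANTS)
    return n_syllables * math.log2(per_syllable)


def bits_uniform_lowercase(length):
    """Guess space for uniformly random lowercase letters of this length."""
    return length * math.log2(26)


def make_syllable_password(n_syllables=3, sep="-"):
    """Build a CVC-syllable password with the OS CSPRNG (e.g. tor-ver-nop)."""
    syllables = []
    for _ in range(n_syllables):
        syllables.append(secrets.choice(CONSONANTS)
                         + secrets.choice(VOWELS)
                         + secrets.choice(CONSONANTS))
    return sep.join(syllables)


def looks_like_word_plus_digits(password, words=SAMPLE_WORDS):
    """True if the password is just a listed word with up to two digits appended."""
    stem = re.sub(r"\d{0,2}$", "", password).lower()
    return stem in words


if __name__ == "__main__":
    print(f"word+digits : {bits_word_plus_digits():.1f} bits")
    print(f"3 syllables : {bits_syllables():.1f} bits")
    print(f"9 random lc : {bits_uniform_lowercase(9):.1f} bits")
    print("example     :", make_syllable_password())
```

Three CVC syllables come out at roughly 32 bits against about 23 bits for word-plus-digits, so the syllable style clearly beats the dictionary pattern, but nine truly random lowercase letters would give about 42 bits.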

Netbooks and the Long Distance Worker

Walt Mossberg of the Wall Street Journal has taken a look at several Netbooks and has posted a summary video as follows:

Walt pushes his review from the perspective that Netbooks are some sort of halfway house between Smartphones and standard Laptops. This may once have been the case when dealing with the little 7” EeePC 701, and it seems that much of his perspective comes from his review of that little device back in January 2008. I purchased the EeePC 701 and used it as a web/email device, and did find the small screen, lack of storage and slightly limited performance a problem, but the 2nd generation EeePC 90x, Acer and MSI Wind products have resolved those issues.

Earlier in the year, I moved my primary laptop over to the Advent 4211, an OEM branded MSI Wind U100. This has sufficient performance (Intel Atom 1.6GHz), storage (80GB HD) and screen size (10” 1024×600) for my needs, which are largely email (Outlook), Office applications, project planning, blogging, IPTV video playback and messaging – everything, in fact, except playing games. The only issue that arose was battery life: for cost and supply reasons, the battery was limited to a 2200mAh one which provided a little over 2 hours of use. This, however, was solved by adding the 4400mAh 6-cell battery, which cost less than £50, although I would have much preferred it to have been included from the start. This provides over 4 hours of use and is certainly the longest-running laptop that I have ever owned.

This is all in addition to having a Windows Mobile 6.0 Smartphone which allows email on the go (I use the HTC S710 Vox) but in no way replaces having a full PC. Even if I had the famed Apple iPhone, I would not see that replacing the Netbook as my workhorse device, as it simply does not have the power, keyboard and application capability of a full OS based device. All the same, an interesting view, and I look forward to the 3rd generation Netbooks that are now becoming available and make use of onboard 3/3.5G communication devices.