Shostack + Friends Blog Archive

Obscenities in Passwords

El Reg reports, in “Pipex invites customer to get ‘c**ted’”, that the passwords the Pipex system generated and suggested to a customer contained a rude word. A screenshot is available in the Register article.

There is, however, a second obscenity here that is far more subtle.

That obscenity is in the password selection advice and suggestions. The advice is:

We highly recommend you include at least one of each of the following to make your password more secure:

  • A capital letter
  • A lowercase letter
  • A number

In case you’re having trouble thinking of a new password, here are three that might be suitable.

Of course there’s the amusement factor of the rude one being described as “might be suitable.” I will note that ages ago when the world was young, some operating systems allowed vetting of generated passwords to avoid precisely this issue.

But that brings us to the two obscenities in the three suggested passwords. As you, Clever Reader, have no doubt already noticed, all three of the suggestions are eight-character passwords that are a capital letter followed by six lowercase letters followed by a digit.

Naïvely, they thought this would be more secure than all lowercase. However, there are 80,318,101,760 possible passwords under their scheme, and 208,827,064,576 if you just use eight lowercase letters. The latter is 2.6 times the former.

In case you’re bored with math: eight lowercase letters give 26^8 total possibilities. In Pipex’s scheme, you are trading 26 lowercase possibilities for 26 uppercase possibilities in the first character, so there’s no actual improvement there. Combine this with replacing 26 lowercase possibilities with 10 digit possibilities in the last character, and you have 26^7 * 10. Dividing them out, a lot of 26s cancel, leaving a ratio of 26/10, or 2.6. (If you are not only bored with math but bored with people explaining math, skip this paragraph.)

Here, then, is the second obscenity. Pipex customers are less secure for taking Pipex’s advice.

This is also the problem with trying to increase the number of characters people use in a password. If you tell them to use a capital letter, they will capitalize the first one. If you tell them to use a digit, it will usually be the last character and usually be a 1. If it’s not a 1, it’ll be (ooo, this is so cool) “4u” or equivalent.

In short, when you convince people to stop using their dog’s name, at best they move from “fluffy” to “Fluffy14me”.
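As an added example, not code from the original post, the following Python carries the keyspace arithmetic from the paragraphs above through a general positional template (Pipex’s ‘Ulllllld’ is one instance) and then applies the same arithmetic to the “Fluffy14me”-style template people drift into when told to add a capital and a digit. The 33-symbol ‘s’ class for punctuation and the PREDICTABLE regex are assumptions of this example, not values from the post.

```python
import math
import re

# Class symbols and sizes. U/l/d are the three classes the article counts;
# 's' (the 33 other printable ASCII characters) is an assumption added here.
CLASS_SIZES = {"U": 26, "l": 26, "d": 10, "s": 33}

# The template the article says people fall into when told to add a capital
# and a digit: optional capital first, lowercase body, digits only at the end.
PREDICTABLE = re.compile(r"[A-Z]?[a-z]+[0-9]*")


def pattern_of(password: str) -> str:
    """Map each character to its class symbol, e.g. 'Fluffy14me' -> 'Ulllllddll'."""
    out = []
    for ch in password:
        if ch.isupper():
            out.append("U")
        elif ch.islower():
            out.append("l")
        elif ch.isdigit():
            out.append("d")
        else:
            out.append("s")
    return "".join(out)


def pattern_keyspace(pattern: str) -> int:
    """Passwords matching a positional template: the product of the class sizes."""
    n = 1
    for sym in pattern:
        n *= CLASS_SIZES[sym]
    return n


def free_keyspace(alphabet_size: int, length: int) -> int:
    """Passwords of this length when every position may hold any of the symbols."""
    return alphabet_size ** length


def assess(password: str) -> dict:
    """Effective search space of the template a password follows, in bits,
    next to the nominal 62-symbol space its length would suggest."""
    pat = pattern_of(password)
    return {
        "pattern": pat,
        "effective_bits": round(math.log2(pattern_keyspace(pat)), 1),
        "nominal_bits": round(math.log2(free_keyspace(62, len(password))), 1),
        "predictable_template": PREDICTABLE.fullmatch(password) is not None,
    }
```

For a password-strength meter or audit, the gap between effective_bits and nominal_bits is the cost of the template, and the predictable_template flag catches exactly the “capital first, digit last” habit the post describes.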

Photo “#26 Power street” by jnoc.

One comment on "Obscenities in Passwords"

  • David Brodbeck says:

    I think this is a case of advice being parroted so many times that the original reason for it has been forgotten. Originally, the reason for telling people to include a digit or punctuation mark in their password (and other “password complexity” rules of this ilk) was to ensure they wouldn’t use a simple dictionary word. The set of English words is much smaller than the set of random strings containing letters and numbers, and many an automated tool has broken into accounts by simple naive guessing of words from a dictionary. As you point out, though, this doesn’t help at all if you’re randomly generating the password to begin with.
