Choosing The Right Password

March 22nd, 2008

American Express is one of the major global financial service providers and is best known for its credit card and traveler’s cheque businesses. Naturally, I was shocked to learn that the 74th largest company (Fortune 500, 2007) has such poor focus on enhancing user security for its financial account portal.

The AMEX website only permits passwords of at most 8 characters, with no non-alphanumeric characters supported. This is very strange for a corporation the size of American Express, and especially so for a financial services company. I figure that with these constraints, any password set up on the AMEX site will only qualify as having “weak” strength.

However, I’m sure most people would not even encounter these constraints while selecting their passwords. In a study on password security conducted with undergraduate and graduate students, over half of reporting users (52.70%) said they never change their passwords unless the system requires it. The numbers drop as the change frequency increases: only about 12% of users change their password every three months.

Furthermore, users have been observed to follow some common practices when choosing a password. Most use only a combination of lower case letters and numbers, where the number is usually a personally meaningful one (such as a birth date or phone number). Over half of all users also reported using the same password for multiple accounts (around 33% use some variation of the password).

With most websites (AMEX, for example) not enforcing stricter rules for generating passwords, user tendencies are not going to change much. Passwords are generally considered a fairly basic form of security in themselves, so one should be very careful to select a password that appears as random as possible to a potential intruder.

Password strength is the amount of security that a password can provide against password-guessing attacks, and is measured in bits of entropy.

Common guidelines for choosing good passwords, as listed on Wikipedia, are:

* Include numbers, punctuation, and upper and lower case letters
* Use passwords with at least 8 characters
* Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, or biographical information like names or dates.
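As an added example (not part of the original post), the following Python computes the entropy upper bound that the definition above describes and checks a password against the three Wikipedia guidelines just listed. The word list and the sample passwords are constructed for illustration, and a real deployment would load a full cracking wordlist instead. Under the AMEX limits described earlier (8 alphanumeric characters, no punctuation) even a perfectly random password tops out near 47.6 bits, which the entropy function makes visible.

```python
import math
import re
import string

# Constructed stand-in for a real dictionary / cracking wordlist (assumption:
# a deployment would load a full wordlist instead of this handful).
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "football"}


def charset_size(pw: str) -> int:
    """Size of the standard character pools that together cover every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on strength: length * log2(pool size), which assumes every character
    was drawn uniformly at random. User-chosen passwords are far below this bound."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def has_repetition(pw: str) -> bool:
    """A run of three or more identical characters, or one unit repeated ('abab')."""
    if re.search(r"(.)\1{2,}", pw):
        return True
    for n in range(1, len(pw) // 2 + 1):
        if len(pw) % n == 0 and pw[:n] * (len(pw) // n) == pw:
            return True
    return False


def has_sequence(pw: str, run: int = 4) -> bool:
    """`run` or more characters stepping +1 or -1 in code point: 'abcd', '4321'."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def check_password(pw: str, biographical=()) -> list:
    """Return the list of guideline violations; an empty list means the password passed.
    `biographical` holds strings such as the username or birth year to reject."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = (
        ("lower case letter", str.islower),
        ("upper case letter", str.isupper),
        ("number", str.isdigit),
        ("punctuation", lambda c: c in string.punctuation),
    )
    for name, pred in classes:
        if not any(pred(c) for c in pw):
            problems.append(f"no {name}")
    if has_repetition(pw):
        problems.append("repetition")
    if has_sequence(pw):
        problems.append("letter or number sequence")
    # Dictionary words: any alphabetic run of four or more letters that is in the list
    for word in re.findall(r"[a-z]{4,}", pw.lower()):
        if word in COMMON_WORDS:
            problems.append(f"dictionary word '{word}'")
    for item in biographical:
        if item and item.lower() in pw.lower():
            problems.append(f"biographical information '{item}'")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; the last one is within the AMEX limits described above
    for pw in ("password1", "jsmith2008!", "Kq7#mZ2!vR9$", "Ab3Cd4Ef"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits max, "
              f"problems={check_password(pw, biographical=('jsmith', '2008'))}")
```

The entropy figure is only a ceiling: a password built from a birth date and a pet's name may pass the character-class checks and still fall quickly to a guesser that tries exactly those patterns first, which is why the guideline checks and the entropy bound are reported together.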

Wikipedia also lists some examples of weak and strong passwords (which are probably already included in password-cracking databases, so please don’t choose one of them for your own).

General alertness is also of extreme importance while using online portals, as even the strongest passwords are of no use when it comes to protecting users against certain forms of attacks like phishing or keystroke logging.
