You might be thinking to yourself, "I already know how to generate a secure password. This is too basic to be reviewing with technical people like me." A couple of years ago I might have thought the very same thing.

I was instructing clients on generating passwords, had a password policy internally for my team and was almost certain that passwords weren’t really a big concern for me or my MSP.

Then came a password reset. Like many of you who are too busy to notice that a password is about to expire, I occasionally forgot to change mine while working in my MSP and often had to call the help desk for a generated password so that I could hurriedly connect to my accounts and start my day.

The passwords generated were often random and relatively secure—at least secure enough for me to log in and change within 10 minutes of receiving it.

But what I found as I called in repeatedly over months and years was that occasionally I would get hold of a technician who seemed to give out an easy password that they had been using for every single user password reset since starting at my company!

Why am I bringing this up today?

I just called in to reset one of my passwords this morning and again encountered the weak generated password!

When I called in, a very friendly guy answered the phone and was able to help me on the spot (I greatly appreciated this!). But when it came time to reset my password, I nearly spat out my sip of coffee when I heard the password spelled out.

Welcome!

Yes, I did recognize the password as something on the top 10 or 20 most-used password list. And yes, I was completely shocked that this password was being used (and when pressed, the tech admitted that he had been using passwords like Welcome1! for all of his password resets).

Why in the heck was this guy giving me such an easy to crack password?

In his mind, the more complicated the password, the harder it would be to communicate over the phone. He also assumed that I would simply change the password myself immediately after logging in with it.

The other reason he preferred easier passwords? Password generation is hard. It’s hard to come up with new phrases and it’s hard on the users to record and verify that they’ve perfectly recorded every character, capitalization and symbol. Easy passwords make for easier work on the front end of resetting user credentials.

What this tech didn't realize is that with busy users, getting them to change their password after a reset might be harder than he'd imagine. Some executives I work with in healthcare hardly have time to make the call for a password reset, let alone make sure their password is changed a second time after calling in to get one reset.

More likely than not, they will stick to what they were given—with the best intentions to reset or change it later (or not).

We all have requirements for passwords—upper and lowercase letters, numeric, symbol. But how can we make an easy strong password?

The latest password guessing software is far more sophisticated than simply guessing at random. It works from lists of millions of leaked password phrases (like Welc0me1!) and from the patterns people habitually use in passwords. Regardless of capitalization, any 'expected' password (even one where a letter or two are exchanged for numbers) is going to be cracked. And if your techs are sharing these passwords with executives or busy users unwilling to change them, you've just opened a door into their network (and maybe yours!).
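To make the point concrete from the defender's side, here is an added example (not code from the original post) of a help-desk policy check that applies the same normalization a rule-based cracker applies: it lowercases the candidate, strips trailing digits and symbols, and undoes common letter-for-number substitutions before comparing against a blocklist. The blocklist here is a constructed handful of base words, not a real leaked list; a real check would load a large published list and enumerate far more substitution variants.

```python
import re

# Constructed sample of "expected" base words; a real blocklist would be
# loaded from a large published leaked-password list.
COMMON_BASES = {"welcome", "password", "letmein", "summer", "changeme", "qwerty"}

# Substitutions a cracker's rule set undoes before comparing against its list.
# Only one mapping per character is shown; real rule sets try several.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def normalize(password: str) -> str:
    """Collapse a password to the base word a wordlist attack would match it on."""
    base = password.lower()
    base = re.sub(r"[^a-z0-9@$]+$", "", base)  # drop trailing "!", "1!", "2024!" suffixes
    base = re.sub(r"^[^a-z@$]+", "", base)     # drop leading symbols/digits
    base = re.sub(r"[0-9]+$", "", base)        # drop the trailing counter ("1", "123")
    return base.translate(LEET_MAP)            # Welc0me -> welcome, P@ssw0rd -> password


def is_expected_password(password: str) -> bool:
    """True when the password is just a blocklisted word dressed up with case,
    number substitutions or a trailing counter/symbol."""
    return normalize(password) in COMMON_BASES


if __name__ == "__main__":
    for pw in ["Welcome1!", "Welc0me1!", "P@ssw0rd", "Summer2024!", "xK9#vRq2"]:
        print(f"{pw:14} expected={is_expected_password(pw)}")
```

Every password a technician hands out over the phone should fail this check before it is read to the caller; the last sample above, a random string, passes because it does not collapse to any listed base word.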

One of the greatest strengths of a password comes from variety—there are 47 keys on a standard US keyboard, each producing two characters usable in a password. The more variety (especially from the more obscure corners of the keyboard), the less guessable the password.

Another strength of a password comes from its length—as probability theory reminds us, every additional character multiplies the amount of work a password guesser must do to break it. A three character password made up of the English alphabet would take just over 140,000 tries to crack. Eight characters drawn from the full 94 character keyboard lead to 722 quadrillion (a quadrillion being 1,000 trillion) guesses.

While we can certainly get into using passphrases and other password tricks to creating passwords, the easiest way to generate strong passwords on the fly is through a password generator.

A few tricks:

  1. Limit characters that are hard to read—as you know, several keyboard characters are hard to distinguish when read aloud. For instance, the lowercase L and the digit 1 are often hard to tell apart, and the letter O and zero are equally hard. Most password generating software allows you to exclude hard-to-read characters when generating your strong password.
  2. Set standard lengths for user reset passwords—make sure that everyone on your team uses a minimum number of characters when they generate passwords, so that the passwords are hard to guess.
  3. Confirm identities when someone calls in for a password—I know this is not about password generation itself, but validating a person's identity by verifying information or calling them back on a known phone number is a good way to ensure you are legitimately resetting passwords.
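The first two tricks, together with the keyspace arithmetic from the length paragraph above, fit in one small reset-password generator. This is an added example, not code from the original post or from any particular password tool: it excludes the look-alike characters named above, enforces a team-wide minimum length (16 here, an assumed policy value), draws from the OS random source via `secrets` rather than `random`, and reports the keyspace and entropy of what it produces. The `keyspace` function is also run on the two cases from the length paragraph (52 letters at length 3, 94 keyboard characters at length 8).

```python
import math
import secrets
import string

# Characters that are easy to misread when spoken or copied by hand:
# lowercase L, uppercase I, digit 1, uppercase O, digit 0, and the pipe.
AMBIGUOUS = set("lI1O0|")

LOWER = [c for c in string.ascii_lowercase if c not in AMBIGUOUS]
UPPER = [c for c in string.ascii_uppercase if c not in AMBIGUOUS]
DIGITS = [c for c in string.digits if c not in AMBIGUOUS]
SYMBOLS = list("!#$%&*+-=?@^_~")  # readable subset of punctuation; assumed choice
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 25 + 24 + 8 + 14 = 71 characters

MIN_LENGTH = 16  # assumed team-wide floor for help-desk reset passwords


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of that shape."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """Check the usual policy: lower, upper, digit and symbol all present."""
    return (any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SYMBOLS for c in password))


def generate_reset_password(length: int = MIN_LENGTH) -> str:
    """Generate a reset password from the unambiguous alphabet.

    Rejection sampling keeps every accepted password uniformly distributed
    over the set of strings that satisfy the class rule.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"reset passwords must be at least {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    print("letters only, length 3:", keyspace(52, 3))
    print("full keyboard, length 8:", keyspace(94, 8))
    pw = generate_reset_password()
    print("reset password:", pw)
    print(f"keyspace {keyspace(len(ALPHABET), len(pw)):.3e}, "
          f"entropy {entropy_bits(len(ALPHABET), len(pw)):.1f} bits")
```

Run as a script it prints 140608 for the three-letter case and 6095689385410816 (about 6.1 quadrillion) for eight characters over the 94-character keyboard. Dropping six look-alike characters costs only about 0.4 bits per position, so a 16-character password from this 71-character alphabet still carries roughly 98 bits, far more than the 8-character full-keyboard password that users are so often handed over the phone.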

If you have any questions about passwords, password generation, or integrating a password generator into your password reset process, please let me know. While the concept of a secure password seems basic, it's an area that is often hard to get right, simply because we're all busy and have harder tickets to resolve.