By: John Sollars

Date: 8 June 2012

Passwords are hugely topical at the moment, of course, after hackers were alleged to have leaked more than six million LinkedIn members' password hashes (unsalted SHA-1, which is why so many of them were cracked within days). You might even have had to change yours as a result.

The truth is, we're over a decade into the 21st century and people STILL don't 'get' passwords. Online we're increasingly asked to invent arbitrary strings to order: "between 8 and 16 characters in length and containing at least one capital letter and one number". We've also got lazy.

Many users reuse the same password in multiple places, so a breach at any one of those sites exposes all the others. Not only that, but we also have a terrible habit of taking a dictionary word and swapping a few letters for numbers. "3lephanT", for example, would pass the rules of many services, but a cracking tool armed with a dictionary and a list of common substitutions tries exactly that pattern, and finds it in a fraction of a second.
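To show how little a substituted dictionary word buys you, here is a small rule-based cracker in the style of John the Ripper or hashcat. It is an added example, not code from the original article: the wordlist, substitution table, suffix list and the "leaked" hash are all constructed here, and the four case rules and four suffixes are a tiny subset of what a real rule set contains. The hash is unsalted SHA-1 only because that is what the LinkedIn dump used; the same search works against any fast unsalted hash.

```python
import hashlib
import itertools
import math

# Constructed stand-in for a real wordlist (a cracker would load hundreds of
# thousands of words from a file such as rockyou.txt).
WORDLIST = ["password", "elephant", "dragon", "monkey", "sunshine", "letmein"]

# Letter-for-digit substitutions that every rule set ships with.
SUBS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Typical suffixes appended to satisfy "must contain a number/symbol" rules.
SUFFIXES = ["", "1", "!", "123"]


def sha1_hex(text):
    """Unsalted SHA-1 hex digest, the scheme the leaked LinkedIn hashes used."""
    return hashlib.sha1(text.encode()).hexdigest()


def case_variants(word):
    """Four common capitalisation rules: as-is, Initial, UPPER, last-letteR."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[:-1] + word[-1].upper()


def leet_variants(word):
    """Every combination of applying or not applying each substitution."""
    positions = [i for i, ch in enumerate(word) if ch in SUBS]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for apply_sub, pos in zip(mask, positions):
            if apply_sub:
                chars[pos] = SUBS[chars[pos]]
        yield "".join(chars)


def candidates(wordlist=WORDLIST):
    """Generate the whole mangled search space, without duplicates."""
    seen = set()
    for base in wordlist:
        for cased in case_variants(base):
            for leet in leet_variants(cased):
                for suffix in SUFFIXES:
                    cand = leet + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def crack_sha1(target_hex, wordlist=WORDLIST):
    """Return (password, attempts), or (None, attempts) if the rules miss it."""
    attempts = 0
    for cand in candidates(wordlist):
        attempts += 1
        if sha1_hex(cand) == target_hex:
            return cand, attempts
    return None, attempts


def search_space_bits(wordlist=WORDLIST):
    """log2 of how many candidates the rules generate from the list."""
    return math.log2(sum(1 for _ in candidates(wordlist)))


if __name__ == "__main__":
    leaked = sha1_hex("3lephanT")  # constructed "leaked" hash for the demo
    pw, n = crack_sha1(leaked)
    print(f"recovered {pw!r} after {n} guesses")
    print(f"rule-based space from this list: {search_space_bits():.1f} bits, "
          f"vs {8 * math.log2(62):.1f} bits for a random 8-character alphanumeric")
```

The point the numbers make: the attacker never searches the 62^8 space the "8 characters, mixed case, a digit" rule suggests. They search (dictionary size) x (number of rules), which for a 100,000-word list and a thousand rules is about 10^8 guesses, a few seconds' work against an unsalted hash on one GPU.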

The alternatives to DIY

The common alternative to letting users make up their own code is to assign one to them. This solution, while much better than letting people invent their own password, creates its own problems. People underestimate their ability to remember a random password and, fearing being locked out, write it down somewhere. We all know how insecure this is, so how do we introduce a better system?

Try talking to your employees; educate them on the implications for the business of insecure logins. Then together, come up with a workable solution.

You can use security software that includes a cloud password vault, or use a dedicated password manager: LastPass keeps the encrypted vault in the cloud, while KeePass keeps it in a local encrypted database file that you control. Both will generate strong, random passwords for you.

Another option is to encourage the storage of passwords in a physical form; the challenge is to do so securely. This could be as simple as locking a notebook of important passwords in a safe, or as elaborate as a system whereby passwords are hidden as innocent-looking notations in a dictionary or other book. For example, to keep tabs on my StartUp Donut password I noted down either a reminder, or the password itself, in or around "doughnut" in my Oxford English Dictionary. You can take this idea further by introducing ciphers, choosing passwords based on words in the surrounding text, or choosing a word that's not directly associated with the subject matter. Bear in mind that any such scheme rests on obscurity alone: it protects you only for as long as whoever finds the book cannot work out the rule.

Or you could stick with nonsense passwords but encourage your employees to take care in selecting and remembering them. Often a phrase can be reduced to its initials and remembered without too much hassle (or the reverse: a mnemonic can turn a forgettable jumble into a memorable sentence).

Perhaps security would be better served by encouraging longer chains of words, rather than insisting on a hybrid string of characters. The XKCD "Password Strength" comic was intended as a joke, but it illustrates the point clearly: a few common words picked at random are both easier to remember and harder to guess than a mangled dictionary word.
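The arithmetic behind that claim, as an added example rather than anything from the original post. The word list is constructed and far too short for real use (only its size matters to the entropy figures); the dictionary and rule-count figures used for comparison are assumptions about a typical cracking setup, not measurements from any particular leak.

```python
import math
import secrets

# Constructed toy word list. A real generator uses a published list such as the
# 7,776-word Diceware list; the entropy depends only on the list's SIZE and on
# the words being chosen uniformly at random, not on which words they are.
WORDS = ["correct", "horse", "battery", "staple", "doughnut", "printer",
         "ink", "toner", "cartridge", "startup", "ledger", "invoice"]


def bits_for_words(n_words, list_size):
    """Entropy of n words drawn uniformly at random from a list of list_size."""
    return n_words * math.log2(list_size)


def bits_for_mangled_word(dict_size, rule_count):
    """Entropy of the '3lephanT' pattern: a dictionary word plus one mangling
    rule. The attacker tries every (word, rule) pair, so that product is the
    whole search space, however many capitals and digits the result contains."""
    return math.log2(dict_size * rule_count)


def bits_for_random_chars(length, alphabet_size):
    """Entropy of a truly random string, e.g. a password-manager output."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size):
    """Smallest word count that reaches target_bits from a list of list_size."""
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(n_words=4, words=WORDS, sep=" "):
    """Pick words with the secrets module: random.choice is seeded from
    predictable state and must never be used to choose a password."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    # Assumed attacker model: 100,000-word dictionary, 1,000 mangling rules.
    print(f"dictionary word + substitutions : {bits_for_mangled_word(100_000, 1_000):5.1f} bits")
    print(f"8 random alphanumeric characters : {bits_for_random_chars(8, 62):5.1f} bits")
    print(f"4 words from a 7,776-word list   : {bits_for_words(4, 7_776):5.1f} bits")
    print(f"words needed for 80 bits         : {words_needed(80, 7_776)}")
    print(f"example from the toy list        : {passphrase()!r}")
```

Two caveats a practitioner would add. The word-chain figure only holds when the words are chosen by a random process; a phrase the user thinks up ("my dog is called rex") is drawn from a far smaller, very non-uniform space and should be scored like a dictionary attack, not like a passphrase. And entropy is a property of the policy, not of any one string: "3lephanT" and "x7Kq2pLm" are both eight characters, but one of them lies in a space of 10^8 guesses and the other in one of 62^8.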

If you're really interested in this subject there are a couple of articles worth reading. The first is Joseph Bonneau's recent study 'The science of guessing', which analyses the (anonymised) passwords of 70 million people and draws some interesting conclusions. Fareez Ahamed, meanwhile, has delved into some of the leaked Twitter passwords and provides an insightful statistical analysis of his findings.

If you've found an effective way of keeping logins safe, then please leave a comment.

John Sollars is MD of printer ink retailer

