Security Manager's Journal: Thinking about passwords

The passwords most people choose could be stronger, but providers need to make it easier to create really strong passphrases

Lately, I've been thinking a lot about passwords. Several of my friends and colleagues have had personal passwords stolen somehow, and their email accounts were broken into. For some reason I can't understand, the password thieves have used the stolen email accounts only to send links to malicious websites to various people on the victims' contact lists. Seems to me they could do a lot more damage. After all, isn't it kind of obvious that a friend's email account has been hacked when you receive a message from his address that contains nothing more than a seemingly random URL?

In any case, these account takeovers have led me to wonder how the passwords are getting stolen. At first, I assumed the victims chose easy-to-guess passwords (like a variation of their account name, or the word "password," or something simple like "letmein"). But as these account takeovers have occurred more frequently, I've questioned my acquaintances about their passwords. Most have assured me that they chose complex passwords. So what else could be happening? I suppose keyloggers are not out of the question, but the people I asked told me they run current antivirus software and keep their applications up to date. Perhaps the attackers are going after the password databases directly. But we're talking about major email service providers, along with other well-known places like Facebook. Could all of those providers have been breached and their password databases stolen? Or maybe the attacks are against the password reset mechanisms. Who knows?

The only thing I know for sure is that passwords are being stolen, somehow. And the victims come to me for advice, regardless of whether they are friends and family or professional colleagues. What can I tell them?

The best advice I can come up with is to choose longer passwords. The longer, the better. I tell people to pick two or more words and string them together, preferably with a number or punctuation mark in between. This is commonly referred to as a passphrase, rather than a password (to distinguish the technique by its length). Time will tell how well this technique foils the attackers.

Frustratingly, I've found that my own webmail provider won't take a password longer than 15 characters, and my in-home network equipment (made by a major manufacturer) can't take more than 12. That seems like a foolish limitation, and it constrains my ability to mandate longer passwords in the workplace. I'd like to make a security policy statement about making the minimum password length more than the age-old eight characters, but first I'll need to find out what each technology will support. I'd like to require passphrases of at least, say, 16 characters at my company, but I can't do it if the limitations of the authentication systems we use will make my policy unsupportable and unenforceable.
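To put numbers on the two points above (string random words together with a separator, then see what a provider's length cap does to that advice), here is an added example; it is not code from the column or from any vendor it mentions. It generates a passphrase with the OS secure random source, estimates the guessing entropy on the assumption that every word and separator is chosen uniformly at random (words a person picks from memory carry far less), and works out how many words of typical length survive a 15- or 12-character cap. The word list is a constructed stand-in; the 7776-word list size used for the estimate is an assumption borrowed from the usual diceware-style lists, and the 94-symbol alphabet stands for printable ASCII.

```python
"""Passphrase generation, entropy estimate and length-cap check.

Added example, not part of the original column. Word list and list sizes are
constructed/assumed for illustration."""
import math
import secrets
import string

# Constructed stand-in word list (16 entries -> 4 bits per uniformly chosen
# word). A real generator would use a large published list; only the list
# size matters for the entropy estimate below.
WORDS = ["anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
         "orchid", "pepper"]
# Digits plus a few punctuation marks, as the column suggests for joining words.
SEPARATORS = string.digits + "!#$%&*+-.?@_"   # 22 choices


def generate_passphrase(n_words, words=WORDS, separators=SEPARATORS):
    """Pick n_words uniformly (with replacement) and join each pair with an
    independently chosen separator. `secrets` is used rather than `random`
    so the output is not reproducible from a seed."""
    if n_words < 1:
        raise ValueError("need at least one word")
    picked = [secrets.choice(words) for _ in range(n_words)]
    phrase = picked[0]
    for word in picked[1:]:
        phrase += secrets.choice(separators) + word
    return phrase


def passphrase_entropy_bits(n_words, word_choices, separator_choices):
    """Bits of guessing entropy when every word and separator is uniform.
    n_words words and n_words-1 separators are chosen independently."""
    return (n_words * math.log2(word_choices)
            + (n_words - 1) * math.log2(separator_choices))


def random_password_entropy_bits(length, alphabet_size=94):
    """Entropy of a fully random password over an alphabet (94 = printable ASCII)."""
    return length * math.log2(alphabet_size)


def words_allowed(max_len, avg_word_len):
    """Largest word count whose typical total length (words plus the
    separators between them) fits under a provider's maximum length.
    Solves n*avg + (n-1) <= max_len for integer n."""
    return int((max_len + 1) // (avg_word_len + 1))


def fits(passphrase, max_len):
    """True if a concrete passphrase would be accepted by a system with this cap."""
    return len(passphrase) <= max_len


def main():
    list_size, avg_len = 7776, 4.2   # assumed: a diceware-sized list, ~4.2 chars/word
    print("sample:", generate_passphrase(3))
    for n in (2, 3, 4, 5):
        bits = passphrase_entropy_bits(n, list_size, len(SEPARATORS))
        print(f"{n} random words + separators: {bits:5.1f} bits")
    print(f"8 random printable chars: {random_password_entropy_bits(8):5.1f} bits")
    # The caps from the column: 15 characters (webmail) and 12 (home router).
    for cap in (15, 12):
        n = words_allowed(cap, avg_len)
        bits = passphrase_entropy_bits(n, list_size, len(SEPARATORS))
        print(f"cap {cap}: about {n} words fit, roughly {bits:.1f} bits")


if __name__ == "__main__":
    main()
```

Running it shows the trade-off concretely: three uniformly chosen words from a 7776-word list with two random separators come to roughly 48 bits, on par with eight fully random printable characters, and a 12-character cap pushes that down to two words. The estimate is an upper bound; if the words are favourite nouns rather than random draws, the effective entropy is much lower, which is the caveat to keep in mind when recommending the technique.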

Like most people, I have dozens of passwords to keep track of. With all the thinking I've been doing lately about passwords, I've decided to change mine more frequently, use a different password for every service, and make them longer and more complex. I've started using a password manager to do this. It's the only way. The trade-off is that I have a single master password with access to all my accounts, but the benefit is "password agility" -- the ability to quickly change my passwords, and limit the damage caused by a single password theft (unless of course it's my master password that's stolen).

Replacing passwords entirely would be a better solution, but as far as I can tell, the practicality of alternative authentication methods is still off on the horizon. Smart cards, tokens, code generators, out-of-band authentication via smartphone, and biometrics all seem like good alternatives. I'm wondering how much longer it will be before the major technology vendors and service providers will support those and we can all look back on passwords as a bad memory from a distant past.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at
