WLAN WLAN everywhere, but not a one to click…

So I had a debate with my wife and father-in-law the other day. They insisted that his two-month-old HP laptop with Vista Home was broken. He had just started staying with us after being in the shoe-horned suburbs of Las Vegas for about a year (seriously, those houses are WAY too close). Anyway, it went something like this…

Me:       How is it broken?
Them:  We can’t get to the internet.
Me:       Well how do you usually get there?
Them:  We just “click on the internet”
Me:       Please show me.
Them:  “Double clicking on the Desktop Internet Explorer icon”
Me:        You need a connection to an ISP before IE will work.
InLaw:   I always have a connection to an ISP, I just have to boot.

At this point I understood what was confusing them, and it struck me as a scary thought. They were so used to the prevalence of unsecured wireless routers in suburbia that it made more sense to them that the laptop was broken than that there happened to be no wide-open wireless signal in range. It goes to show how accommodating Windows is when it detects a wireless LAN: it simply connects, so the user doesn't have to do anything but "click on the Internet."

   I hear the new routers are starting to ship with pre-shared keys already defined and "SecureEasySetup" technology, which is good; hopefully they are all WPA and not WEP, since a WEP key can be recovered from captured traffic in minutes. But that doesn't change the fact that there are tons of them already out there just waiting for someone to boot up. Now I'm going to surprise you and not go on a diatribe about why you should lock down your wireless router; isn't the fact that someone else is using your $40/month connection enough? Linksys has some Flash videos targeted at the average home user on how to set up WPA, MAC filtering, SSID broadcasting, etc.; here is a link. (Of those, WPA with a strong passphrase is the one that actually keeps people out; MAC filtering and a hidden SSID are bypassed by anyone who sniffs the air for a few minutes.) Remember, your security is your responsibility; in other words, you reap what you sow.

Password Length…

I really wish people would stop complaining about creating passwords. All it would take is a shift in thinking. If I may be so bold, consider this: your passwords are the most important thing standing between you and anyone, in any country, who wants to do anything you can do: read your email, access your files, move your money, etc. I submit that you should think of passwords as virtual keys to your house. Would you want anyone else to have the same key to your house as you? Probably not.

    Now to complexity. The most important thing when making passwords is length. Sometimes that is considered part of complexity, sometimes not, but in reality it trumps everything. By complexity I mean uppercase, lowercase, special characters, numbers, etc. For example, I'd rather have a 10-character alpha password than a 6-character alphanumeric password: 26^10 is about 2,500 times larger than 62^6. A SecurityFocus thread in August 2007 brings up some interesting mathematics involving the ancient (NT4 SP2) passfilt.dll that M$ stubbornly refuses to update, at least in a currently released OS (in Windows 2000 and later the same logic is the built-in "Password must meet complexity requirements" policy). This DLL creates the restriction that passwords must be at least 6 characters and contain 3 of 4 categories (upper, lower, number, special), among other things; M$ article here. The posters debate how these M$ restrictions may actually lower the number of passwords a cracker would have to try compared with having no requirements at all, since every password that uses only one or two categories is thrown out of the keyspace. While I don't feel comfortable, or motivated, to get into the mathematics, the point to remember is that length trumps any argument about variation of password makeup. That is not commonly accepted by the army of "pay me now" government regulation auditors, or even by many "old school" directory administrators, but I recommend concentrating on length rather than only on passfilt.dll restrictions. Unfortunately companies often need to be more concerned with those auditors' blessings than with InfoSec guys like me.

    The problem, in my opinion, is being blinded by the mathematics while ignoring common sense. Yes, a 6-character lowercase alpha password has 26^6 = 308,915,776 possible combinations, and since the account locks out after 3 failed attempts, someone guessing over the network will never get through them all. But you can manipulate statistics and mathematics to prove many falsehoods; did you know 4 out of 5 people think the fifth one is an idiot? :-) My point is that malicious users love administrators and auditors who believe such logic, because they are forgetting about the weakest link in the InfoSec world: the average user (no offense). Such logic does not apply to them, because it assumes a completely random 6-character password, whereas users will pick anything but. Can you say 123456? "That's amazing! I've got the same combination on my luggage!" And the lockout only protects against online guessing anyway; anyone who has captured the password hashes can try all 308 million offline with no lockout at all.

So longer is better. The next time you have to change your password, try something like this: "Wow, I loved going to Pacific Beach that 1 time". That is 47 characters, it still satisfies the 3-of-4 rule (upper, lower, a digit and punctuation) so the auditors stay happy, and on Windows anything past 14 characters has a bonus: the weak LM hash cannot be stored for a password that long. You, your data, and your company's network will be MUCH better off.
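To put numbers on the two points above (the passfilt.dll-style rule shrinking the 6-character keyspace, and length beating category variety), here is an added example that is not part of the original post. It counts, by inclusion-exclusion, how many printable-ASCII passwords of a given length use at least N of the four categories, cross-checks that count by brute force on a tiny alphabet, and runs a 3-of-4 check over a few constructed sample passwords including the passphrase suggested above. The category sizes are the printable-ASCII counts; the rule is modelled from the description in the text, not taken from Microsoft's DLL, and the 30-minute lockout window in `online_years` is an assumed policy value.

```python
"""Keyspace arithmetic for the password-length argument (added example)."""
from itertools import combinations, product

# Printable ASCII (0x20-0x7E) split into the four passfilt.dll categories;
# 95 characters in total.  Space and punctuation count as "special".
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}


def _drawn_from(sizes, length):
    """Strings of `length` built only from the classes in `sizes`
    (using some or all of them)."""
    return sum(sizes.values()) ** length


def _using_exactly(sizes, length):
    """Strings that use every class in `sizes` and no other class,
    by inclusion-exclusion over the sub-subsets of `sizes`."""
    names = list(sizes)
    total = 0
    for k in range(len(names) + 1):
        for chosen in combinations(names, k):
            sign = -1 if (len(names) - k) % 2 else 1
            total += sign * _drawn_from({n: sizes[n] for n in chosen}, length)
    return total


def keyspace(length, min_classes=1, classes=CLASSES):
    """Number of strings of `length` that use at least `min_classes` of the
    given classes.  min_classes=1 means 'no composition rule at all'."""
    names = list(classes)
    return sum(
        _using_exactly({n: classes[n] for n in chosen}, length)
        for k in range(min_classes, len(names) + 1)
        for chosen in combinations(names, k)
    )


def keyspace_by_enumeration(length, min_classes, alphabets):
    """Same count by brute-force enumeration, for tiny alphabets only.
    `alphabets` maps class name -> the characters belonging to that class."""
    owner = {ch: name for name, chars in alphabets.items() for ch in chars}
    pool = "".join(alphabets.values())
    return sum(
        1
        for pw in product(pool, repeat=length)
        if len({owner[c] for c in pw}) >= min_classes
    )


def classes_used(password):
    """Which of the four classes a password actually contains."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("special")  # space and punctuation land here
    return found


def meets_rule(password, min_length=6, min_classes=3):
    """The passfilt.dll-style check as the text describes it."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


def online_years(keyspace_size, attempts_per_lockout=3, lockout_minutes=30):
    """Years needed to walk half the keyspace when an attacker gets
    `attempts_per_lockout` online guesses every `lockout_minutes`.
    The 30-minute lockout is an assumed policy value, not from the text."""
    per_day = attempts_per_lockout * (24 * 60 // lockout_minutes)
    return keyspace_size / 2 / per_day / 365


if __name__ == "__main__":
    six_lower = keyspace(6, 1, {"lower": 26})   # the 26**6 case from the text
    six_rule = keyspace(6, 3)                   # 6 chars under the 3-of-4 rule
    six_free = keyspace(6, 1)                   # 6 chars, no rule: 95**6
    ten_lower = keyspace(10, 1, {"lower": 26})  # 26**10
    print(f"6 lowercase     : {six_lower:>20,}")
    print(f"6 chars, 3-of-4 : {six_rule:>20,} ({six_rule / six_free:.1%} of no-rule)")
    print(f"10 lowercase    : {ten_lower:>20,} ({ten_lower / six_rule:,.0f}x the 3-of-4 space)")
    print(f"online years vs 26^6 at 3 tries per lockout: {online_years(six_lower):,.0f}")
    # Constructed sample passwords: the rule passes the predictable one and
    # the passphrase alike; only the length tells them apart.
    for pw in ("123456", "Passw0rd", "Wow, I loved going to Pacific Beach that 1 time"):
        print(f"{pw!r:52} rule={meets_rule(pw)!s:5} len={len(pw)}")
```

Two things worth noticing when it runs: the 3-of-4 rule discards roughly 15% of the 6-character printable-ASCII keyspace (the SecurityFocus posters' point), and ten lowercase letters still give a keyspace more than two hundred times larger than six characters under that rule. The `online_years` figure is the lockout argument made explicit, and it says nothing about an attacker who holds the hashes.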