Cryptic Military Password Requirements

Just a few notes here for an unnamed (non-secret) military (ending with .mil) website. The sole idea of this post is to briefly articulate how "strong" of a security password is required, that is, until everything moves to requiring a physical, smart card + card reader.

(The following is not word for word, but just the general idea in my own words.)

Here's what is highly recommended (read: required) by the site:
- Up to 55 characters.
- Contain 2+ of each of the following
   - UPPERCASE letters
   - lowercase letters
   - symbols   - numbers
- NOT contain:
   - Any self-identifying information
   - Words that can be found in the dictionary (thus preventing dictionary attacks)
   - Common passwords, like "password", "654321", "abc", "qwerty", "asdfghjkl;'"

And, now the special considerations:
- Password lasts less than six months
- Can't reuse passwords
- Passwords must be significantly different from previously used ones

The above is all true.

Now, how does one remember this obfuscated password?

Well, one idea is to write it on a sticky note and put it on the computer. (Please don't do this). Another idea is to not remember the password and deal with possibly a weaker route of just knowing a few pieces of self-identifying information for a call or automatic password recovery system.
Two more bad ideas for remembering complicated passwords to a secure system:
- Using a third-party password solution
- Save in a plain text document
- Save in an encrypted document with the decryption key on the same machine

ps - Post purposely vague and without a final conclusion. It is my hopes that readers will find more reputable sources than a random blog on the Internet to read. Here's a good mostly-unbiased start: https://www.google.com/search?q=what's+a+safe+password

~ Danial Goodwin ~

pps - If you would like to know more about security for URLs, then check out my post from two years ago that still holds true today: http://blog.simplyadvanced.net/what-you-dont-know-about-urls-and-how-you-will-be-tricked/

No comments: