The Halfling-Dragon Principle of Password Creation | Tripwire

The Halfling-Dragon Principle of Password Creation

Posted on January 25, 2016
The Halfling-Dragon Principle of Password Creation
There’s an old principle in tabletop RPG (Role Playing Games) circles that goes something like this: If you find yourself in the company of a halfling and an ill-tempered dragon, remember that you do not have to outrun the dragon; you simply have to outrun the halfling. In the context of security and specifically password creation, this principle might be amended thusly: If you find yourself faced with password creation dialog, remember that you don’t have to make it more complex than what the miscreants can crack; you simply have to make it more complex than everyone else. I say this based on some distressing data points in the Passwords of 2015 [SplashData Blog via The Next Web]. “For three years running ‘123456’ has been the most popular found (and stolen) password on the Web followed, unsurprisingly, by ‘password.’” If we go back to 2008, do you know what the top two passwords were? I’ll give you three guesses, and the first two don’t count. Yup... ‘123456’ and ‘password’. For fun, I decided to hit Random-ize and see what they thought about the time it would take to crack these stunningly well-thought out passwords using fairly rudimentary brute-force algorithms. 123456? Less than a second. ‘password’? One whole minute and 13 seconds. Then I checked on my favorite password. (I will of course not share, but trust me, it contains an appropriate number of special characters and numbers.) The result? 57,337 years and 10 months. Another of my favorites? 1 day and ten hours. Either way, it seems to me I’m probably more than able to outrun the halfling who chose “password” to protect their personal and private information. I hope he tastes good with ketchup* cause the dragon is breathing down his neck. Why yes, that’s rather selfish, but I’m told breaking the fingers of people who create bad passwords isn’t an option. I’m just not sure what to do with these people any more short of refusing to create them an account if they try to use one of these ridiculously simple passwords. The password my 7-year old generated – on his own – contains no special characters at all. And yet according to Random-ize, his password would take 11 days and 8 hours to brute force. He’s seven, for crying out loud! So either SplashData’s demographics include a whole lot of young children or adults who don’t take the security of their personal data very seriously. I’m guessing it’s the latter. The problem is that we certainly can force people to create more complex passwords. We can put that halfling on a treadmill and condition him to run just as fast as we can, thus (hopefully) enabling us both to escape that ill-tempered dragon. But if you know anything about halflings, (You’ve seen LOTR at least, right?) then you know they aren’t exactly the “go to the gym every morning” kind of folk. They rail against it and they’re sneaking away. And when folks abandon account creation, the business starts looking seriously at reasons why. If it’s because the password creation rules are too strong—and they can tell because web analytics for marketing are very good about showing you at what point people abandon your site—you can bet they’re going to push back against it. And when the business stands up and demands a more relaxed policy, guess what IT does? We let the halfling skip the gym. I don’t know what else to do or say or suggest at this point. We’ve got nearly a decade of evidence that no matter how much we educate people, no matter how many accounts are hacked, regardless of how many technological safeguards we put in place, some people are still going to use ‘password’ as a password. It may be time (past time, perhaps), given the number of breaches and the increasing number of friends on Facebook that post “I’ve been hacked” messages, that “the business” re-evaluate its stance on allowing weak passwords at all. Because seriously, the fact that such simple passwords can be used points to a decision maker somewhere who decided to allow them in the first place. Yes, it can hurt conversion. Yes, it will initially lead to higher abandonment rates. But eventually, when everyone else in the adventuring party is at the gym, maybe the halfling will decide it’s worth it after all and at least make an attempt to improve the strength of their password. In the meantime, I guess there’s only one thing I can do, and that’s hit the gym and teach anyone who’ll listen how to outrun that dragon. *Yes, that’s another gaming reference, this time to a warning: “Do not meddle in the affairs of dragons for thou art crunchy and taste good with ketchup.”  
lorim-headdshot-2-120x120.jpg
About the Author: Lori MacVittie is responsible for evangelism across F5’s entire portfolio including a broad set of network and application security solutions. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine with a focus on applications and security. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!