
Overdoing Security

I was registering for the FAA MedXpress program today. This program allows pilots to submit their flight physicals online. Once you’ve registered, the FAA requires that you change your password. Here are the requirements for the new password:

You have accessed the FAA MedXPress site using a temporary password. You must change your password in order to continue.

Passwords must contain between 8 and 12 characters and include at least three of the following four character groups: English upper case characters (A through Z); English lower case characters (a through z); Numerals (0 through 9); Non-alphabetic characters (such as !, $, #, %). Passwords are case sensitive.
From FAA MedXPress Change Password
Referenced Mon May 07 2007 15:14:16 GMT-0600 (MDT)

This seems a little heavy. To be sure, there’s some very personal data stored on that form, but shouldn’t I be allowed to decide how secure I make it? I know… most people can’t make that determination well. But Google and others seem to have hit on a strategy of rating a password and telling you how good a password you’ve chosen. I’m curious how often people change bad passwords based on that feedback.

The problem with overdoing it here is that I’m not able to choose a password I’ll remember, or even use the password generator bookmarklet. So I’ll write it down, and that makes it less secure.

Posted by windley on May 7, 2007 3:19 PM


3 Comments

Comment from Eric Norman at May 7, 2007 5:08 PM

Steganography to the rescue!

Instead of writing it down, use something that's already written down. In this case, your pilot's license might be appropriate. Just come up with an easy-to-remember way of extracting password material from it. For instance, if you read the first letters of each word vertically, then the second letters, and so forth, you often come up with a sequence that appears random and also satisfies the password character set rules.

You might want to be a little more creative than that since the bad guys might read this comment.

Comment from William at May 8, 2007 11:14 AM

- this actually helps narrow the space required for password guessing algorithms

- channels an honest person's thoughts into tricks to generate passwords (using dictionary words but replacing the letter 'o' with the number '0' or throwing a single nonalphabetic character before or after said dictionary word)

- many people will write it down somewhere

- because of the complexity many people will decide to use the same password they use at another site (introducing a security dependency over which the FAA site has no control)

- with an increased likelihood that someone will forget the password - it makes a password reset scheme a necessity. The password reset scheme then becomes the weakest link, as it is potentially susceptible to social engineering (phone call/fax auth letter on 'letterhead'/etc.), further reduces the guess space (what is your birth date, mother's maiden name, high school, etc.), opens up susceptibility to email sniffing or compromised email account weaknesses depending on the process used to send the new password or reset link, etc.

Yeah, I forgot to mention that they asked me for four, count 'em, FOUR! security questions and answers to go with them.

I think the password reset process involves a complete physical. :-)
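As an added example (not from the post or any of the commenters), the Python below checks a password against the three-of-four rule quoted from MedXPress above and, by inclusion-exclusion, measures how much of the 8 to 12 character space the rule actually removes, which is the narrowing William's comment refers to. Treating "non-alphabetic characters" as ASCII punctuation is an assumption made here; the rule text does not define the group.

```python
import string
from itertools import combinations

# The four character groups named in the FAA MedXPress rule. Reading
# "non-alphabetic characters" as ASCII punctuation is an assumption.
GROUPS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
MIN_LEN, MAX_LEN, MIN_GROUPS = 8, 12, 3


def meets_faa_policy(password: str) -> bool:
    """Length 8-12 and at least three of the four groups present."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    used = sum(1 for chars in GROUPS.values() if any(c in chars for c in password))
    return used >= MIN_GROUPS


def count_using_at_least(length: int, sizes, k: int) -> int:
    """Count strings of `length` over the union of groups of the given sizes
    that draw from at least k distinct groups.

    For each subset S of groups, inclusion-exclusion over T within S counts the
    strings that use every group in S and nothing outside it; summing those
    counts over all S with |S| >= k gives the policy-compliant total.
    """
    n = len(sizes)
    total = 0
    for size_s in range(k, n + 1):
        for s in combinations(range(n), size_s):
            for size_t in range(size_s + 1):
                for t in combinations(s, size_t):
                    width = sum(sizes[i] for i in t)
                    total += (-1) ** (size_s - size_t) * width ** length
    return total


def compliant_fraction(length: int) -> float:
    """Share of all `length`-char strings over the 94 printable non-space
    ASCII characters that the three-of-four rule still admits."""
    sizes = tuple(len(g) for g in GROUPS.values())
    return count_using_at_least(length, sizes, MIN_GROUPS) / sum(sizes) ** length


if __name__ == "__main__":
    for pw in ("Medx2007!", "medxpress", "Mx1!"):  # constructed samples
        print(f"{pw!r}: {meets_faa_policy(pw)}")
    for n in range(MIN_LEN, MAX_LEN + 1):
        print(f"length {n}: rule keeps {compliant_fraction(n):.3%} of the space")
```

The fractions show the rule trims only a few percent of the raw space at each length; the real cost is the usability problem the post describes, not a meaningful gain against guessing.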
