AT&T has a new password policy that forbids the use of certain common words in passwords, including some words of a colorful nature.
Yes, it reduces the number of possible passwords, but that isn’t exactly a bad thing.
What they are attempting to do–and I’m not certain they’ve succeeded–is steer people away from a small number–say, a million or two–very common passwords. There are tens of millions of possible passwords that people won’t use unless forced. Attackers will try the easiest couple million passwords first, in futility. So while this doesn’t make AT&T passwords uncrackable, it makes them much more time consuming to crack.
The Federal Government and Department of Defense have similar policies. Have you noticed that it’s been two months since a Federal Reserve password file was stolen, and you haven’t seen a list of common Federal Reserve passwords yet? It’s going to be a much more difficult password list to crack than the e-commerce leaks of 2012 were.
If the government is smart, they’re revising the password policy now, or moving away from passwords entirely, because once that database does fall, it’s going to make getting into other government systems easier, since most Federal agencies have the same password requirements.
So, as strange as it feels to be defending AT&T, they’re on the right track here. Banning all single-word dictionary passwords would be even better, and banning the use of the most common words entirely–even as part of a password–would be better still, but the latter measure makes life more difficult on users, so they might not be willing to go that far.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.