This is a little like asking “how long is a piece of string”, except that in this case the string may already be a lot shorter than you imagined. Passwords are often the bane of the IT helpdesk.
The majority of support requests involve lost or compromised passwords. Automated password management systems go some way to alleviating the problem by allowing (or forcing) users to define new passwords with rules to make the passwords stronger.
IT systems can be set up to make passwords automatically expire after a given period. But there’s one problem that none of these solutions tackles.
The basic problem is that so many passwords are static. Even regular password changes result in yet another static password. Static passwords are eminently crackable. Increasing the frequency at which they are changed can reduce the risk that a hacker cracks them.
However, given that a cheap PC running a publicly available password cracking application can today attempt 8 million password combinations a second, it’s clear that risk rises rapidly with lengthening windows of static password validity.
So, is it enough to shrink the validity window to a point where any cracking attempt is likely to outlast the time available? In a sense, this is the idea behind dynamic passwords, which change every time a user logs into a system.
Such a dynamic or one-time password (OTP) can be generated in several ways, none of which involves any manual intervention by the user. The device the user uses to log in can negotiate the password with the server, using shared but secret information; a new password can be derived from the current date and time; and so on.
Each time, the password may only be valid for as little as 30 seconds, after which a new one will have to be generated, if the user has not already logged in. Added security and reliability are two of the advantages. Not to mention the elimination of passwords like “secret” or “123456” scribbled on sticky notes and stuck on users’ PC screens for all to see.
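The time-based scheme sketched above, where client and server derive the same short-lived code from a shared secret and the clock, is what RFC 6238 (TOTP) standardises. The following is an added example written for this page, not code from the original article: it implements TOTP over HMAC-SHA1 with the 30-second step mentioned above, and shows the two server-side details a practitioner has to get right, tolerating a little clock drift and refusing to accept the same code twice within its window. The secret is the RFC 6238 Appendix B test secret, used here only so the output can be checked against the published vectors; the `TotpVerifier` class and the user name "alice" are constructed for illustration.

```python
import hmac
import hashlib
import struct
import time

# Shared secret from RFC 6238 Appendix B (ASCII "12345678901234567890"),
# used so the codes below match the RFC's published test vectors. A real
# deployment generates a random secret per user and protects it at rest.
RFC6238_SHA1_SECRET = b"12345678901234567890"

TIME_STEP = 30   # seconds a code stays valid, as in the article
DIGITS = 8       # the RFC vectors use 8 digits; most authenticator apps show 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier (constructed for this example).

    Accepts codes from the current step and +/- skew_steps neighbours to absorb
    clock drift, compares in constant time, and remembers the last accepted
    step per user so a captured code cannot be replayed inside its window.
    """

    def __init__(self, step: int = TIME_STEP, digits: int = DIGITS, skew_steps: int = 1):
        self.step = step
        self.digits = digits
        self.skew_steps = skew_steps
        self._last_step = {}  # user -> last accepted counter value

    def verify(self, user: str, secret: bytes, candidate: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            step_counter = counter + delta
            # One-time means one time: never accept a step already used.
            if step_counter <= self._last_step.get(user, -1):
                continue
            expected = hotp(secret, step_counter, self.digits)
            if hmac.compare_digest(expected, candidate):
                self._last_step[user] = step_counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC6238_SHA1_SECRET, now))
    print("RFC vector at T=59:", totp(RFC6238_SHA1_SECRET, 59))  # 94287082
```

The drift tolerance is what lets a user whose phone clock is 20 seconds off still log in; the per-user `_last_step` record is what stops the same code being used a second time in those 30 seconds, which is the property that makes the password genuinely one-time rather than merely short-lived.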