Those calls to change your password every month, or to add extra characters, really don't work. don’t work. And no matter what you do, your systems are less secure than you and your system administrator think they are. Little wonder that Sony, the Pentagon... and you... are easy targets. If you're using Web-collaboration CAD or BIM tools, you may want to re-think your password policies.

I’ll explain why, and what you can do to come close to maximum password security, with minimum effort. The single most important rule is to never reuse passwords. But there's more to the story than that.

With Autodesk WS (, Bentley Navigator (, and (as of September 20) Graphisoft BIMx ( allowing Web-based collaboration and open sharing of documents, it has never been easier to place files where they can be grabbed by unauthorized individuals.

Meanwhile, CAD vendors, who have long sponsored reasonably secure private collaboration sites for their own users, have a particular fascination with the iPad; many have released iPad tools since spring. But as great as the iPad is, graphics power is not its strong point. That means converting from working files into something the iPad can handle (and back again if you are using markup tools). Each step should require a different password.

BIMx is a tool for sharing designs among 750 million Facebook users, who can view them at and download them through iTunes. Will users fully understand the difference between BIMx and products meant only for confidential collaboration? As of now, if you want to share a BIMx model privately, you attach it to an email or use a generic sharing tool such as YouSendIt or Dropbox (where multiple users have access to a specific directory they “share”).

The danger goes beyond violation of client security requirements, especially since CAD drawings often carry spec sheets and other proprietary data with them. Design firms have seen their bank accounts looted by online thieves as well. Unlike consumer accounts, don’t expect the bank to give your money back.

Passwords are by far the weakest link in the security chain. It is almost impossible, for instance, to break WPA2—the best of commonly used WiFi encryption standard—by brute force. But passwords are billions of times easier to guess.

Those Passwords!

The advice here is based on two remarkable papers delivered at last year’s ACM (Association for Computer Machinery) conference on Computer and Communications Security. Both papers are based on test attacks against lists of real passwords (up to 32 million of them) that had already been hacked and posted by the hackers themselves. The papers are:


  • "The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis", by Yinqian Zhang and others at UNC/Chapel Hill. (See related links for PDF report).


  • “Testing Metrics for Password Creation Policies by Attacking Large Sets of Revealed Passwords,” by Matt Weir (now at MITRE) and others, see from Weir’s blog.

You must convince your system administrator (and clients who write security rules into contracts) that the password advice baked into virtually all security software—advice based on NIST Electronic Authentication Guideline SP800-63—is wrong.

NIST calculates “Shannon entropy” (the internal randomness) in passwords, and generates an “entropy score” to rank passwords by their toughness. You score 4 bits of entropy for the first character, extra bits for extra characters and even more bits for capitalization and use of numbers and special characters (like -,  _, ^). This is the over-optimistic calculation that sites use to rank your chosen password as you enter it, and to reject passwords it judges too weak.

Shannon entropy is not the same as “guessing” entropy, mainly because passwords tend to follow a pattern. Capitalization tends to be in the password’s first character. Numbers tend to be at the end of a string of letters, and so forth. Hackers also take advantage of “dictionaries” of common words and patterns. The letter “e” for instance, is by far the most commonly used character in English, and “1” the most common number. In fact, the 10 most common numbers and groups (in order, 1, 2, 123, 4, 3, 123456, 12, 7, 13, and 5) account for 26 percent of the numbers used in all passwords.

The requirement to add numbers to letters actually makes users less inventive; the top 10 number combos account for more than 36 percent of all numbers!

The papers show how easy guessing can be, given the common groupings. A password policy that meets the NIST Level 1 guideline should only allow an attacker to guess a password within the allowed number of tries with a probability of 1 in 1024 (1 in 16,384 for systems certified Level 2). But in Weir’s test nearly 1 percent of 7+ character passwords were cracked with just four guesses.

Weir says the NIST guidelines also drastically underestimate the security of many passwords that are resistant to an online attack. This leads to overly burdensome password creation policies that disallow many passwords that in practice would be secure.

Security improves if password policy includes a “blacklist” banning certain common passwords like abc123. But over time, this pushes users to adopt other passwords often enough to make them blacklist-worthy. So system administrators have to evolve their policies.

Also evolving: The need for you or your system administrator to understand Android and iOS (the iPad/iPhone operating system). A Microsoft certification for security is no longer enough.

Password Management Software Tips

You can keep track of those truly hard-to-crack %^&39Fd&!!! passwords with a password manager. Apple products have one built-in, and there are rudimentary password “remembering” functions in browsers. But for seamless functionality across all the devices you are using, here are some suggestions: -- Free, open-source.
-- Keeps track of your passwords and also keeps track of fill-in form data. – Password Manager comes in a free version ideal for smaller offices, and an enterprise version as well. -- For shops that are all-Windows, this freeware is terrific.

Steve Ross has served on various technical committees reviewing standards for data encryption on networks. He also notes that one of the first (if not the first) papers to study real-life passwords was written by one of his neighbors at the time, the late NSA cryptography expert and UNIX pioneer Robert Morris, in 1978. In a group of 3,000 users, a third of the passwords were vulnerable to a dictionary attack containing 250,000 words. When combined with a limited brute force attack, 86 percent of the passwords could be cracked. You can write him at