The stronger your passwords, the more secure your system is. In the SQL Server space, many exploits take advantage of weak or nonexistent sa passwords—which is why Microsoft made the default installation of SQL Server 2005 supply an sa password by default. However, for end users, strong passwords are a two-edged sword. Although strong passwords make for better security, the stronger the password, the more difficult it is to remember. In user workspaces, you inevitably see sticky notes full of impressive-looking, difficult-to-remember passwords—attached to the edges of monitors.
A study conducted by researchers at the Cambridge University computer lab both confirmed and debunked several common beliefs regarding user password selection. This study compared the value of strong random passwords with mnemonic-style passwords. A mnemonic password is a word you construct by using the first letters from a sentence. For example, "My 1st mnemonic password is cool" would be "M1mpic." The first finding confirmed what we all know: Users have trouble remembering random passwords. Sixty-six percent wrote down the random password to help them remember it. Next—no surprise here either—the study confirmed that passwords based on mnemonic phrases are harder to guess than passwords that users select from common words or names. The researchers cracked 32 percent of such user-selected passwords by using simple dictionary and brute-force attacks.
The Cambridge study also debunked several myths about users and passwords. First, it showed that randomly generated passwords aren't stronger than mnemonic passwords. The successful cracking rate for 6-character passwords of each type was roughly equal. Another myth that the study disproved was that mnemonic passwords are harder to remember than passwords that users select based on common words. As measured by administrative password-reset requests, mnemonic and user-selected passwords had about the same reset rate. However, randomly generated passwords needed resetting 8 times as often. You can find the Cambridge study at http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf.
However, several pieces of compelling evidence suggest that pass phrases give better security than even strong passwords. Pass phrases differ from mnemonic passwords in that they're full words and contain spaces. The pass phrase "My 1st mnemonic password is cool" is 27 characters, versus the 7-character derivative. Windows and SQL Server both support pass phrases. Windows allows 127-character passwords, and SQL Server's mixed-authentication mode supports passwords of 128 characters. Passwords, though shorter, can be cryptic—especially strong passwords that combine upper and lower case letters, numbers, and special characters. Pass phrases are longer but easier to remember. As a rule, longer is stronger, so the length of pass phrases makes them more difficult to crack than passwords. And because the phrase means something to the user, it's less likely that the user will write it down.
Strong passwords are certainly better than weak ones, but it's time to consider pass phrases as an alternative to passwords. In the technology game, people and processes almost always trump technology. Pass phrases strike a good balance between usability and security. They're long enough to provide good security, yet friendly enough that users will remember them more easily than stronger but complex and meaningless passwords.
