Passwords are a problem. There is a contradiction built into the very concept: they have to be too complex for anyone else to guess, but so easy we can remember them. As a result, we usually fall into one of three categories:

  • we use weak passwords that we can’t forget but anyone can guess (not a good idea)
  • we use strong passwords (a good idea) but write them down so we can’t forget them and other people can find them (not a good idea)
  • we use strong passwords (a good idea) and forget them (not a good idea).

Using strong passwords is a very good idea, but the potential of locking ourselves out of our own systems is a problem that is only too often realised. And this has led to the development of an industry of legal (depending on where you live) password-cracking products. One of the best-known companies in this area is the Russian ElcomSoft, and it has just announced a typical new product: Advanced Sage Password Recovery. It is what it says: a product that will recover lost passwords for the Sage PeachTree Accounting System.

Advanced Sage Password Recovery supersedes Advanced ACT Password Recovery, a tool to instantly recover or replace passwords protecting databases created with ACT! Personal Information Management software manufactured by Sage. The new product adds the ability to retrieve passwords restricting access to Sage PeachTree Accounting databases, including Admin and all user passwords. With Advanced Sage Password Recovery, it just takes a few clicks to view a full list of Sage PeachTree Accounting passwords in plain text.

All user and administrative passwords protecting any version of PeachTree Accounting software are listed immediately in plain text. Advanced Sage Password Recovery supports all editions of Sage PeachTree Accounting including Pro, Complete, Premium, and Quantum.

Which means that it is a double-edged sword, or a dual-purpose weapon: if you can use it to recover your lost passwords, then so too can a bad guy use it to find your password. Now I am not for one second saying that such products should not be allowed: there is clearly a legitimate use for them. But I’m just asking, what is the point of a password so strong that you forget it, but so weak it can be recovered by a rather inexpensive commercial password cracker?

Like I said: passwords are a problem.


