How to Choose, Use and Recall Strong Passwords
This article is a slightly edited extract (Chapter 29: Passwords I—Choosing & Using) from Bill Hely’s security e-book The Hacker’s Nightmare. The contents are Copyright © 2004-2009 Bill Hely and all rights are reserved.
-oOOo-
In order to access private data on a protected system you are usually required to enter a Username and a Password. This is a necessary precaution to verify to the system that you are a person with legitimate rights to access that data.
While the importance of Passwords – and the importance of treating them with respect and circumspection – should be self evident, the important points are ignored so often that some repetition is warranted.
Here are the most important things to remember about Passwords:
- Do not tell your passwords to anyone. If you are asked by someone to reveal your password, say NO. There is simply no reason. The only person who might have the “right” to access your account using your own private credentials is an accredited System Administrator. If someone tells you he is an Administrator and needs to know your credentials, be very sure that you are absolutely certain you know who you are talking to. Take your guidance from the policies of online banking services: No one at their end knows your password; no one at their end can even look up your password; and no legitimate representative of an online banking service will ever ask you for your password. If a System Administrator really needs to access your account it’s a simple matter for him to change your password, log in, do what he needs to do, and advise you of the new password.
- Don’t write your password down on a Post-It note and stick it to your monitor, or anywhere else in your workspace. If you really need to write it down, put the note into your purse or wallet, but never anywhere on or near the computer. And don’t write on the note “My computer password”! There are plenty of ways to disguise what the note is about.
- Don’t save a password file on your computer in any sort of readable file. If you have a lot of passwords and can’t remember them all, write them down (see point 2 above). If you really want to save them in a file, use some secure form of encryption. Best of all, use a secure password manager such as RoboForm.
OK, so what about choosing the actual password itself?
If I had to make a rough guess, I’d say that 99.9% of the world’s computer-using population would immediately – and without any thoughtful consideration at all – choose exactly the sort of password they should not be choosing.
When creating a password, you should never choose a word or phrase that others could easily guess. Don’t use the name of your spouse, your cat, your street, or the manufacturer of your computer or monitor. In fact, don’t use any meaningful word from the dictionary – they are easy prey for a hacker’s dictionary attack.
The best password is a long, random string of mixed case characters, numbers and punctuation marks.
If you really need something easy to remember, take parts of words and combine them into something that you can still speak, but that makes no sense. Then attach a few numbers to complicate matters further.
What makes a good password?
In answering this question I think it helps to understand what makes a bad password. It’s been found that the worst of the most frequently used passwords are:
- god
- fred
- password
- master
- 111111
- boss
- The name of your organization, department, unit, etc.
- The names of spouses, boyfriend or girlfriend, pets.
- Anything to do with your address, home or work.
All of the above (and variations on them) are obvious and easy to guess or track down. That makes them, from a security standpoint, just plain stupid. Yet they are used by literally tens of thousands, if not millions, of people on a daily basis.
So what makes a good password? Three prime considerations are:
- They are not dictionary words (in any language).
- They do not repeat characters.
- They are long enough to make them hard to observe or to attack using ‘brute force’.
Now I admit that while those are standard recommendations, those few pointers don’t help all that much, because it’s still difficult to understand what you should choose. After all, you still have to be able to remember the password.
The trick is to pick the right mixture of words/characters that make it impossible for someone else to guess or to discover by research. This is where the password system itself (i.e. the password field that you are required to fill in) may not help as much as it should.
Ideally a password field should accept up to 40 characters, and acceptable characters should be anything you can find on the keyboard. In practice you may not use all 40, but if you need to use a top quality password at least you have the option to do so. The problem is that all too often you’ll encounter password fields that stipulate “6 to 8 characters in length, no punctuation or characters other than letters or numerals”.
You need to pick something you feel comfortable typing, and which uses at the very least 8 characters – a character being anything on the keyboard, including all the non-alpha-numerics if permitted. The trick is to pick a couple of words you do know, preferably not related to each other, and add a few special characters to them so they are no longer dictionary words. Here are a few examples:
- Table!house*
- Knight(soil)
- Dem0n**manager
- TheWarOf1775
- TailThe****donkey
- N0thing failslike succe$$
The last is a common quotation (attributed to journalist Gerald Nachman) which is not usually a good idea, but it’s still hard to guess or attack, especially if you don’t know where the spaces are, or where letters have been replaced with other characters. An “o” can become a zero, for example, and the “$” sign is an obvious replacement for the letter “s”.
Passwords need to be changed from time to time and choosing a frequency also requires a little thought.
A password that protects something vital needs to be changed often, but you need to be able to remember it. Having a long, convoluted password generally means you don’t need to change it so often. So if you can cope with the typing, pick a long password and it can endure longer.
Unfortunately, as stated above, many systems impose a very short maximum length for a password field. This is regrettable and anti-security. A six-character password of upper case letters is a few seconds’ work for an experienced attacker with the right tools. Even using all possible characters, a length of six isn’t a job of many hours.
The inclusion of punctuation and other non-alpha-numeric characters makes an attacker’s job exponentially more difficult. In July 2003 a group of Swiss researchers published a paper on a method they developed for “speed cracking” Windows passwords. One thing that emerged from their work was that the inclusion of punctuation characters in passwords significantly increases the difficulty of cracking them.
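To make the three rules above and the brute-force arithmetic concrete, here is an added checker (not from the book or from RoboForm) that applies the rules to the article’s own sample passwords and estimates the keyspace an attacker must search. The word list, the 1e9 guesses-per-second rate and the reading of “do not repeat characters” as “at least half the characters are distinct” are assumptions made for the example.

```python
import math
import string

# Constructed mini word list standing in for an attacker's dictionary; it
# includes the "worst passwords" the article lists plus some plain words.
WORDLIST = {"god", "fred", "password", "master", "boss", "table", "house",
            "knight", "soil", "demon", "manager", "donkey", "nothing"}

# Character classes an attacker must cover, sized from a US keyboard
# (space counts as punctuation, matching the quotation example in the text).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation + " ",
}

# Common letter-for-symbol swaps; the checker undoes them before the dictionary test.
UNLEET = str.maketrans("0$1@3", "osiae")

GUESSES_PER_SECOND = 1e9  # assumed attacker speed; not a figure from the article


def keyspace_bits(pw):
    """Bits of brute-force work: log2(alphabet ** length) over the classes used."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def crack_seconds(pw):
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return 2 ** keyspace_bits(pw) / GUESSES_PER_SECOND


def check_password(pw, min_len=8):
    """Apply the article's three rules; return the failed rules (empty list = OK)."""
    failures = []
    if pw.lower().translate(UNLEET) in WORDLIST:
        failures.append("dictionary word")
    # "Do not repeat characters" is read here as: at least half must be distinct.
    if len(set(pw)) * 2 < len(pw):
        failures.append("too repetitive")
    if len(pw) < min_len:
        failures.append("too short")
    return failures


if __name__ == "__main__":
    for pw in ["god", "111111", "passw0rd", "Table!house*", "N0thing failslike succe$$"]:
        print(f"{pw!r:30} {keyspace_bits(pw):5.1f} bits "
              f"{crack_seconds(pw):12.2e} s  {check_password(pw) or 'OK'}")
```

Six upper-case letters exhaust in well under a second at the assumed rate, and six characters drawn from the whole keyboard in minutes, which matches the article’s point that short fields are the real weakness.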
Now, as I said earlier: You still have to be able to remember the password. The tips above should give you some ideas on how to construct a non-dictionary password that is easily remembered. That’s a practical approach for passwords in stand-alone programs.
For password-protected websites there is an infinitely better way, and I don’t mean using the same password or two for all occasions!
Earlier I recommended the installation of the utility program RoboForm, which has an excellent password generator. Here’s an example of a secure 32-character password generated with just a couple of mouse clicks (the figure below shows how it was generated – note how configurable RoboForm’s password generation is, allowing you to preset the maximum length and include or omit certain types of characters).
53^t5rouhhUnJK66zW%dBgua4S!oNVr6
On first sighting a really secure password like that, your reaction will probably be something like “Oh my goodness! How would I ever remember that?” The answer is…
You don’t have to!
As explained earlier, RoboForm is, among other things, a password manager. It remembers your passwords and the Web pages they are associated with, and offers them up as needed. The passwords that RoboForm “remembers” are protected by a single master password, which is the only one you have to remember yourself.
In the interests of your own security you must develop a healthy respect for the importance of passwords.
The example above is the sort of password you should be using to protect your on-line banking access (within the limits of the constraints they enforce as to character types and length), wireless router and the like.
Unfortunately RoboForm can only manage the passwords for web browsers, not separate, stand-alone programs installed on your PC. For stand-alone programs I urge you to consider the password creation techniques discussed earlier. They result in word and character combinations that are far from obvious, yet are easy to remember.
But for Internet password management look no further than RoboForm. It’s an incredibly useful application with so many uses. For example, it can also remember a lot of information about you, store it securely in password-protected “profiles”, and use that information to automatically fill in all manner of web-forms, an onerous task at times. If you haven’t already installed RoboForm, do so now. It really is a must-have application that you’ll never regret installing.
-oOOo-