Selecting A Good Password
By John Anderson
A good password policy is the foundation for computer security, whether you are on a network, accessing information on the Internet or protecting electronic documents. If your computer is connected to a network, you should use a complex password.
Why Are Good Passwords Important?
Constant attempts are made to access computer networks. Attempts to connect to accounts on network-connected computers are made by guessing usernames and/or passwords using automated systems capable of attempting many thousands of passwords in a short period of time. Unless a complex password is used, those trying such “brute force” password-guessing routines can break into an account with relative ease.

Programs are available that act as electronic locksmiths. Hackers can download these files from the Internet and share them with each other. An account compromised in this way puts more than the data of the affected account at risk. Most such attacks over the network are not conducted to obtain the data of one particular user but rather to allow further access to the overall system. An attacker might use one compromised account to conduct other attempts to break into the system with higher privileges, which if successful would put the security of the entire network at risk.

Thus, by using a complex password and protecting it, you are not only helping to protect your own data but that of everyone else on the system as well.
“Complex” Passwords
First, let’s define the terms “weak password” and “strong (or complex) password”. Weak passwords are made up entirely of alphabetical characters, can be found in the dictionary or are recognizable names. Strong passwords use special characters and upper- and lower-case characters. The addition of such characters significantly increases the time it takes to crack a password.

- “Why do I care about time to crack?” - If your network is compromised, the first step a hacker usually takes is to download the password file. This file contains every username and password on the network, but it is encrypted. The hacker must use decryption tools to learn the passwords. The more complex the password, the longer the tool takes to crack it. The longer it takes, the more time is available to react to the intrusion.
- “But I like easy-to-remember passwords – I’m not choosing a hard one!” - Nobody likes having to change their password or making it complex. However, passwords are the defensive front line that provides protection for your account and the network. A poorly chosen password equates to a weak front line and may result in the theft of your user account or network downtime.
Here are some suggestions for selecting a complex password:

- Password should be at least eight characters in length.
- Password should include at least one character from three of the following four classes: lower-case letters, upper-case letters, numbers and punctuation/special characters (e.g. $, %, &).
- Password should not contain any words found in the dictionary, any part of your full name or account name, or other personal data such as date of birth, license plate number, etc.
The Good News: Complex Passwords Can Be Easy to Remember!
You can create a complex password that is easy to remember. All you have to do is think of an easy-to-remember phrase or song lyric and base the password on the first character of each word, then mix case and substitute a number or special character for some of the letters.

Here are a few examples of complex passwords that are at least eight characters in length and contain at least one letter, one number and one special character:

- Change Passwords Every Six Months to Be Safe = Cpe6m2*S
- Use a Phrase to Yield a Good Password = Uap2ya^P
- Every Password Must Be Eight Characters in Length = ePmb8c;L
- Yankee Doodle Went to Town = Ydw2#twn

Some more examples:

- Sugar and Spice = sgr&sp1ce (& = “and”, 1 = “i”)
- Ravens = R^veN$ (^ = “a”, $ = “S”)
- I Want to Sail the Seven Seas! = 1w2st7s!
- Marathon = m^raTh0n
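The three suggestions above (eight characters, three of four character classes, no dictionary words or personal data) can be checked mechanically before a password is accepted. The following checker is an added example, not code from the article; the word list is a small constructed stand-in for a real dictionary, and the rule that any three-character run of the account name is rejected is this example’s own choice.

```python
import re

# Constructed stand-in for a real dictionary (assumption: a deployment would
# load a full word list instead of this handful of words).
DICTIONARY_WORDS = {
    "password", "welcome", "sugar", "spice", "ravens", "marathon",
    "yankee", "doodle", "town", "sail", "seas", "eight",
}

# The four character classes named in the policy.
CHARACTER_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password, user_id="", personal_terms=()):
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    lowered = password.lower()

    if len(password) < 8:
        violations.append("shorter than eight characters")

    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < 3:
        violations.append("uses only %d of the four character classes" % len(present))

    # Dictionary words are rejected forwards and backwards, case-insensitively.
    for word in sorted(DICTIONARY_WORDS):
        if word in lowered:
            violations.append("contains dictionary word '%s'" % word)
        elif word[::-1] in lowered:
            violations.append("contains dictionary word '%s' spelled backwards" % word)

    # Any run of three or more characters taken from the account name is rejected.
    uid = user_id.lower()
    for start in range(len(uid) - 2):
        if uid[start:start + 3] in lowered:
            violations.append("contains part of the account name")
            break

    # Personal data (birth date, license plate, ...) supplied by the caller.
    for term in personal_terms:
        if term.lower() in lowered:
            violations.append("contains personal data '%s'" % term)

    return violations
```

Run against the article’s own examples, the four eight-character passwords pass, while the shorter ones in the second list (such as R^veN$) fail only the length rule.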
To Protect Your Password
- Don’t use the same password for all the different places that require one. In particular, don’t use the same password on non-secure web pages or locations that do not encrypt passwords.
- Don’t share it with anyone or write it down.
- Change it every 90 days.
- Whenever possible, only connect to a server using a method which does not send the password in the clear (unencrypted). You can check this by looking for “https://” to the left of the website address.
What Should I Be Sure Not to Do?
- Treat passwords like Kleenex – don’t reuse them or share them with friends.
- Don’t use words from a dictionary (including foreign words).
- Don’t use words spelled backwards.
- Don’t use parts of your user ID, biometric data, family names, etc.
- Don’t use common acronyms (MSBA, NASA).
- Don’t use the examples from this article!
- Don’t use a Post-It note to save your password (a bad idea, be it hidden under your keyboard or stuck to your monitor).
A good password is more than just a complex password. A good password is one that is not easily guessed but still easy to remember. It should be long and should consist of letters, numbers and symbols but still be easy to type quickly with few errors. It should have elements of randomness that only a computer can provide while still having familiarity that only a human can provide.

But the best password of all is the one that the user chooses based on an educated understanding of passwords - a password that is hard to crack but never forgotten.