Most of us have to use a wide variety of computer systems to keep up
with the information produced by basic day-to-day tasks. Shopping, banking,
dealing with e-mail, telecommuting: all of these tasks require some sort
of identification, usually in the form of a login and password. Some
of this information is more sensitive than others, and the strength of the
password you choose should be in direct proportion to the sensitivity of
what that password protects.
There are a few basic rules to remember, regardless of what services you
are using that password to access.
Never re-use passwords.
Don't use the same password for two different systems, no matter how
much you like the password. Don't re-use old passwords that you've
used in the past. Some malicious user may have acquired your password
from some other site, or from some time in the past, and may only now
be getting around to trying it out on the very site you just re-used
that password on.
Never use ridiculously simple passwords.
Dictionary words, including words from foreign-language dictionaries, are
remarkably unsuitable as passwords. Guessing tools don't just try each
word; they also try its common variations (capitalized, reversed, with
letters swapped for look-alike digits and symbols, with a digit or a year
tacked on the end). If the attacker can keep their failed login attempts
from being noticed, it can take as little as five minutes to exhaustively
attempt every known word and several dozen permutations of each against a
single login. In this situation, you may as well have no password at all.
Other examples of ridiculously simple passwords include moldy oldies such
as aaaaaaaa or 12345678.
Will your proper name spelled backwards make a good password? No. Neither
will your proper name spelled forwards. A little common sense goes a long
way here.
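To make the "dictionary word plus permutations" point concrete, here is a small added example (not part of the original article) of the kind of word-mangling check a password guesser runs. The wordlist, the substitution table and the candidate passwords are all constructed for the demonstration; a real attacker's wordlist holds millions of words and hundreds of rules, so anything this toy version catches falls in well under the five minutes mentioned above.

```python
"""Dictionary-plus-mangling-rules check, in the style of a password cracker.

Added example, not from the original article.  The wordlist and rule set
below are deliberately tiny and constructed for the demo; real tools use
wordlists of millions of entries and far larger rule sets.
"""
import itertools

# Constructed mini wordlist.  Real lists also cover other languages, names,
# places and previously leaked passwords.
WORDLIST = ["password", "summer", "dragon", "welcome", "alice", "london"]

# Look-alike substitutions that every guessing tool knows about.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}

# Suffixes people habitually add: a digit, a year, punctuation, "123",
# each optionally followed by "!".
_BASE_SUFFIXES = ([""] + [str(d) for d in range(10)]
                  + [str(y) for y in range(1990, 2005)] + ["!", "123"])
SUFFIXES = sorted(set(_BASE_SUFFIXES + [s + "!" for s in _BASE_SUFFIXES]))


def leet_variants(word):
    """Yield `word` with every subset of its substitutable letters swapped.

    Swapping some but not all letters (P@ssw0rd rather than P@$$w0rd) is the
    common habit, so the rule must cover every combination, not just "all".
    """
    keys = [k for k in LEET if k in word.lower()]
    for r in range(len(keys) + 1):
        for subset in itertools.combinations(keys, r):
            out = word
            for k in subset:
                out = out.replace(k, LEET[k]).replace(k.upper(), LEET[k])
            yield out


def mangle(word):
    """Yield the guesses an attacker derives from one dictionary word."""
    bases = {word, word.capitalize(), word.upper(), word[::-1]}
    variants = set()
    for b in bases:
        variants.update(leet_variants(b))
    for v, s in itertools.product(sorted(variants), SUFFIXES):
        yield v + s


def dictionary_hit(password, wordlist=WORDLIST):
    """Return the base word that generates `password`, or None if none does."""
    for word in wordlist:
        if password in mangle(word):
            return word
    return None


def rules_per_word(word="password"):
    """Number of distinct guesses the rule set above produces for one word."""
    return len(set(mangle(word)))


if __name__ == "__main__":
    # Constructed candidates: the first three look "complex" but are caught.
    for candidate in ["P@ssw0rd", "Summer2003!", "nogard1", "C0nYRpwd"]:
        print(f"{candidate:12s} -> {dictionary_hit(candidate)}")
    print(f"guesses per word with this toy rule set: {rules_per_word()}")
```

Even this handful of rules turns one word into well over a thousand guesses, which is why a look-alike substitution or a trailing year does so little for a dictionary word, while the phrase-derived C0nYRpwd from later in the article is not generated from any word in the list.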
Never e-mail your password.
As with rule #2, if you insist on e-mailing your password, you may as
well have no password at all. If anyone was doing even a modest amount
of eavesdropping on either end of the e-mail loop, your password is
now known to a third party. Even if someone "official" asks you to
e-mail your password to them, don't do it-- chances are, the person
making the request is an imposter, or is otherwise waiting to intercept
your password.
Don't store your passwords in written form.
If you're having problems remembering your password choices, perhaps
you need to work a little harder at crafting a password (or password
scheme) that is more memorable for you. Writing your password on a
sticky-note that sits in your desk drawer is about as effective as
storing your spare house key under the front doormat. If you need to
write it down for the first day or two while you get used to it, that's
one thing, but long term storage is another matter entirely.
Now that the badgering is out of the way, how about a few tips?
A little complexity goes a long way.
If someone is trying to guess your password, you want them to have
to guess from as many different choices as possible, right? There are
two ways to increase the complexity of your password: variety in
the characters used in your password, and password length. If we think
about the numbers, the number of possible passwords is the number of
characters to choose from, raised to the power of the length of the
password. For example, an eight-character all lower-case password has
26 raised to the eighth power possible combinations, some 209 billion
choices. A reasonably fast computer can exhaustively check all of these
passwords in a week. What if instead of all lower-case, you use lower-case
and upper-case? With that small effort on your part, there are now 52 to
the eighth possibilities, some 53 trillion different passwords. Each of
the eight positions has twice as many choices, so the search takes 2 to
the eighth, or 256, times longer: roughly five years instead of a week.
You can imagine how it improves from there if you toss in a number or
some punctuation. Length helps even more, because every extra character
multiplies the work by the whole size of the alphabet: four more
lower-case letters (26 to the twelfth) buy you more than making all eight
characters draw from every printable symbol on the keyboard, so use a
longer password when possible.
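The arithmetic above, carried through as an added example (not from the original article). The guess rate is calibrated to the article's own figure, 26^8 guesses in one week, rather than to any particular hardware, and the comparison between adding character variety and adding length is the point worth seeing in numbers.

```python
"""Keyspace, entropy and exhaustive-search time for password policies.

Added example, not from the original article.  The only external figure is
the article's "26^8 lower-case passwords in one week"; every other number is
derived from it.
"""
import math

SECONDS_PER_WEEK = 7 * 24 * 3600
WEEKS_PER_YEAR = 365.25 / 7

# Alphabet sizes for the usual character classes.
LOWER = 26
MIXED = 52            # lower + upper
ALNUM = 62            # lower + upper + digits
PRINTABLE = 95        # all printable ASCII


def keyspace(alphabet_size, length):
    """Number of distinct passwords: alphabet size raised to the length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Same quantity on a log scale: bits of work for an exhaustive search."""
    return length * math.log2(alphabet_size)


def calibrated_rate():
    """Guesses per second implied by "26^8 exhausted in a week"."""
    return keyspace(LOWER, 8) / SECONDS_PER_WEEK


def weeks_to_exhaust(alphabet_size, length, guesses_per_second=None):
    """Weeks for the attacker to try every password of this shape."""
    rate = guesses_per_second or calibrated_rate()
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_WEEK


def years_to_exhaust(alphabet_size, length, guesses_per_second=None):
    return weeks_to_exhaust(alphabet_size, length, guesses_per_second) / WEEKS_PER_YEAR


def compare_policies():
    """Return (label, bits, weeks) rows for a few policies, sorted by strength."""
    policies = [
        ("8 lower-case", LOWER, 8),
        ("8 mixed-case", MIXED, 8),
        ("8 alphanumeric", ALNUM, 8),
        ("8 any printable", PRINTABLE, 8),
        ("12 lower-case", LOWER, 12),
    ]
    rows = [(label, entropy_bits(a, n), weeks_to_exhaust(a, n))
            for label, a, n in policies]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    print(f"calibrated rate: {calibrated_rate():,.0f} guesses/second")
    for label, bits, weeks in compare_policies():
        print(f"{label:16s} {bits:5.1f} bits  {weeks:14,.1f} weeks  "
              f"({weeks / WEEKS_PER_YEAR:,.0f} years)")
```

The mixed-case row comes out at exactly 256 weeks, and the last two rows show the length effect: eight characters drawn from all 95 printable symbols take on the order of 30,000 weeks, while twelve plain lower-case letters take about 457,000 weeks at the same guess rate.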
Construct your password from a memorable phrase.
Maybe a phrase from a favorite song, or a memorable quote. Take a
letter or two from each word, introduce some punctuation, maybe
a number or two, and presto! Instant password. For example, from the
phrase "Construct your password:" you might get C0nYRpwd. While
there's no punctuation in that, there's no immediately obvious
structure to it either, which is what really counts when someone is
guessing your password. One caution: swapping 0 for o or 3 for e is a
habit that guessing tools know well, so the substitutions add much less
than the length of the password and the obscurity of the phrase do.
Pick a phrase nobody could look up, not a famous quotation.
Use a system to remember passwords across multiple sites.
You have logins on six or seven different machines, and you want to
be good and not use the same password on each system. One simple and
effective answer is to have a system of passwords that you can memorably
relate to each system. Maybe the passwords are long enough that you can
incorporate the name of the system into your password somehow? For
example, you have the password grb$n0ut, which you want to
use on the hosts larry, curly, and moe.
These systems allow password lengths up to 72 characters, so you decide
to go with: grb$nlarry0ut, grb$ncurly0ut, and
grb$nmoe0ut. Your original password was "garbage in, garbage
out," but you inserted the host names such that the passwords are now
"garbage in, hostname out." If you have no problems remembering the
original password, you'll be able to remember the entire scheme.
Bear in mind what this scheme does and doesn't buy you: it stops a
password stolen from one host from working unchanged on the others, but
anyone who reads one of these passwords can see the host name sitting
inside it and will try the obvious substitution on the next host. It is
a real improvement over straight re-use, not a substitute for it on the
systems that matter most.
Try typing your password before you decide.
It stands to reason that you may have to type this password somewhat
frequently over its lifetime. Perhaps you may want to make sure that
it isn't murder on the fingers to type before you set it, rather than
after. One helpful way to add complexity to a password and keep it
simple to type is to batch together your use of the shift key for
capitals or punctuation-- if you are going to have three characters
that require you to hit shift to type them, typing your password gets
a whole lot easier if those three characters are all in a row.
Last modified on Wednesday, 18-Feb-2004 16:26:33 PST