Best Password Practices Guide

Passwords remain one of the weakest links in most security systems. People write them on sticky notes attached to their monitors, or choose passwords so simple that with a little time anyone can get into their accounts.

As we entrust more and more of our data to computers and the Internet, password security only grows in importance. Many sites have long enforced basic checks on passwords to reduce the chance of a breach; you have seen them whenever a site asks for a longer password or for certain types of characters.

They want you to use passwords that look like !qD7_8aC, but you will never remember that. So how do you create passwords that aren’t easy to guess and that you won’t have to write down? First we need to look at why a password like the example above is harder to attack.

Weak Passwords: Dictionary Attack

Crackers (commonly, if loosely, called hackers) use long wordlists: dictionary words, common names and, above all, passwords exposed in earlier breaches, often millions of entries. Software runs through the list and tests each entry against your password, or more usually against a stolen copy of its hash. If one matches, the cracker has gained access quickly and cheaply.

This is why we need to make sure we aren’t using words or names that can simply be found out by this type of software.

Words like password, school and even psychologist are bad passwords. The length of the word doesn’t matter in this type of attack, and combining two words helps less than you would expect, since cracking tools also try pairs of wordlist entries, so neither may keep your data safe from it.

Weak Passwords: Brute Force Attack

Another technique crackers use is brute force, and it is what it sounds like: the software tries every combination of characters until it hits your password. The cracker will usually first check the password length limits of the site or system, since many set a minimum of 3, 5 or 8 characters and some still impose a maximum of around 15.

The software then starts at the minimum length with all “a’s” and continues until it reaches “zzzzzzzzzzzzzzz”, so even a password like “ccradsae” (eight lowercase letters, about 2 × 10^11 possibilities) falls in minutes to a modern cracker working against a fast hash. Two caveats matter here: against a deliberately slow hash such as bcrypt the same search takes far longer, and against a live login form that throttles attempts or locks the account it is not feasible at all. Brute force usually takes longer than a dictionary attack, but it is guaranteed to find the password eventually, and this is where most modern password strength advice comes from.

Secure Passwords

The example above, !qD7_8aC, is not a dictionary word or phrase, so of the two tactics only brute force can find it. Thanks to the capital letters, digits and symbols, the attacker’s alphabet grows from 26 characters to 94, and the number of candidates of that length grows with it (94^8, about 6 × 10^15). That is what buys time. Be realistic about how much, though: against a fast unsalted hash a single modern GPU exhausts that space in about a week, so at eight characters the symbols only delay the attack. Each extra character multiplies the work by 94 again, which is why length is the stronger lever.

As computers get faster, keeping passwords secure gets harder, and many companies are looking for better ways to manage user authentication, but until that arrives we need to protect ourselves.
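To put numbers on the keyspace argument above, here is an added example (my code, not from the original article) that counts the character classes a password uses, computes the resulting search space and converts it into expected cracking time under three assumed attack scenarios. The guess rates are order-of-magnitude assumptions, not benchmarks: roughly 10^10 guesses per second for one GPU against a fast unsalted hash such as MD5 or NTLM, roughly 10^4 per second for a slow hash such as bcrypt, and 10 per second for an online login that throttles attempts. The passwords tested are the article’s own.

```python
import string

# Assumed guess rates (order of magnitude only, not measured benchmarks).
GUESSES_PER_SECOND = {
    "fast_hash_one_gpu": 1e10,   # e.g. unsalted MD5 or NTLM on one modern GPU
    "slow_hash_one_gpu": 1e4,    # e.g. bcrypt with a sensible cost factor
    "online_throttled": 10,      # login form that rate-limits attempts
}

# Character classes a brute-force attacker must include once it sees
# (or assumes) that the password uses them.
CHARACTER_CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that contains the password."""
    size = 0
    for cls in CHARACTER_CLASSES:
        if any(ch in cls for ch in password):
            size += len(cls)
    return size


def keyspace(password: str) -> int:
    """Number of candidates of this length over that alphabet."""
    return alphabet_size(password) ** len(password)


def expected_seconds(password: str, rate: float) -> float:
    """Average time to hit the password: half the keyspace at `rate` guesses/s."""
    return keyspace(password) / 2 / rate


def human(seconds: float) -> str:
    """Round a duration to the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def estimate(password: str) -> dict:
    """Expected cracking time, in seconds, under each assumed scenario."""
    return {name: expected_seconds(password, rate)
            for name, rate in GUESSES_PER_SECOND.items()}


if __name__ == "__main__":
    for pw in ("ccradsae", "!qD7_8aC", "$1mpl3!P4ssW0rD"):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, keyspace {keyspace(pw):.2e}")
        for scenario, secs in estimate(pw).items():
            print(f"    {scenario:<20} {human(secs)}")
```

Run as-is it confirms the article’s two claims and qualifies them: ccradsae falls in about ten seconds against a fast hash, !qD7_8aC in about three and a half days on average, while the same eight characters behind a slow hash or a throttled login are years of work. The figures are an upper bound on the attacker’s effort: they assume the password is uniformly random over its character classes, which a password built from a word and a substitution table is not.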

Making a Secure, Easy to Remember Password

Coming up with a fairly secure, easy to remember password might seem difficult, but a few simple steps improve it considerably.

First: The more characters the better. Take two or more words. (simplepassword)
Second: Use both uppercase and lowercase letters. (SimplePassWorD)
Third: Replace vowels with numbers. (S1mpl3P4ssW0rD)
Fourth: Add symbols to replace letters or to insert between words. ($1mpl3!P4ssW0rD)

By pure brute force, a 15-character password drawn from the full printable set, like $1mpl3!P4ssW0rD, is out of reach: 94^15 is roughly 4 × 10^29 candidates, far beyond any computer of today or of the next few years. Brute force is not the attack it would actually face, though. Cracking tools ship with rule files that apply exactly these substitutions (a to 4, e to 3, s to $, capitalised word starts, a symbol inserted between words) to every wordlist entry, so a password built from “simple password” is reached by a dictionary attack long before brute force would matter.

NOTE: You can’t rely on just one of the techniques above. PassWorD is not a secure password, and neither is p@ssword or p4ssw0rd. It is the combination that helps, and the step that contributes most is the first: length, and a starting point that isn’t a word or phrase anyone else would pick. Several unrelated words strung together are both easier to remember and harder to crack than one word in disguise.

Changing Your Password Often

This brings me to my next point: if you are smart, you’ll change your password when there is reason to. It doesn’t take much to take one or two important words or a short phrase and convert them through replacement into something stronger yet memorable, but even with all the previous steps, an attacker who has enough reason to try and is persistent will eventually find your password and gain entry. Changing it on a fixed schedule helps less than it once seemed: forced rotation tends to produce predictable variants (Password1, Password2), and a password changed on schedule is no safer against someone who already holds the current one. Change it promptly, though, whenever a site you use reports a breach or you suspect someone has seen it.

And if you change your password while an offline cracking attempt is still running, the result they eventually get is worthless: they are back at square one and have to start over.

Different Passwords for Different Sites/Computer/Services

The last thing people should be concerned about is using the same password on multiple sites. Not all sites, computers and services protect your information equally well, so one site may hand your password to the wrong person, through a breach or simply by storing it badly. If that happens and you use the same password everywhere, you have instantly given that person access to everything protected by it, and using the information they glean from various sites and services, they may be able to obtain more passwords on other sites and services.

Trying to find an easy way to make a distinct password for each site? One approach is a per-site identifier. For Gmail, add gM to the start or end of your chosen strong password. For Twitter, add tw33t or t!. You then have one main secure password with a different tag for each site.

So a password like My#p4s$ becomes My#p4s$gM for Gmail and My#p4s$t! for Twitter. Two caveats. Check the length limits of the sites you use: if you are limited to 16 characters, you can’t use something like $1mpl3!P4ssW0rD as the base for your identifiers, since $1mpl3!P4ssW0rDgM is too long. And understand what the scheme protects against: it stops a leaked password from working elsewhere automatically, but anyone who reads My#p4s$gM in a breach dump can guess the pattern and try My#p4s$t! by hand. For the accounts that matter most, use passwords with nothing in common.

Some Good Password Examples

Just looking around at everyday objects, it can be very easy to create a password that is reasonably secure and easy to use; each of the following starts from a product or object name and applies the steps above.

Pr!ngl3sC4nn (Pringles Can)
d13tC0c4^c0l4 (Diet Coca Cola)
St4rG4t3& (Stargate)
c3lL#pH0n3 (Cell Phone)
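The comment thread below raises the objection that cracking wordlists already include leet-speak substitutions. The following added example (my code, not the article’s) makes that concrete by reversing the recipe from “Making a Secure, Easy to Remember Password” against the examples listed above: it undoes a small, assumed substitution table, drops inserted symbols, and asks whether what remains is nothing but dictionary words plus a couple of junk characters, which is roughly the question a rule-based dictionary attack answers by trial. The word list and the substitution table are constructed for the demonstration; real attacks use lists of millions of entries and rule files that encode exactly these mangling steps.

```python
from itertools import product

# Inverse of the substitutions a cracking rule set would try.  Each character
# maps to the letters it may stand for; "" means "treat as filler" (a symbol
# inserted between words or appended at the end).  Assumption: a
# representative table for the demonstration, not a complete one.
UNLEET = {
    "4": ("a",), "@": ("a",), "3": ("e",), "1": ("i", "l"), "!": ("i", ""),
    "0": ("o",), "$": ("s",), "5": ("s",), "7": ("t",), "+": ("t",),
}

# Constructed mini word list; a real attack uses millions of entries,
# including brand names and previously leaked passwords.
WORDS = ("simple", "password", "pringles", "can", "diet", "coca", "cola",
         "stargate", "cell", "phone", "school", "psychologist")


def expansions(password: str):
    """Yield every lowercase-letter string the password could have been
    produced from under UNLEET; characters with no mapping are dropped."""
    options = []
    for ch in password:
        if ch.isalpha():
            options.append((ch.lower(),))
        else:
            options.append(UNLEET.get(ch, ("",)))
    for combo in product(*options):
        yield "".join(combo)


def best_segmentation(letters: str, words=WORDS):
    """Split `letters` into dictionary words, minimising the number of
    leftover characters that belong to no word.  Returns (leftover, words)."""
    n = len(letters)
    best = [None] * (n + 1)
    best[n] = (0, [])
    for i in range(n - 1, -1, -1):
        leftover, seg = best[i + 1]
        cand = (leftover + 1, seg)            # letters[i] is junk
        for w in words:                       # or a word starts here
            if letters.startswith(w, i):
                leftover_w, seg_w = best[i + len(w)]
                if leftover_w < cand[0]:
                    cand = (leftover_w, [w] + seg_w)
        best[i] = cand
    return best[0]


def dictionary_score(password: str, words=WORDS, max_junk: int = 2):
    """Return (is_dictionary_based, leftover, words_found) for the expansion
    that comes closest to being nothing but dictionary words."""
    best = None
    for letters in expansions(password):
        leftover, seg = best_segmentation(letters, words)
        if best is None or leftover < best[0]:
            best = (leftover, seg)
    leftover, seg = best
    return (bool(seg) and leftover <= max_junk, leftover, seg)


if __name__ == "__main__":
    for pw in ("$1mpl3!P4ssW0rD", "Pr!ngl3sC4nn", "d13tC0c4^c0l4",
               "St4rG4t3&", "c3lL#pH0n3", "!qD7_8aC", "ccradsae"):
        based, leftover, seg = dictionary_score(pw)
        verdict = "dictionary + rules" if based else "not dictionary-based"
        print(f"{pw:<16} {verdict:<22} words={seg} junk={leftover}")
```

Read a low leftover count as “cracked cheaply”: every password built with the recipe reduces to one, two or three wordlist entries plus a substitution rule, so its cost to the attacker is the size of the wordlist times the number of rules, not 94 to the power of its length. The random !qD7_8aC and the plain ccradsae are not dictionary-based, and for them length alone decides.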

Conclusion

Be aware that stolen data, harvested from websites and from your own computer, is big business, and it is up to you to protect yourself.

In the end, you need to select strong passwords, change them when they may have been exposed, use different ones on different sites, and stay apprised of security issues with the sites, services and computers you use. I hope you all take the time to beef up your password security and stay safe.


Comments

  1. Amanda says:

    I’m not good at remembering passwords, so I use Sticky Password. This is a great solution and it includes the Password Generator for very, very strong passwords that cannot be broken. Just have a look at http://www.stickypassword.com

  2. Diego says:

    I really enjoyed your article and have recommended it on my site. I have also gotten really used to the LastPass add-on. It is a password keeper that can generate new passwords for each site and then keep track of them.

  3. I really don’t recommend password managers if you can avoid them. There are a few ways that others can get your passwords from your computer, and so storing them in one spot, with only one password to crack to get access to everything, including which places you have accounts at, seems a little counter-security to me.

  4. Jeff says:

    You, and most other “Security Fanatics”, are making mountains out of molehills. YOU at least seem to be aware that it is cumbersome at best having to create, and remember, “strong passwords”. Although your suggestions for managing multiple strong and secure passwords sound easy enough to do, the vast majority of users simply cannot do this. Ask any IT person manning a Helpdesk: the #1 “petty problem” is people not remembering passwords, and thus getting ‘locked out’. The solution lies not in creating ever stronger passwords, but in strengthening the networks’ access points, thus eliminating the need for the users to have passwords. As you alluded to, computers get faster, so passwords must get stronger. Doing the math however, given the current rate of processing power and speed increases, by about 2020, computers will be powerful enough that ANY password can be broken within about 30 seconds. (That is, any password that falls within the limits of most humans’ memory.) Now for the coup de grâce: “Crackers” DON’T WANT PERSONAL INFORMATION ON INDIVIDUALS. What they want is access to the computer networks of big corporations. The personal individual is “small-fry” and not worth the time it takes to get their information. Contrary to newsmedia reports, “identity theft” is not a “huge” problem. To date, there have been less than 300,000 actual, provable, cases of Identity theft. And the media claims this is a “Trillion dollar business”. Yeah, right, I guess if all 300,000 of those people were billionaires and the thieves stole it all, then OK. I have been on the “internet” since WAY before there was a “World Wide Web”. I first got “online” in 1968 through ARPANET. To date, I have never, ever, not once, used a password to secure my computer or the data on it. I also do not use anti-virus software. I have not had my identity ripped off, and I have never contracted a ‘virus’. I’ve already told you why: the thieves don’t want me, they want Big Corporations.

    But why no viruses? Because the virus authors are on ego trips; their challenge is to ‘crack’ into protected systems. Mine’s not “protected”, so it is essentially invisible to them. (And to be clear, “no viruses” does not mean no Trojans, Spyware, or Adware; those generally are not after anything other than your surfing habits, and everybody gets those, even me.)

    • I agree with you that personal passwords aren’t what crackers, hackers and thieves want, but these ideas and techniques are still smart because they get people into the right habits, which will hopefully translate to their work passwords and more.

      I am pretty lax as well when it comes to passwords for my computer, files, and personal stuff.

      The flip side though is: just because you’ve never had any issues, doesn’t mean no one has. The exception doesn’t make the rule, and bringing people’s attention towards secure passwords doesn’t seem like a negative thing to me. Maybe people won’t go to the extremes of creating the most secure password, but even just remembering to add in some capital letters or some numbers would be a smart start for most people.

  5. jan_geronimo says:

    I like your tip about incorporating password hints for the user to make it easy to remember for him, but otherwise look difficult for a password cracker. Great advice here.

  6. valk says:

    Erm… you know that most dictionary attacks today include 1337$p3@K (leet speak), i.e. they will easily crack passwords composed of dictionary words, even if you replace a few letters with something else… Sure, it is MORE secure than a plain dictionary word password or qwert, but still…

  7. Marcus says:

    The most important point made is not using the same password for everything. Most website password systems protect themselves from attacks of this kind, but there are other points at which passwords can be attacked or obtained, so make them different and you lock down the attack points. Different systems = different passwords: WEP, WPA, computer access, websites. Simples. And attacks like brute force can result in retaliation, sometimes SmoothWall AI style, automatically locking down IPs, MAC addresses, ports, freezing accounts, blacklisting etc.
