Secrets to the best passwords
Variety makes them easy to remember, hard to guess
Computerworld - The use of good, hard-to-guess passwords can make it difficult for a malicious hacker to break into your computer account. Avoiding predictable keywords and using different methods to introduce variety into your passwords makes it easy for you to remember them but virtually impossible for others to guess them.
Here are some tips on creating winning passwords.
Use keywords related to a theme. Choose a common, significant event: a honeymoon, the birth of a child, a new car, a new job.
Example phrases associated with a birth might be blueeyes, hurry, onemorepush, crankyRN, coldbracelet, roomsix and icechips. Ideas associated with a new car could be deepblue, 6CDs, 5speed and TiresThatGrip.
The idea here is that you use a variety of words associated with an event that other people would not readily guess. Remember that you may also need to mix in uppercase letters and numbers when you create a new password. For instance, "hurry" could become hUrry66 or Hur5ry.
Substitute numbers for letters based upon their appearance. With a little imagination, you can visualize numbers that bear resemblance to letters.
When you create a password, substitute a number where a letter would appear, according to the chart above. Some examples:
- scuba becomes 5cu8a
- water becomes w4t3r
- icecream becomes 1c3cr34m
So when you create a password, carry out the substitution from the chart. Some examples:
- scuba becomes sc7ba
- purple becomes 07r0l3
- rocket becomes 49ck35
Consistently capitalize the nth letter(s) of your password. Some systems require that at least one character be uppercase. Many people capitalize the first character, but this is too predictable. Instead, always capitalize the second, third or fourth letter, or perhaps always the last or next-to-last. Some examples: huRry, roCky, puRple, roCket.
For further interest, you can capitalize more than one letter, for instance the first and third, or the second and fourth.
Avoid predictable week-to-week or month-to-month changes. One example of a predictable pattern to avoid: eyesJan01, eyesFeb02, eyesMar03, etc. If someone was lucky enough to discover your password long ago, you don't want him to be able to predict what it will be in the future.
|Peter H. Gregory, CISSP, CISA, is an information technology and security consultant, a freelance writer and an author of several books, including Solaris Security, Enterprise Information Security, and CISSP for Dummies. As a consultant he provides strategic technology and security services to small and large businesses.
He can be reached at firstname.lastname@example.org.
His Web site is www.hartgregorygroup.com.
Store passwords in Counterpane Labs' Password Safe tool. All passwords are encrypted with the robust Blowfish algorithm. A nifty feature of Password Safe is that when you double-click on a previously stored password entry, it silently copies it to the clipboard so you can paste in the password even if others are watching you type.
Check the quality of your password at SecurityStats.com. This Web site performs calculations based on the complexity and "guessability" of your password and tells you how good your password is. Remember that your password is transmitted over the Internet in the clear, so you should try similar passwords instead of your actual passwords to get an idea of the characteristics of a good one.
Adopt ISO17799 password quality guidelines. Ask the IT department to implement best practices for password management in accordance with ISO17799, a widely recognized information security standard. According to the standard, here are some guidelines for passwords:
- They should be at least six characters long.
- They should be free of consecutive identical characters.
- Don't use all numbers or all letters.
- Avoid reusing or recycling old passwords.
- Require that passwords be changed at regular intervals.
- Force users to change temporary passwords at the next log-on.
- Maintain a record of previous user passwords and prevent their reuse.
- Change all vendor default passwords.
- Eliminate or lock shared-user accounts.
Warning: Don't use any of the password examples that appear in this article!
A note about password length: Some information security (infosec) professionals will bristle at ISO17799's recommendation for a mere six characters in a password. Some have told me that six characters are insufficient, based on the time it takes to crack a password. My response is this: Typically, hackers don't care about the length of passwords when choosing to crack open a computer account.
Organizations are rife with guest accounts, group accounts, accounts with no passwords, a lack of password expirations, passwords that can be easily guessed and opportunities to exploit technical weaknesses or perform social engineering. With all of these easy opportunities, computer accounts with good six-character passwords are only a trifle weaker than those with eight-character passwords. My point is that infosec professionals need to focus more on the compliance of good user-account hygiene than on the length of passwords.
- Editor's Note: Tips From Security Pros
- The Story So Far: IT Security
- Know Thy Users: Identity Management Done Right
- Opinion: Feeling Insecure About Databases
- Evaluate Outsourcing Partners
- Strengthen Security During Mergers
- Thwart Insider Abuse
- Privacy Protection, Step by Step
- Plug IM's Security Gaps
- Boost Your Security Career
- The Almanac: IT Security
- Buffer Overflow
- The Next Chapter: IT Security
- Thwarting attacks on Apache Web servers
- Tips for Securing Your Windows Operating System
- The Hacker's Wireless Toolbox Part 1
- How to defend against internal security threats
- Ten ways to defend against viruses
- Decoding Mobile Device Security
- Five ways to thwart threats to your network
- Secrets to the best passwords
- Social engineering: It's a matter of trust
- Five tips for effective patch management
- Security Basics: Where to Start
- Steps to a secure operating system
- WLAN chip sets open a new door to insecurity
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts