Menu
February 4th, 2006
We all know that we have too many passwords. Between pin numbers, e-mail, online shopping, voicemail, company networks, home security and various memberships the number of passwords we have to remember is staggering. I personally counted 38 activities that require passwords on a regular basis, as in at least once a week. Sometimes I get so bogged down I think I need a password just to get out of bed. But this is how it goes, with the ability to access and store information in more places, passwords are not going away anytime soon. With the acceptance that you need passwords I hope that this article will help you understand what sort of attacks your passwords will have to endure and why it's important to have a strong system for creating them.
Back in the day, which in computer speak is 15 minutes ago... well lets say 15 years ago, it seemed like the biggest threat against your passwords was another person expertly trying to crack it by combining your maiden name with your birthday and the word 'sex'. Today the intent is still largely the same but the tools are a lot more powerful. Instead of a person taking the time to personally get to know you and guess how you've strung together your password they've employed computer programs and viruses to do it for them. The software I use to test my systems utilizes complete dictionaries from 40 languages and has the ability, with enough time, to try every single combination of letters, numbers, and characters. Isn't that neat?
Before I give you guidance on how to develop a strong password system you should understand what many hackers are after so that you have proper incentive. When looking at pin numbers, online banking, and online shopping codes it's pretty obvious they're after money and things. When it comes to computers however, many times the interest is not in you per se, but the resources you have access to. Your e-mail for instance is on a server with loads of storage. If they can crack your account, perhaps they could use the space to store things or execute a program that will remotely do dirty work for them. Same goes for your company network, they probably don't know who you are, what you do or even care, they just know you have a nice server and fast internet connection that they sure would like to use.
Don't wipe your brow yet though, because a hacker secretly using your resources is about the nicest thing that can happen when your network or e-mail security has been compromised. Think of all the information that can be obtained by an identity theif with access to your e-mail. As an example: If you've flown Northwest Airlines your entire NWA account can be compromised by having access to your e-mail. Northwest will kindly e-mail you your frequent flyer number and current PIN. Now your NWA account can be viewed, which will reveal partial credit card numbers (a common security verification for other websites), when you're flying out of town (in case they want to rob you), easy miles redemption (in case they want to fly somewhere with your miles), and don't forget that NWA pin number... hopefully it's not the same one you use for your ATM, voicemail, or other websites. And if someone can read your e-mail they'll know where you shop online to try logging in there. As if this example isn't incentive enough, let's not forget that not only can they read your e-mail, but also send it on your behalf.
I've been referring to creating a strong "password system" because it is not good enough to come up with a single superstar password for everything you do. Different activities have different risk exposures. For instance, your online bank account is much more important than your joke-of-the-day mailing list account. As such, the bank is going to be much more careful with your information than the jokesters. It does not make sense to use something as important as your banking credentials on the insecure, run by an amateur joke-a-day website. Instead, the idea is to come up with a system for creating strong passwords for yourself that is predictable to your brain, but seemingly random to other people and computers. Don't worry, it is easier than you think.
First, follow these strict rules:
A strong password must:
1. Be at least seven characters long. The longer the better.
2. Contain characters from each of the following three groups:
| Group | Example |
|---|---|
| Letters (uppercase and lowercase) | A, B, C... (and a, b, c...) |
| Numerals | 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 |
| Symbols (all characters not defined as letters or numerals) | ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] : " ; ' < > ? , . / |
3. Have at least one symbol character in the middle.
4. Be significantly different from prior passwords.
5. Not contain your name or user name.
6. Not be just a common word or name.
Now learn "The System":
Try to create a stream of thoughts to generate your password. For instance, think of 3 favorite things:
Car: BMW 545i
College: U of M
Game Show: Wheel of Fortune (WoF)
All of these items are connected by only 1 thing, they're your favorite things, but using the rules above can be spun into some very difficult to crack passwords:
545i-UofM :: Strong
BMW-UofM545i :: More Strong
BMW-UofM545iWoF! :: Very Strong
BMW-UofM545iWoFortune! :: Super Strong
You could to this just as easily with thinking of 3 things related to work
Address: 405 Main St.
Year Started: 1978
Favorite Desk Item: Hole Punch
405Main`78 :: Strong
405Main`78Hole :: More Strong
405Main`78HolePunch :: Very Strong
405MainSt.1978HolePunch :: Super Strong
Or even golf:
Favorite Club: 7-iron
Lowest Score: 83
Favorite Ball: Titleist Pro VI
7-iron83! :: Strong
7-ironPro-VI :: More Strong
7-iron83Pro-VI :: Very Strong
7-ironTitleistPro-VI83 :: Super Strong
Once you give yourself a stream of thoughts to work with you'll have an easier time creating and remembering your passwords.
The password examples above have different strenghts; the reason for this has to do with the bank vs. joke-of-the-day example earlier. It is important to assess what activities require different levels of passwords. In an ideal world you would be able perfectly remember unique super strong passwords for everything... well ideally we wouldn't need them in the first place. But memory is limited, you're going to want to use short passwords and you're going to want to use the same password for multiple things. You are not a bad person for doing this, I do it too, but help yourself out and assess the importance of the information being protected and assign an appropriatly strong or unique password. In general, minor memberships, newsletters, online games etc. should use your 'strong' password. Online shopping and things with credit-cards involved should use your 'quite strong' password. Activities that involve your social security number or credit-card being stored online in a profile should have 'very strong' passwords. Finally, your e-mail account(s) should have the strongest password of all and it should never be used for anything but e-mail, it is just too important.
