Ten Steps To A More Secure Password

Tuesday, May 31, 2011

Global Knowledge


Article by John Mark Ivey

As a former IT Support Technician at a major metropolitan newspaper, I know how lax some employees can be when it comes to creating passwords.

Reporters are the worst, and ad sales reps come in a close second.

I made a point to preach password security to most co-workers I supported – especially those who dealt with personnel records, credit card info, and other potentially sensitive documents.

Below are some tips that’ll make your passwords a hundred times harder to hack whether you’re protecting your email, your work computer, your World of Warcraft account, or just your online banking access.

1 – Length Matters

Every character you add to your password increases its security by probably 1,000-fold. So your password is only four characters, huh? Now you’re just being lazy. Hope you don’t mind if a complete stranger reads your e-mail.

Though eight-character passwords are very popular, if you want to make a hacker’s life hellacious, create a 12- or 14-character password.

2 – Don’t Use Names

If I were trying to guess your password, my first guesses would be your name, your wife’s, your kid’s, and your pet’s if I knew you well enough or had access to your completely public Facebook account.

Admiral Barky is a great pet name, but as far as passwords go, it’s kind of weak, especially since Admiral Barky’s very own Facebook page is open to the public as well.

3 – Use Uppercase Characters

By using at least one uppercase character, you make your password considerably harder to crack. If you capitalize a letter other than the first (which is, of course, the most popular choice), you increase your password’s security even more.

4 – Use Special Characters

You’d be surprised how much more difficult an asterisk, exclamation mark, or plus sign will make your password to crack. Let your inner geek muse go wild with choices like “linux+Penguin,” “BigB@ngTheory” or my probable future DC Online password “greenLan+ern.”

5 – Keep It Complicated

Essentially every word allowed in Scrabble, even if it contains the letters Q, K, P, or Z, is unusable by itself as a secure password. Ever thought about using “12345678” or “qwerty”? Well don’t.

The same goes for “password,” “internet,” “security,” and “letmein.” Even though I am a fan of the popular alternative “p@ssword,” add some numbers or an uppercase character to secure it further.

If you have used common passwords, it’s okay; most of your peers have done the same in the past. Just make sure it stays in the past, because those weak passwords won’t last long against a determined hacker.

6 – You Can Never Use Place Names Again

You were born in Richmond, and it’s a fine city, but it makes for a bad password. I hear that Florence, Italy, and Florence, SC are both great places to live, but steer clear of place names when it comes to password creation.

Eight-letter words are very tempting, aren’t they, Portland? But they are just too dangerous to use. I bet plenty of Atlanta residents use “atl30322,” the popular nickname for Atlanta plus the zip code. You can be more original than that. Show some creativity.

7 – Keep It Creative

Speaking of creativity, Green Bay and the Steelers had awesome seasons, but don’t do it. I’m a longtime Duke Basketball fan, but they’ve never made an appearance in my password tourney.

I like the Black Eyed Peas as well as any music act these days, though they’re better in concert than the studio, but that’s no reason to base my password security on them. But I have to confess that “Ferg@!icious” just might work.

8 – Numbers Aren’t As Secure As They Used To Be

There was a time when your birthdate would have probably made a fairly secure password. But not anymore. Same goes for your anniversary, the year you were born, your full Social Security number or the last four digits, a telephone number, and the aforementioned zip code.

Adding at least one letter to your numerical password is a good habit, just like one number or an uppercase character helps secure a password of mostly letters.

9 – Make It Memorable

When I used to be tasked with resetting passwords, I found that the users who forgot their passwords most often were the ones who were most likely to “dumb-down” their passwords. They gave up security for convenience despite having a readily available department on duty to reset passwords in an instant.

A secure password that is memorable is not hard to achieve with some effort. There has to be something with some associated numbers that has some meaning to you every time you stare at that empty password field on your computer screen even after a week’s vacation. Just don’t be tempted to ever write it down.

10 – Acronyms Can Help

How secure do you think “Idw2mmpw2l” would be? It’s simply the sentence — “I don’t want to make my password too long.” Memorable acronyms like “The quick brown fox jumps over the lazy dog,” resulting in “tqbfjotld,” would prove to be less secure than something random unless you throw in an uppercase letter, a number, or special character or two.

Actually, I came up with this method when a co-worker I supported “cns2rh@#$%pw”, or, in other words, “could never seem to remember his darn password.” Only slightly paraphrased of course.
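As an added example that is not part of the original article, here is a small Python checker that scores a candidate against the rules above (length, uppercase, special character, digits only, and a word blacklist covering the name, dictionary and place-name steps) and applies the step 10 acronym trick. The word list is a constructed stand-in, and the "to/too becomes 2, for becomes 4" rule is my own assumption about how the author built his acronyms.

```python
import math
import re
import string

# Constructed stand-in for the dictionary, name and place-name lists the article
# warns about; a real checker would load full wordlists. Values are examples only.
WEAK_WORDS = {"password", "internet", "security", "letmein", "qwerty",
              "richmond", "florence", "portland", "atlanta", "atl", "steelers"}

def charset_size(pw: str) -> int:
    """Size of the printable-ASCII alphabet a brute-force attacker has to cover."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)  # 32
    return size

def entropy_bits(pw: str) -> float:
    """log2(alphabet ** length): each extra character multiplies the search space."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0

def problems(pw: str) -> list:
    """Rules from the article that the password breaks (empty list means it passes)."""
    checks = [
        (len(pw) < 12, "shorter than 12 characters"),                           # step 1
        (not any(c.isupper() for c in pw), "no uppercase character"),           # step 3
        (not any(c in string.punctuation for c in pw), "no special character"),  # step 4
        (pw.isdigit(), "digits only"),                                          # step 8
    ]
    issues = [msg for bad, msg in checks if bad]
    # Strip digits/punctuation so "atl30322" is still caught as "atl" plus a zip code.
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in WEAK_WORDS:                                                      # steps 2, 5, 6, 7
        issues.append("common word, name or place: %r" % core)
    return issues

def acronym(sentence: str) -> str:
    """Step 10: first letter of each word; 'to'/'too' -> 2 and 'for' -> 4 (assumed rule)."""
    out = []
    for word in re.findall(r"[A-Za-z']+", sentence):
        low = word.lower()
        out.append("2" if low in ("to", "too") else "4" if low == "for" else word[0])
    return "".join(out)

if __name__ == "__main__":
    for cand in ("atl30322", "greenLan+ern", acronym("The quick brown fox jumps over the lazy dog")):
        print("%-14s %5.1f bits  %s" % (cand, entropy_bits(cand), problems(cand) or "ok"))
```

Note that the author's own "Idw2mmpw2l" abbreviates "password" to "pw", so the assumed rule yields "Idw2mmp2l" for that sentence; either way the bare acronym still fails the length and special-character rules, which is exactly the article's point.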

Cross-posted from Global Knowledge

Vieri Tenuta: Something that beats almost all password complexity requirements is the use of ASCII characters in your password. A favorite of mine is using the "ALT+255" space character within a password. It's completely identical to a space visually, but registers as a totally different character. In general, password crackers do not employ ASCII characters as part of the brute forcing techniques, effectively making them useless.

Additionally, adding ASCII characters increases the total number of available combinations exponentially, therefore making a longer period of time for a brute force attack to be successful.

Be wary of using these types of passwords on websites you log into on your mobile phones, as most don't have the capability to insert ASCII characters without the use of a special "keyboard app".
an orion: 7 and 3 kind of suck.
You also glaringly omitted changing passwords frequently, and using different passwords for different services.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.