Choosing a Strong Password
I’m sure you thought that your dog’s name was an easy thing to remember when checking your email on a daily basis. Unfortunately, this is exactly what hackers and social engineers are counting on. Your password should have absolutely nothing to do with you on a personal level. That means no birthday, middle name, pet name, favorite food, or anything like it. In today’s social networking world, you give up your personal information voluntarily., so don’t rely on it to remember your passwords. Let’s begin with a few common complaints about complex passwords and find some reasonable solutions:
“If I make the password too complicated, I’ll never be able to remember it.”
Write the password down in a “password book” and keep it in a secure location. Never store your passwords and account information digitally (in a file on your computer), otherwise your password might as well be public information, because a single successful attempt to breach your firewall and gain access to your filesystem would also mean easy access to your passwords. Once you’ve referenced the book for your passwords a few times, you’ll remember them as easily as your ex-girlfriend’s phone number (which I still can’t seem to forget). Don’t write it down on a yellow sticky note and place it on your monitor or under your keyboard either. These are common places for social engineers to look (consider the film Terminator and the keys under the sun visor). Not being able to check your email until you get home to look in your password book is much better than leaving your password in an easily accessible place. If you’re going to do that, you might as well print your emails out and leave them on your desk. Never use complete words in your password, even if they aren’t english words. If you absolutely insist on using a word to help you remember a password, consider L33t.
“One secure password is good enough for all of my accounts.”
The problem with this notion is that different accounts use different security protocols. Some of your accounts may not accept more than alphanumerics (letters and numbers). Some accounts may store passwords in insecure locations, leaving you vulnerable every time you sign on. The best safeguard against this is to select a unique password for each account you have.
“I’ll just rely on a password generator to create random passwords for me.”
Generating your own random passwords really is more secure, because it’s based on algorithms that you create. It doesn’t have to be overly complex either. Consider this method: Open a book or other analog document that isn’t personal to you and select every 15th character (or every 7th. This number is random, but generally depends on average sentence length), whether it be a letter, number, or punctuation. Perhaps a mathematics or programming book. Even a cook book would be sufficient. Do this between 12 and 24 times, until you’ve found a reasonable character set. This blog would not be considered a particularly good dataset because it lacks a decent mixture of numbers and punctuation. In the first 15 characters, only one punctuation character appears (hnnci.taie). The longer the selected character string, the greater the variation of the string, allowing you to select a password from within he character string. For example, in the character string “Eqi%v3FW4)saI,vhe%G”, you could select the first 8 characters, or the last 8, or the middle 10 if you desired. Keep in mind that longer passwords are inherently more secure.
“How could they even guess my password? It’s not posted on my Facebook account.”
One type of brute-force password-obtaining method works like a tumbler, working on each character in sequence from the beginning of the password to the end. Most accounts have a minimum character requirement of 6, so modern tumblers don’t bother testing string lengths shorter than 6. Depending on the tumbler method, it may start with the string “aaaaaa”, or “zzzzzz”, or some obscure string based on an algorithm designed to guess obvious passwords, such as by comparing it first to dictionary words. Assuming the first method, a tumbler would be able to break the password “aaaaaa” on the first try. If the tumbler varied string length before characters, any number of ‘a’s would still require very little time to break. If the tumbler attempted capitalization of each character first, the password “Aaaaaa” would be defeated on the second attempt, and the password “AAAAAA” on the seventh (or much later, depending on the algorithm used). If the password contains only lowercase alphabet characters, which insecure passwords often do (and modern tumbler often attempt these combinations first), then each character will be one of 26 possible characters. A string length of 6 means 26^6 attempts are required to exhaust all possible combinations, or approximately 300 million. This may seem like a large enough number, but anyone with access to multiple machines can reduce the time required significantly. An alphanumeric password jumps the attempts to 36^6, or approximately 2 billion combinations. Allowing for capitalization effectively doubles the alphabet to 52, requiring 62^6 attempts to break a 6 character password, or approximately 57 billion combinations. Adding special characters to this (punctuation is one type) increases this number to around 91 (depending on the password protocol), requiring over 560 billion attempts to exhaust all combinations. Since password length increases the attempts exponentially, a bare minimum of 8 is the safest. Thusly, 26^8 is around 208 billion, which quite a deal larger than 300 million, and an extremely secure password might utilize any of the 91 characters 8 times, requiring 4.7 trillion attempts to exhaust all possibilities. This is why “chuckles” is a bad choice.
To sum up: create a randomized password with a bare minimum of 8 characters and utilize capitalization, letters and numbers, and random special characters such as commas and hashes and asterisks. Create your own from texts so that even the source of the password is obscured. Never store your password anywhere digitally and do not write it down anywhere but in one secure location, preferably in a book which only you have access to.