Create Strong Passwords
Examples of Threats:
- When a password is stolen, a thief or hacker can easily access your private information and use your account.
- Using the "remember password" function on your computer makes you vulnerable, especially if your laptop is stolen.
Our Tips:
- Create strong passwords that use random combinations of uppercase and lowercase letters, numbers, and characters.
- Use different passwords for each account.
- Change your passwords every six months or so.
- Do not use the remember password function on your Internet browser or other software programs.
Just about every account you access with your computer requires a password. In fact, you probably have to enter a password just to access your computer. Through the course of a day using your computer, you will likely access several programs or websites requiring a password. If you pay bills online, you will likely have dozens of accounts, each requiring a password. Here are some of the most common applications with password protection:
- Logging in to your computer (Windows login)
- Websites requiring a login account
- E-mail accounts
- Instant messaging services
- Shared network files and directories
- Broadband Internet account
- Administrator access to your home network router
- Wireless network encryption key (for example, WEP or WPA)
Because of the volume of passwords needed, most people create passwords that are easy for them to remember. The problem is that your password is the last line of defense protecting your personal and financial information. Chances are that your passwords are weak, meaning they are easy to crack, and we mean really easy. In this chapter, we explain the difference between weak and strong passwords, and we show you how to create strong passwords that are both hard for others to crack and yet easy for you to remember.
Anatomy of a Lousy Password
Before we get started on how to create a hard-to-crack password, let's look at the type of weak passwords that are overused and easy to break. How easy, you ask? Well, there is a free and easy-to-obtain program called Crack that can be used to systematically attempt to guess your password, trying out millions of passwords in a matter of hours through the use of an internal dictionary. This dictionary checks against every known word, in just about every language, with all standard manipulations, including character replacements, common misspellings, and letter reorderings. It also checks against names in every language (including the Chinese phone book). If that were not bad enough, it also checks against common character patterns, fictional characters and places, and every real place in the galaxy that has a name. In addition, it checks every date in every format. In other words, if it is a person, a time, an event, a place, a thing, or even a thing's place, or a person's thing, it is a bad idea to use it as a password.
Hackers use programs such as this to conduct what are known as brute-force password attacks, meaning they use a program to keep trying password after password until they get a hit. Weak passwords make such attacks much easier.
| Password | Why it is weak |
|---|---|
| password | This is not clever. Do not use any known words, especially this one. |
| wordpass | Also not clever and easily cracked because it is made up of common words. |
| drowssap | Crack (and other programs like it) checks for words written in reverse. |
| Pa$$word | Crack (and other programs like it) checks for character replacements. |
| passwurd | Crack (and other programs like it) checks for misspellings, phonetic or otherwise. |
| Password49 | Adding numbers to the end of a word does not make a password harder to crack. |
| 123password | Prefixing words with numbers does not make a password harder to crack. |
| wachtwoord | Using Dutch (or any other known language, including Klingon and Hobbit) does not help. Crack checks them all. |
| 12345 | This is just something an idiot would use on their luggage. |
| lkjhgf | This is a consecutive string of keyboard characters that is easy to crack. |
| 14159265 | Any nonsequential, but algorithmic pattern is easily cracked. (This is the first eight digits of pi to the right of the decimal point.) |
| abbcccdddd | Any repeating pattern is easily cracked. |
| mrsmee | Crack (and other programs like it) checks for literary characters. |
| lordnelson | Crack (and other programs like it) checks for real people and historical figures. |
| 1600pennave | Do not use real addresses. Crack (and other programs like it) checks for them. |
| 22 BakerSt | Crack (and other programs like it) checks for fake addresses, too. |
| Raleigh | Do not use real places. Crack (and other programs like it) checks for them. |
| munchkinland | Crack (and other programs like it) checks for made up places, too. |
| (blank) | No password. Although this may be convenient for Windows login, it is ill advised. |
These are just a few examples of weak and easily cracked passwords. In general, if you use something familiar to you, Crack and other programs like it will figure it out. Also, you should never use personal information such as dates, login names, Social Security numbers, or any other number associated with you for your password.
Now that we have probably convinced you to change all your passwords, let's look at what it takes for a password to be considered strong.
Elements of a Strong Password
In a few words, a strong password is a random bunch of letters, numbers, and characters, usually eight or more characters long. The eight-character thing is really about the math and not a hard-and-fast rule. In fact, the more characters, the better, but only if the password is truly random. Let's look briefly at why random passwords are so hard for Crack to break.
Assume for a moment that you have a completely random password, one that cannot be found in even the most complete cracking dictionary on Earth. In this case, the only way to crack the password is the brute-force method of checking against all possible character combinations. The best defense against this method is to stack the odds in your favor so that it comes close to mathematically impossible to guess the password.
Here is how that is done. To start with, we have a lot of characters to work with:
- There are 26 letters in the English alphabet (a-z).
- All can be capitalized (A-Z) or lowercase (a-z).
- There are 10 numeric digits (0-9).
- There are roughly 30 other special characters on a standard keyboard (!, <, @, >, ?, and so on). Not all are accepted by password-checking tools, so let's say about 15 of the 30 are.
If you create a truly random pattern of letters, numbers, and characters, there are about 77 possibilities (26 + 26 + 10 + 15) for each character position in the password. If you use 8 characters, you raise that number to the power of 8, which gives you 1,235,736,291,547,681 combinations. It would take an awful lot of computing power (and several years) to try all the combinations that would eventually result in the right answer. To make it even harder on any would-be crackers, in addition to using a strong password you should change passwords periodically (we discuss how often a little later).
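The arithmetic above, carried through in code so you can compare alphabet sizes and lengths side by side. This is an added example, not part of the chapter: the character-class sizes are the chapter's (26 + 26 + 10 + 15 = 77), while the guessing rate of 1,000 guesses per second is an assumption constructed from the chapter's "millions of passwords in a matter of hours" description, and the function names are ours.

```python
import math

# Character classes from the chapter: lowercase, uppercase, digits, and the
# ~15 keyboard symbols that password checkers typically accept.
CLASSES = {
    "lowercase only": 26,
    "letters and digits": 26 + 26 + 10,
    "full alphabet": 26 + 26 + 10 + 15,  # 77
}

# Assumed attacker speed (constructed from "millions of guesses in hours").
ASSUMED_GUESSES_PER_SECOND = 1_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters drawn uniformly from an alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a truly random password: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case years needed to try every candidate at a constant guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(length: int) -> dict:
    """Keyspace for each of the chapter's character classes at one password length."""
    return {label: keyspace(size, length) for label, size in CLASSES.items()}


if __name__ == "__main__":
    # Show how the keyspace grows with both alphabet size and length.
    for length in (6, 8, 12):
        for label, size in CLASSES.items():
            space = keyspace(size, length)
            print(f"{length:2d} chars, {label:19s}: {space:>28,d} "
                  f"= {entropy_bits(size, length):5.1f} bits, "
                  f"{years_to_exhaust(space):>12,.0f} years at {ASSUMED_GUESSES_PER_SECOND:,}/s")
```

The years column depends entirely on the attacker's guess rate, which is why the chapter's advice leans on length and randomness rather than on any particular time estimate: every extra character multiplies the keyspace by the alphabet size, whereas a faster attacker only divides the time by a constant.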
How to Create a Strong Password That You Can Remember
So here you are, knowing that you need a strong password, but how are you supposed to remember *Dsq#}3frP and 17 other uniquely random passwords for all your various accounts?
The answer is that you can use some personal information that will be easy for you to remember but difficult for others to guess. Here is how:
Start with a sentence about you or your family. For example: My sister Joanne is four years older than my brother Matt.
Take the first letter of each word. If you have a number in your sentence use the number. The base password is now:
msji4yotmbm
Make case substitutions. With this sentence, we could use the grammatical capitalization for the password, giving us:
MsJi4yotmbM
Make character substitutions. Finally, look for opportunities to use other characters that will still be easy to remember, such as $ for s. Our final password looks like this:
"M$J!4y0tmbM"
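The four steps above, written out as a small program that reproduces the chapter's example end to end and then checks which character classes the result contains. This is an added example, not the chapter's own code: the number-word table, the fixed substitution map ($ for s, ! for i, 0 for o) and the function names are assumptions chosen to match the worked example; the chapter itself leaves the substitutions up to you.

```python
import re
import string

# Step 2 says to use any number that appears in the sentence. Spelled-out
# numbers are mapped to digits here (constructed table for this example).
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

# Step 4: easy-to-remember substitutions. Fixed map assumed for this example.
SUBSTITUTIONS = {"s": "$", "i": "!", "o": "0"}


def initials(sentence: str, keep_case: bool = False) -> str:
    """Steps 1-3: first character of each word, numbers kept as digits.

    With keep_case=False every letter is lowercased (the base password);
    with keep_case=True the sentence's own capitalization is preserved.
    """
    out = []
    for word in re.findall(r"[A-Za-z0-9']+", sentence):
        lowered = word.lower()
        if lowered in NUMBER_WORDS:
            out.append(NUMBER_WORDS[lowered])
        elif word.isdigit():
            out.append(word)
        else:
            out.append(word[0] if keep_case else lowered[0])
    return "".join(out)


def substitute(password: str) -> str:
    """Step 4: apply the character substitutions wherever they fit."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in password)


def build_password(sentence: str) -> dict:
    """Run all four steps and return each intermediate form."""
    base = initials(sentence)
    cased = initials(sentence, keep_case=True)
    return {"base": base, "cased": cased, "final": substitute(cased)}


def character_classes(password: str) -> set:
    """Which of the chapter's four character classes a password draws from."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    result = build_password("My sister Joanne is four years older than my brother Matt")
    for step, value in result.items():
        print(f"{step:5s}: {value}")
    print("classes used:", sorted(character_classes(result["final"])))
```

The point of the `character_classes` check is the one the previous section makes: the finished password should draw from all four classes (uppercase, lowercase, digits, symbols) so that every position is chosen from the full alphabet, while the sentence, not the password, is what you memorize.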
Additional Password Tips
Here are some additional tips and considerations for passwords:
- Do not reuse passwords. If at all possible, try to use a unique password for each of your accounts. If you only have one or two password-protected accounts, this should not be too hard. If you have several, however, it might be difficult to remember them all, even with the technique covered earlier. Consider writing them down in a safe place (but see the next tip).
- Do not write your passwords down unless you can keep them safe. Most password advice says that you should never write down a password. We think this is a good guideline, but quite frankly most of us have 20 or more accounts. It is better to have a unique password for each account and to write them down somewhere, rather than creating a single password that you use on all your accounts. Here's the trick though: If you write down your passwords, keep them secured in a locked cabinet or safe. In your desk drawer or taped under your keyboard are all bad places for a written list of passwords. In a wallet, purse, or backpack is even worse. There are also programs such as Password Corral that allow you to store all of your passwords in a password-protected file on your PC. This way you only need to commit one password to memory. You can also write down the sentence if you used the method in the example earlier (My sister Joanne …); just remember your conversion rules and you can easily re-obtain your password.
- Avoid using your passwords on public computers. Even if the remember-password function is turned off, there could be a keystroke logger or other hacking tool that someone has installed. Anything you type could be collected and used against you.
- Never enable the remember-password option in Windows or Internet browsers. Even if you are using a computer that no one else uses, do not use this option. (This should be doubly obvious if you are using a shared computer.) Having this option turned on may be convenient, but if you ever lose your laptop (or if it is stolen), someone can easily check all the sites recently visited with your browser and get easy access to all your private information.
- Never share your password with anyone. If you do, change it right away.
- Never send your password in an e-mail. This is especially the case if you receive an e-mail asking for your account information, even if the e-mail looks legitimate.
- Change your password periodically. Some experts advocate changing your passwords every three months. For most accounts, this is a bit much, especially if you create strong passwords such as the one shown earlier. A more realistic period is every six months or so. Never go more than a year with any password, and just so you know, rotating passwords among different accounts does not count as changing a password. Use the technique presented earlier and start from scratch. If you think you have been hacked, change all your passwords immediately.
Summary
Most people do not take their passwords seriously enough, opting for something convenient rather than actually protecting their personal information. Do not make this mistake. A good password is your first and sometimes only defense against hackers and identity thieves. You should not use your spouse's name (or any other weak password) any more than you should attempt to lock a safe full of your valuables using a bread tie. Neither of these will stop someone from getting in and taking your stuff.