How crackable are your passwords? Do you, like hundreds of thousands of others, use ‘password’ or ‘12345678’ as your password? Or do you cunningly resort to using your daughter’s—or mother’s, sister’s, brother’s, father’s, partner’s, pet’s, favorite sports star’s—name reversed or with a number on the end? Alas, that’s not so cunning. Anyone who knows you is already halfway to cracking your password. Anyone who has a password cracking tool—easily locatable on the Internet—won’t have any problems getting into your system.
Brute-force password cracking programs, used by crackers and by system administrators wishing to test the strength of employees’ passwords, can crack most passwords within a couple of days.
Take, for example, the experience of one large technology company that used a password auditing tool to test its password security. Within 10 minutes, 18 percent of the company’s passwords had been cracked. Within 48 hours, that figure rose to 90 percent. And this was at a company where employees were required to choose passwords of nine characters or more containing mixed case and including numbers or symbols.
How do you think your password would fare?
The problem with passwords
The trouble with passwords is they need to be cryptic enough that they’re not easily cracked and yet memorable enough so our poor human brains have a chance of recalling them.
In companies where users are required to change their passwords on a regular basis, most users resort to one of two tactics. The first is to write the password down and keep it somewhere handy but out of sight. The second is to rotate the same few passwords month after month. Both methods are highly insecure.
Unfortunately, with the growth of the Internet, password protection has become an increasingly big issue. Having your computer online makes it more accessible to intruders. At the same time, you probably find yourself having to come up with more and more passwords: One to log on to Windows; one to connect to your email; one for logging into your work computer remotely; one for your favorite instant messaging program; one for each shopping site you visit; one for each online banking service you use; innumerable ones for websites that require password access. It’s not uncommon for computer users to have several dozen logins or passwords.
That makes trying to find a solution that recognizes both human limits and the needs of security no easy task.
So what constitutes a good password? Here are some tests you should apply to all your passwords:
- It should be memorable. If you have to write it down, it’s of no use.
- It should not be easily guessable.
- It should be at least eight characters long. Shorter passwords are far more easily cracked. Some sites limit passwords to four characters. That’s okay if the site’s purpose is trivial, but be wary of storing any sensitive information on such a site.
- It should contain a combination of uppercase and lowercase letters, numbers and punctuation marks.
- It should be unique. Do not use the same password for multiple purposes. In particular, don’t mix work and pleasure passwords; for example, don’t use your banking password on your Facebook account.
A practical solution
If you read through that list of good password requirements and you’re now thinking “My brain hurts,” never fear! There’s a way to meet all those requirements without taxing your synapses too much.
How? By using a password creation technique recommended by the U.S. government’s National Infrastructure Protection Center. It’s easy to do:
- Choose a phrase you will remember.
- Choose a date you will remember.
- Interlace the date with the first letter of words in the phrase.
For instance, if your date is 12/12/60 and your phrase is “Shall I compare thee to a summer’s day?”, interlacing the 6-character date and the first six words of the phrase will give you:
1S2I1c2t6t0a
Add another level of security by including punctuation. For instance, we could grab the question mark from the end of the phrase and place it at the end of the password:
1S2I1c2t6t0a?
To ratchet up the security another notch, modify the password for each site or service you use by adding distinguishing letter(s) for that site. For instance, you might choose to include the first letter—capitalized—of a site’s domain name in the password, and make that letter the second last character in the password.
For example, if your password is 1S2I1c2t6t0a? and you want to modify it for use at Chase Bank and for Facebook, you’d end up with the following two passwords:
- Chase Bank: 1S2I1c2t6t0aC?
- Facebook: 1S2I1c2t6t0aF?
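The three steps above (interlace, add punctuation, tag per site) plus the composition tests from the earlier list, written out as an added example; this is illustration code, not something from the article or from the NIPC, and the function names and the domain-to-letter rule (first alphabetic character of the domain after any "www.") are my assumptions.

```python
import string

def interlace(phrase: str, date: str) -> str:
    """Interlace each digit of the date with the first letter of the
    corresponding word of the phrase, keeping each word's own case."""
    digits = [c for c in date if c.isdigit()]        # "12/12/60" -> 1 2 1 2 6 0
    initials = []
    for word in phrase.split():
        first = next((c for c in word if c.isalpha()), None)
        if first:
            initials.append(first)
    if len(initials) < len(digits):
        raise ValueError("the phrase needs at least one word per date digit")
    # Only as many words as there are digits are used (six for a 6-digit date).
    return "".join(d + i for d, i in zip(digits, initials))

def add_punctuation(password: str, mark: str = "?") -> str:
    """Append a punctuation mark taken from the phrase (the article uses '?')."""
    return password + mark

def for_site(password: str, domain: str) -> str:
    """Make the password site-specific: the capitalised first letter of the
    domain name becomes the second-last character, ahead of the trailing mark.
    The domain-to-letter rule is an assumption, not spelled out by the article."""
    name = domain.lower().removeprefix("www.")
    letter = next(c for c in name if c.isalpha()).upper()
    return password[:-1] + letter + password[-1]

def meets_tests(password: str, min_len: int = 8) -> bool:
    """The article's composition tests: at least min_len characters with
    upper case, lower case, a digit and a punctuation mark."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

if __name__ == "__main__":
    base = interlace("Shall I compare thee to a summer's day?", "12/12/60")
    strong = add_punctuation(base)
    for site in ("chase.com", "facebook.com"):
        pw = for_site(strong, site)
        print(site, pw, "passes" if meets_tests(pw) else "fails")
```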
Even though the password itself isn’t easy to remember, it’s very easily reconstructed. That’s the beauty of this method. Just remember: Never reveal your phrase and date choice to anyone else.
Change is good
To take your password security one final step, change your password regularly.
How often is “regularly”? Most good passwords of this size can probably be cracked within a couple of months, given enough computing power. So you should change your password before those two months expire. Do so more frequently if you feel particularly vulnerable, and do so immediately if you do anything to compromise your chosen phrase and date.
To change it, simply come up with a new memorable phrase and date combo.
When choosing a password, never:
- Use a word found in a dictionary (even a foreign language or technical dictionary).
- Use a dictionary word followed by two numbers.
- Use a word containing any sequence of four or more letters which can be found in a dictionary.
- Use any dictionary word or sequence reversed.
- Use the names of people (family members, friends, celebrities and so on), places, pets.
- Write it down and store it near your computer.
- Share it with anyone else.
- Use the same password for more than one account.
- Use the same password for an extended period of time.
- Use the default password provided by a site or computer manufacturer.
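As an added example (not from the article), a small auditor that checks a candidate password against the "never" rules above. The word, name and default-password lists are constructed stand-ins for the real lists a cracking tool would carry; the one-password-per-account and change-frequency rules are left out because they cannot be judged from a single password.

```python
import re

# Constructed stand-ins for a dictionary, a name list and vendor defaults;
# a real audit would load full word lists (the article names no specific list).
WORDS = {"password", "summer", "shall", "compare", "rose", "chase", "admin"}
NAMES = {"alice", "bob", "fido"}
DEFAULTS = {"password", "admin", "12345678", "changeme"}

def substrings(s: str, min_len: int) -> set[str]:
    """All substrings of s that are at least min_len characters long."""
    return {s[i:j] for i in range(len(s)) for j in range(i + min_len, len(s) + 1)}

def violations(pw: str) -> list[str]:
    """Return the 'never' rules the password breaks; an empty list is a pass."""
    low = pw.lower()
    found = []
    # Never: a dictionary word, or a dictionary word followed by two numbers.
    m = re.fullmatch(r"([a-z]+)(\d{2})?", low)
    if m and m.group(1) in WORDS:
        found.append("dictionary word")
    # Never: any run of four or more letters found in a dictionary, forwards
    # or reversed. Every run of letters is checked, not just the whole string.
    for run in re.findall(r"[a-z]+", low):
        pieces = substrings(run, 4)
        if any(p in WORDS for p in pieces):
            found.append("dictionary sequence")
        if any(p[::-1] in WORDS for p in pieces):
            found.append("reversed dictionary sequence")
        # Never: names of people, pets and so on (three or more letters).
        if any(p in NAMES or p[::-1] in NAMES for p in substrings(run, 3)):
            found.append("name")
    # Never: a default password provided by a site or manufacturer.
    if low in DEFAULTS:
        found.append("default password")
    return list(dict.fromkeys(found))   # drop duplicates, keep order

if __name__ == "__main__":
    for candidate in ("password", "Summer99", "drowssap1", "Fido2024", "1S2I1c2t6t0aC?"):
        print(f"{candidate:16} {violations(candidate) or 'no rule broken'}")
```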
© 2013 Rose Vines