Figure: Password tests. The results from testing the following passwords on How Secure is My Password: Summers, Summer’s and 1S2I1c2t6t0aF?

How crackable are your passwords? Do you, like hundreds of thousands of others, use ‘password’ or ‘12345678’ as your password? Or do you cunningly resort to using your daughter’s—or mother’s, sister’s, brother’s, father’s, partner’s, pet’s, favorite sports star’s—name reversed or with a number on the end? Alas, that’s not so cunning. Anyone who knows you is already halfway to cracking your password. Anyone who has a password cracking tool—easily locatable on the Internet—won’t have any problems getting into your system.

Brute-force password cracking programs, used by crackers and by system administrators wishing to test the strength of employees’ passwords, can crack most passwords within a couple of days.

Take, for example, the experience of one large technology company that used a password auditing tool to test its password security. Within 10 minutes, 18 percent of the company’s passwords had been cracked. Within 48 hours, that figure rose to 90 percent. And this was at a company where employees were required to choose passwords of nine characters or more containing mixed case and including numbers or symbols.

How do you think your password would fare?

The problem with passwords

The trouble with passwords is they need to be cryptic enough that they’re not easily cracked and yet memorable enough so our poor human brains have a chance of recalling them.

In companies where users are required to change their passwords on a regular basis, most users resort to one of two tactics. The first is to write the password down and keep it somewhere handy but out of sight. The second is to rotate the same few passwords month after month. Both methods are highly insecure.

Unfortunately, with the growth of the Internet, password protection has become an increasingly big issue. Having your computer online makes it more accessible to intruders. At the same time, you probably find yourself having to come up with more and more passwords: One to log on to Windows; one to connect to your email; one for logging into your work computer remotely; one for your favorite instant messaging program; one for each shopping site you visit; one for each online banking service you use; innumerable ones for websites that require password access. It’s not uncommon for computer users to have several dozen logins or passwords.

That makes trying to find a solution that recognizes both human limits and the needs of security no easy task.

Good passwords

So what constitutes a good password? Here are some tests you should apply to all your passwords:

  • It should be memorable. If you have to write it down, it’s of no use.
  • It should not be easily guessable.
  • It should be at least eight characters long. Shorter passwords are far more easily cracked, because every character you add multiplies the number of guesses a brute-force attack has to make. Some sites limit passwords to four characters. That’s okay if the site’s purpose is trivial, but be wary of storing any sensitive information on such a site.
  • It should contain a combination of uppercase and lowercase letters, numbers and punctuation marks.
  • It should be unique. Do not use the same password for multiple purposes. In particular, don’t mix work and pleasure passwords; for example, don’t use your banking password on your Facebook account.

A practical solution

If you read through that list of good password requirements and you’re now thinking “My brain hurts,” never fear! There’s a way to meet all those requirements without taxing your synapses too much.

How? By using a password creation technique recommended by the U.S. government’s National Infrastructure Protection Center. It’s easy to do:

  1. Choose a phrase you will remember.
  2. Choose a date you will remember.
  3. Interlace the date with the first letter of words in the phrase.

For instance, if your date is 12/12/60 and your phrase is “Shall I compare thee to a summer’s day?”, interlacing the six digits of the date with the first letters of the first six words of the phrase will give you:

1S2I1c2t6t0a

Add another level of security by including punctuation. For instance, we could grab the question mark from the end of the phrase and place it at the end of the password:

1S2I1c2t6t0a?

To ratchet up the security another notch, modify the password for each site or service you use by adding distinguishing letter(s) for that site. For instance, you might choose to include the first letter—capitalized—of a site’s domain name in the password, and make that letter the second-to-last character in the password.

For example, if your password is 1S2I1c2t6t0a? and you want to modify it for use at Chase Bank and for Facebook, you’d end up with the following two passwords:

  • Chase Bank: 1S2I1c2t6t0aC?
  • Facebook: 1S2I1c2t6t0aF?
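The three steps above, together with the punctuation and site-letter refinements, as an added example in Python (this is not code from the original article or from the National Infrastructure Protection Center). It assumes the date is entered with separators that are discarded, that the trailing punctuation is taken from the end of the phrase, and that the site letter is the first letter of the domain name with any leading “www.” removed; all three are choices made here to reproduce the article’s examples.

```python
"""Passphrase-plus-date password builder (added example, not the article's own code)."""


def date_digits(date: str) -> str:
    """Keep only the digits of a date: '12/12/60' -> '121260'."""
    return "".join(ch for ch in date if ch.isdigit())


def word_initials(phrase: str) -> list:
    """First letter of every word, case preserved: 'Shall I compare ...' -> ['S', 'I', 'c', ...]."""
    return [w[0] for w in phrase.split() if w[0].isalpha()]


def interlace(date: str, phrase: str) -> str:
    """Step 3: alternate each date digit with the next word initial -> '1S2I1c2t6t0a'.
    Extra words in the phrase are ignored; too few words is an error."""
    digits = date_digits(date)
    initials = word_initials(phrase)
    if len(initials) < len(digits):
        raise ValueError("phrase must have at least as many words as the date has digits")
    return "".join(d + i for d, i in zip(digits, initials))


def trailing_punctuation(phrase: str) -> str:
    """Punctuation reused from the end of the phrase ('?' in the article's example)."""
    last = phrase.strip()[-1]
    return "" if last.isalnum() else last


def site_letter(domain: str) -> str:
    """Capitalised first letter of the site's name: 'www.chase.com' -> 'C' (assumed convention)."""
    host = domain.strip().lower()
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0][0].upper()


def build_password(date: str, phrase: str, domain: str = "") -> str:
    """Base password, optional site letter as second-to-last character, then the punctuation."""
    base = interlace(date, phrase)
    if domain:
        base += site_letter(domain)
    return base + trailing_punctuation(phrase)


if __name__ == "__main__":
    DATE, PHRASE = "12/12/60", "Shall I compare thee to a summer's day?"
    print(build_password(DATE, PHRASE))                  # 1S2I1c2t6t0a?
    print(build_password(DATE, PHRASE, "chase.com"))     # 1S2I1c2t6t0aC?
    print(build_password(DATE, PHRASE, "facebook.com"))  # 1S2I1c2t6t0aF?
```

Running it reproduces the article’s three passwords. It also makes the weakness of the site-letter step visible: the Chase and Facebook results differ in exactly one character, so anyone who sees one of them in plain text can guess the rest.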

Even though the password itself isn’t easy to remember, it’s very easily reconstructed. That’s the beauty of this method. Just remember: Never reveal your phrase and date choice to anyone else. Bear in mind, too, that the site letter is the only thing that differs from one site to the next, so if one of these passwords is exposed in plain text, the others are easy to guess; treat such an exposure as a compromise of the phrase and date and change them all.

Change is good

To take your password security one final step, change your password regularly.

How often is “regularly”? Most good passwords of this size can probably be cracked within a couple of months, given enough computing power. That figure is a rule of thumb: the real time depends on the attacker’s hardware and on how the service stores its passwords. So you should change your password before those two months expire. Do so more frequently if you feel particularly vulnerable, and do so immediately if you do anything to compromise your chosen phrase and date.

To change it, simply come up with a new memorable phrase and date combo.

TIP: Let Software Do It For You

Figure: Using RoboForm to generate strong passwords.

If creating passwords sounds like too much trouble, consider using a password program such as RoboForm. RoboForm can not only create and store passwords, it also automatically fills in web forms of all types, making it a big timesaver. All you have to do is remember a single master password—but make sure that one is a good one!

RoboForm is also able to generate strong passwords for you. No messing around with reconstructing passphrases, just tell it how tough you want the password to be and RoboForm spits out something unique and nasty. The program stores all these passwords for you, instantly logs you into any number of sites (in the paid version), and keeps all your passwords safe. There’s a version you can install on your desktop (Windows, Mac or Linux), versions for Android and iOS phones, plus the nifty, universal RoboForm Everywhere, which provides a central store of all your passwords you can access from any device. That’s the one I use and have been using for years now, without a glitch.

Password no-nos

When choosing a password, never:

  • Use a word found in a dictionary (even a foreign language or technical dictionary).
  • Use a dictionary word followed by two numbers.
  • Use a word containing any sequence of four or more letters which can be found in a dictionary.
  • Use any dictionary word or sequence reversed.
  • Use the names of people (family members, friends, celebrities and so on), places, pets.
  • Write it down and store it near your computer.
  • Share it with anyone else.
  • Use the same password for more than one account.
  • Use the same password for an extended period of time.
  • Use the default password provided by a site or computer manufacturer.

A Little Lagniappe: Testing your password

There are a number of sites, including Password Meter and How Secure is My Password, that let you test the strength of your password. When you use such a site, it’s vital that you do not use any variant of your real password, because whatever you type is sent to someone else’s server. Instead, test passwords that have a similar structure. For example, if your password is Summer61 try testing another combination that uses a 6-letter common word, capitalized, with a 2-digit number at the end, such as Budget19. Also note that How Secure is My Password estimates how long a single desktop PC would take to crack your password; it’s important to realize that a supercomputer or a large network of desktop computers working together—as some password cracking rings use—would take a fraction of the time to crack the same password.
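To show what lies behind the “single desktop PC” figure, and how much it shifts when many machines work together, here is an added example (Python written for this page, not How Secure is My Password’s own method) that brute-force-sizes the three passwords from the figure at the top of the article. The guess rates are assumed round numbers; the character set is inferred from the characters the password uses; and the whole calculation only applies when an attacker holds a copy of the stored password and can test guesses offline at full speed.

```python
"""Worst-case brute-force time for a password at several guess rates (added example)."""
import string

# Assumed guess rates for illustration; real figures depend on the hash algorithm and hardware.
RATES = {
    "one desktop PC": 1e9,                 # assumed: a billion guesses per second
    "1,000 PCs working together": 1e12,    # assumed: a thousand times faster
}
UNITS = (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
         ("minutes", 60), ("seconds", 1))


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set that contains every character used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def keyspace(pw: str) -> int:
    """Candidates an exhaustive search tries, at worst, before reaching this password:
    every string of length 1 .. len(pw) over the inferred character set."""
    n = charset_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))


def seconds_to_crack(pw: str, guesses_per_second: float) -> float:
    """Worst-case time for an attacker testing guesses at the given rate."""
    return keyspace(pw) / guesses_per_second


def humanize(seconds: float) -> str:
    """'1.5 minutes', '2.0 days', ... using the largest unit that gives a value of at least 1."""
    for name, span in UNITS:
        if seconds >= span:
            return f"{seconds / span:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for pw in ("Summers", "Summer's", "1S2I1c2t6t0aF?"):
        print(f"{pw:16} charset={charset_size(pw):3}  keyspace={keyspace(pw):.2e}")
        for who, rate in RATES.items():
            print(f"    {who:28} {humanize(seconds_to_crack(pw, rate))}")
```

Adding the apostrophe to Summers widens the character set from 52 to 84 symbols, and the 14-character 1S2I1c2t6t0aF? pushes the keyspace up by many orders of magnitude again; a cluster a thousand times faster simply divides every figure by a thousand. The estimate says nothing about dictionary attacks, which is why Summers falls to a wordlist long before brute force would reach it.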

* Lagniappe is a Louisiana word that means ‘a little something extra for nothing’.

© 2013 Rose Vines