Passwords, part 1: How to create good passwords
There are a couple of simple, basic rules for using passwords. Unfortunately, almost no one follows them. Still, we all need goals and aspirations, so here they are:
- Create passwords that are very hard to guess.
- Do not use the same password everywhere.
In other words, there are two things to worry about: creating good passwords and managing them. The first is pretty easy; organizing the second is a bit tougher.
In part 1 of this series, we’ll get the easy stuff out of the way: creating passwords the bad guys can’t crack. Part 2 talks about managing those passwords. Part 3 discusses the importance of lying (nice teaser, eh?). Lastly, if your eyes haven’t glazed over by then, you can also read part 4 (under development), which touches lightly on some of the technical background and on a few specialized topics.
A good password should have:
- at least eight characters, including
- at least one upper-case letter,
- at least one lower-case letter,
- at least one number
- and (if allowed) at least one character that is not a letter or number (“&”, “$”, “%”, “!”, etc.).
The idea here is to come up with a password that is too tough to crack. Following the “good password” rules is a good start, but a password also needs to be hard to guess. That being said, here’s some stuff to avoid, even if you follow the good password rules…
Do not obviously base a password on a real word or a proper name. In other words, if it is in the dictionary, don’t use it. The most common example is basing a password on the name of a child, grandchild or pet — just the sort of information an attacker could pick up from a Facebook page. (In my experience, almost half of all users do this.) The second most common is using the name of a favorite sport, sports team or a related phrase. Use some imagination. Mix it up a bit. Keep in mind that the bad guys are very shrewd guessers.
Do not use “leetspeak” (substituting a “3” for an “E”, “4” for “A”, “7” for “T”, etc.). The bad guys know this trick. “L37m31n” is just as obvious and easily cracked as “Letmein”.
Let’s wrap up with a few examples…
Edward123 — Technically, this meets the minimum “good password” requirements — it has both upper- and lower-case characters, as well as some digits — but it totally blows the “hard to guess” part. A proper name followed by a simple string of numbers is way too easy to crack.
ed48#wRD! — Not bad; should do the trick. It follows all the rules and, unlike the previous example, is not obviously inspired by your dog, Edward.
fc9asI9PP!e3 — Good one. It’s 12 characters long (the maximum allowed at some web sites), totally random, follows all the rules and is darn near impossible to crack. It’s also hard to type, but that might be a worthwhile trade-off on something like a banking site.
Alas, knowing how to build a good password is just a start. You need multiple passwords to do this security thing properly. We’ll talk about ways to handle that little problem in part 2.
(A brief note about passphrases: This is usually the point where someone gets the vapors because I haven’t mentioned passphrases. A passphrase is a long string of characters, usually in plain language. For example: “Mr. Thribbet paced the burning deck anxiously.” It’s easier to remember and type than an obscure, gobbledegook password and, because of its length, it is virtually impossible to crack. Trouble is, most sites won’t let you use a passphrase long enough to do you any good. We’ll discuss passphrases at more length in part 4 — coming soon eventually.)
Trackbacks & Pingbacks