Thursday 28 June 2007

The Art of Creating a Password

One area of security that hackers regularly exploit is your password. Most people struggle to remember long and complex passwords and so resort either to short and simple ones, which are easy to crack, or to more complex ones that they end up writing on a post-it note, generally found attached to their computer monitor.

The Ten Password Commandments

  1. Don't use repeated characters (e.g. aaaaaaa), sequences (123456 or abcdefg) or adjacent keys on your keyboard (e.g. qwerty).
  2. Don't use words found in the dictionary.
  3. Choose a password that is easy to remember, to avoid having to resort to variations of the post-it trick. If you do resort to writing it down, do so in a secure fashion: consider splitting it up and storing the fragments in different places, or store the written password using an easy-to-remember code such as adding an offset to each character or reversing it.
  4. Don't share a password between accounts. If a hacker cracks it for one account they can use it for every other account you've used it on. You may also inadvertently enter it on a bogus website, where it will be stored and systematically tried against your legitimate accounts.
  5. Incorporate as many of the characters on the keyboard as possible (where possible include upper and lower case letters, numbers and special characters). The fewer character types you use, the longer the password needs to be to have the same strength.
  6. Your password should be as long as possible (preferably 14 characters or more, but 8 as a minimum).
  7. It should not be the same as your user name, any part of your name (or a family member's), your birthday or other personal information. Hackers will try variations of these if they can get hold of this information.
  8. Don't store it on the internet or on a network. Don't store it on your PC unless it is encrypted. If a hacker gets at the file containing your passwords then they can use them.
  9. Change your password regularly. The stronger the password you use, the less frequently you need to change it.
  10. Don't just use simple letter substitution on a weak password. P@$$W0rd may look strong, but password cracking software will often incorporate this kind of letter substitution.
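The commandments can be turned into a mechanical check. The following Python is an added example, not part of the original post; the function names and the small constructed word list are assumptions, and a real checker would use a full dictionary. It flags the patterns commandment 1 describes, undoes the letter substitutions of commandment 10 before the dictionary test (so P@$$W0rd is caught as "password"), and counts character classes and length for commandments 5 and 6.

```python
import re
import string

# Constructed stand-in for a real dictionary (assumption; use a full word list in practice).
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey"}

# Letter substitutions that cracking tools routinely undo (commandment 10).
LEET = str.maketrans({"@": "a", "4": "a", "8": "b", "(": "c", "3": "e", "!": "i",
                      "1": "i", "0": "o", "$": "s", "5": "s", "+": "t", "7": "t"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _has_run(pw, n=3):
    """n or more identical characters in a row, e.g. aaaaaaa (commandment 1)."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def _has_sequence(pw, n=4):
    """n consecutive characters stepping by +1 or -1, e.g. 123456 or abcdefg."""
    for i in range(len(pw) - n + 1):
        chunk = pw[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def _has_keyboard_walk(pw, n=4):
    """n adjacent keys from one keyboard row in either direction, e.g. qwerty."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(low) - n + 1):
            chunk = low[i:i + n]
            if chunk in row or chunk[::-1] in row:
                return True
    return False


def _dictionary_hit(pw):
    """True if the password is a dictionary word once leet substitutions are undone."""
    norm = pw.translate(LEET).lower()
    norm = "".join(ch for ch in norm if ch.isalpha())
    return norm in DICTIONARY


def char_classes(pw):
    """Number of character classes used: lower, upper, digit, punctuation (commandment 5)."""
    classes = 0
    classes += any(c.islower() for c in pw)
    classes += any(c.isupper() for c in pw)
    classes += any(c.isdigit() for c in pw)
    classes += any(c in string.punctuation for c in pw)
    return classes


def check_password(pw, username="", personal=()):
    """Return the list of violated commandments; an empty list means the password passes."""
    problems = []
    if _has_run(pw) or _has_sequence(pw) or _has_keyboard_walk(pw):
        problems.append("1: repeated chars, sequence or adjacent keys")
    if _dictionary_hit(pw):
        problems.append("2/10: dictionary word (even with letter substitution)")
    if char_classes(pw) < 3:
        problems.append("5: fewer than three character classes")
    if len(pw) < 8:
        problems.append("6: shorter than 8 characters")
    low = pw.lower()
    for item in (username, *personal):  # commandment 7: user name, names, birthday...
        if item and item.lower() in low:
            problems.append("7: contains user name or personal information")
            break
    return problems
```

Run against the post's own examples, `check_password("P@$$W0rd")` reports only the dictionary hit, `check_password("aaaaaaa")` reports three failures, and the post's final mnemonic password passes every check. The leet normaliser is deliberately simple: it strips trailing digits that are not substitutions, so a production checker would additionally test dictionary words as prefixes of the normalised string.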

The third and sixth of these criteria would at first glance appear to be mutually exclusive. Most people struggle to remember a 5 or 6 character password, let alone venture into the heady realms of passwords that contain ten or more.

Johnny Mnemonic

One way around this is to base your password on a mnemonic phrase, saying or song lyric that you remember. Take the first letter of each word in your key phrase, et voilà, an instant long password that is easy to remember. Marvelous.

For example, take the old Nancy Sinatra song "These Boots are Made for Walking". Taking the first 12 words you get "These boots are made for walking and that's just what they'll do". Taking the first letter of each word gives you the letters "TBAMFWATJWTD", which to all intents and purposes looks pretty random.

Substitute

To widen the range of characters used in your password you can now apply the rule that you use an upper case letter for the first letter of each word in your phrase that is longer than two characters and lower case for the rest. You now get "TBAMFWATJWTd": not a huge improvement in this example, but you can always choose a new key phrase. To widen the range of characters even further, consider substituting special characters for certain letters. For example:

  • '@' for 'a'
  • '8' instead of 'B'
  • left bracket '(' instead of 'C'
  • '!' for an 'i' (invert ! and you get i)
  • zero for 'O'
  • '$' instead of 'S'
  • '+' for 't'

Your password would now be "+8AMFWA+JW+d".

The Specials

Finally, add one or more additional special characters to the mix at predetermined points in your password. For example, you could always enter "~" as the third character of your password and "#" as your last. As long as you're consistent you should be able to remember them as you key the password in. Adding these in would give you "T8A~MFWATJWTd#", which is pretty strong. Just don't go humming the tune to yourself as you're entering it.

Remember that if you don't use a strong password, then one of these days these hackers are gonna walk all over you.
