Jul 10 2007

How to choose a secure password

[tags]security,passwords,hacking,cracking,microsoft,complex,best-practices[/tags]

As a follow-up to the secure USB drive post, I wanted to give some pointers on how to create secure, complex passwords.

Complexity…

In a Microsoft (Windows) environment, the "password must meet complexity requirements" policy requires that a password be at least six characters long, not contain three or more consecutive characters from the user's account name or full name, and contain characters from at least three of these five categories:

  • Upper case characters – A, B, C, …, Z
  • Lower case characters – a, b, c, …, z
  • Numbers – 0, 1, 2, 3, …, 9
  • Special characters – !, @, #, …
  • Unicode characters – þ, …

Unicode characters are difficult to type, so we’ll ignore those for now as they are impractical, but if you stick with Microsoft’s recommendations here, you’re off to a good start.

First test…

Consider the following two passwords and think about which is more secure:

  • July07
  • HaUnChEofKslFnsoEasP

The second password is clearly the stronger of the two, but it does not count as a complex password because it draws on only two of the five categories (upper and lower case). The first password does count as complex: it has characters from three of the five categories and is six characters long. (It would be rejected if the user's account name were Julie or Julian, because "Jul" is three consecutive characters of the name, but that is beside the point.)
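To make the check concrete, here is the complexity rule written out in Python. This is an added example, not code from the original post or from Microsoft, and it is a simplification: the real Windows policy also splits the user's full display name into tokens and checks those, whereas this version only looks at the account name passed as `username`. The function names are my own.

```python
import string

# Added example: a simplified version of the Windows "password must meet complexity
# requirements" check. Only the account name is checked for three-character runs here;
# the real policy also tokenises the user's full display name (assumption/simplification).


def character_classes(password: str) -> set:
    """Return which of the five Microsoft categories the password draws characters from."""
    classes = set()
    for c in password:
        if c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.digits:
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("special")
        elif not c.isascii():
            classes.add("unicode")  # e.g. þ; anything outside printable ASCII lands here
    return classes


def contains_name_run(password: str, name: str, run: int = 3) -> bool:
    """True if `run` consecutive characters of the account name occur in the password
    (case-insensitive). Names shorter than `run` are skipped, as Windows does."""
    p, n = password.lower(), name.lower()
    if len(n) < run:
        return False
    return any(n[i:i + run] in p for i in range(len(n) - run + 1))


def meets_complexity(password: str, username: str, min_length: int = 6) -> bool:
    """Six or more characters, three of the five classes, and no three-character run of the username."""
    return (len(password) >= min_length
            and len(character_classes(password)) >= 3
            and not contains_name_run(password, username))


if __name__ == "__main__":
    for pw, user in [("July07", "bob"), ("July07", "Julie"), ("HaUnChEofKslFnsoEasP", "bob")]:
        print(f"{pw!r:24} user={user!r:9} classes={sorted(character_classes(pw))} "
              f"complex={meets_complexity(pw, user)}")
```

Running it reproduces the first test above: "July07" passes for a user called bob, fails for Julie, and the 20-character password fails because it only has two classes.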

Golden rule…

The golden rule when choosing a password is never to use a word that appears in a dictionary, not even with numbers or special characters tacked on. Research has found that most people add a couple of digits at the beginning or end of the password, and more often than not those digits relate to the current date or an important date such as a birthday or anniversary. On that basis a better password would be "Ju07ly": it contains no dictionary word, it uses three of the five character sets, and the digits are neither at the beginning nor the end. Keep in mind, though, that cracking tools also apply rules that insert digits in the middle of a word, and a six-character password is small enough to brute-force in any case, so this is an improvement on "July07" rather than a strong password.

Common mistake…

A common practice when trying to come up with a stronger password is to substitute letters with digits or special characters. For example, you could take your pet's name, "Spotty", and turn it into "$p0ttY". This meets the requirements for a complex password, but there is a small set of substitutions that almost everyone uses, and any password cracker worth its money has them built into its rule set. Some of the common ones are: @ for a, $ for s, 0 for o, ! for i and 1 for l.

The other problem with choosing your pet's name is that attackers can use social engineering to obtain personal information from you, or from the people around you, and feed it into their guessing. It would not be difficult to find out your pet's name or the names of your family or loved ones. "$p0ttY" doesn't look that hard to guess now.

Looooong passwords…

The best way to overcome most of these problems is to use long passwords. As shown in the example above, "HaUnChEofKslFnsoEasP" is far more secure than "July07", and almost entirely because of its length of 20 characters. With 20 characters drawn from upper and lower case letters alone there are 52^20, roughly 2.1 × 10^34, possible passwords. Compare that with just 62^6 = 56,800,235,584 combinations for six characters drawn from upper case, lower case and digits: adding a character class to a short password does far less than adding characters.

The rules…

Some of the rules we have so far are:

  • Avoid using dictionary words, or names of people/places.
  • Use long passwords – the longer the better.
  • Use special characters, but not in an obvious way.
  • Use both upper and lower case letters.

Don’t write it down…

The downside to obeying these rules is that you end up creating a password so complex, the only way to remember it is to write it down – usually on a piece of paper stuck on your monitor or under the mouse mat, or sometimes folded neatly in your wallet (with your bank cards!)

Methods…

So how do we create passwords that are both easily remembered and secure? Here’s one method…

Think of a short sentence that is easy to remember, for example "My favourite movie is Titanic" or "My husband never puts his socks away." Then find a way to squash it into a single word. Taking the first letter of each word gives "MfmiT", which is too short, so instead shorten each word: "MyfavmovisTitan". This is now 15 characters long and mixes upper and lower case. Now work in some special characters to add complexity: "My fav-mov=Titan". The password is 16 characters long, contains three special characters (space, hyphen and equals sign), and is still relatively easy to remember.

Another method is to come up with two passwords and simply join them together. Using our two bad examples from earlier gives "July07$p0ttY". Each part is weak on its own, and the combination is a good deal stronger than either; just be aware that crackers also try pairs of candidate words joined together (a combinator attack), so a password built from two guessable pieces is not as strong as a random string of the same length.
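To show why the golden rule, the substitution warning, the length argument and the caveat on joined passwords all point the same way, here is an added example of the kind of rule-based guessing a cracker does. It is my own code, not the author's and not a real cracking tool: a constructed five-word wordlist is expanded with the case changes, "leet" substitutions and date digits discussed above, then pairs of candidates are tried (the combinator step). SHA-256 stands in for whatever hash the target system actually stores, and the wordlist, substitution table and digit list are all assumptions chosen to be small enough to run in a second.

```python
import hashlib
import itertools
import math
import string

# Constructed toy wordlist (names and words taken from this post). A real attack uses
# millions of entries plus whatever social engineering turned up about the target.
WORDLIST = ["spotty", "july", "julie", "titanic", "password"]

# The substitutions everyone uses, so every cracker's rule set already contains them.
LEET = {"a": "@", "s": "$", "o": "0", "i": "!", "l": "1", "e": "3"}

# Digit strings people bolt on: two-digit years around 2007 and a couple of usual suffixes.
DIGITS = ["05", "06", "07", "08", "1", "123"]


def sha256_hex(password: str) -> str:
    """Stand-in for the real password hash; the guess ordering is the point, not the hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def case_variants(word: str) -> set:
    """lower, Capitalised, UPPER and trailing-capital forms (spotty, Spotty, SPOTTY, spottY)."""
    w = word.lower()
    return {w, w.capitalize(), w.upper(), w[:-1] + w[-1].upper()}


def leet_variants(word: str) -> set:
    """Every way of applying or not applying each substitution in LEET."""
    choices = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in word]
    return {"".join(p) for p in itertools.product(*choices)}


def base_forms(word: str) -> set:
    out = set()
    for cv in case_variants(word):
        out |= leet_variants(cv)
    return out


def mangle(word: str) -> set:
    """Base forms plus digits prepended, appended, or dropped into the middle ("Ju07ly")."""
    out = set()
    for b in base_forms(word):
        out.add(b)
        mid = len(b) // 2
        for d in DIGITS:
            out.add(b + d)
            out.add(d + b)
            out.add(b[:mid] + d + b[mid:])
    return out


BASES = sorted(set().union(*(base_forms(w) for w in WORDLIST)))
SINGLES = sorted(set().union(*(mangle(w) for w in WORDLIST)))


def candidates():
    """Single mangled words first, then combinator pairs (mangled word + plain base form)."""
    yield from SINGLES
    for left in SINGLES:
        for right in BASES:
            yield left + right


def crack(target_hash: str):
    """Return the first candidate whose hash matches, or None if the rule set never reaches it."""
    for guess in candidates():
        if sha256_hex(guess) == target_hash:
            return guess
    return None


def keyspace(password: str) -> int:
    """Brute-force search space implied by the character classes present
    (26 lower, 26 upper, 10 digits, 32 ASCII punctuation): 62**6 for "July07", 52**20 for the long one."""
    size = sum(n for chars, n in ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
                                  (string.digits, 10), (string.punctuation, 32))
               if any(c in chars for c in password))
    return size ** len(password)


if __name__ == "__main__":
    for pw in ["July07", "Ju07ly", "$p0ttY", "July07$p0ttY", "HaUnChEofKslFnsoEasP"]:
        print(f"{pw:22} keyspace 2^{math.log2(keyspace(pw)):5.1f}  cracked as: {crack(sha256_hex(pw))}")
```

With only five words and a handful of rules, every short password in this post falls, including "Ju07ly" (digits in the middle) and the joined "July07$p0ttY"; the 20-character password is never reached, and its 52^20 keyspace is what stops brute force from finishing the job.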

Useful tools…

Once you’ve come up with a password that you think is strong, you can use the password strength checker from Microsoft to test it out.

SecurityStats.com also has a password checker with a bunch of other tips too.
