Failing to actively adhere to good password practices is akin to leaving the front door of your house unlocked. If you're lucky, no one will test the lock. If someone is looking to break in, you've created the perfect target. Similarly, without strong passwords, you're leaving systems open to hackers. Don't shy away from the task of creating and maintaining multiple strong passwords. Five security experts offer their best techniques, which you may want to implement as part of your organization-wide password policy.
Eliminate common words
Submitted by Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+
Journalist and editor, About.com Guide for Internet/Network Security
When I create my passwords, I immediately eliminate any word that can be found in a dictionary, even to make up a portion of my password. When forced through password complexity requirements to add numbers or special characters, many users still pick things like october01 or october#1 or something to that effect. It technically meets the requirement, but it defeats the purpose of creating a complex password.
If you eliminate your name, your kids' names, your pets' names, your birth date, social security number and every word in the dictionary, you aren't left with many options. So, what should a user do to create a password that fits all of these guidelines?
I take a word and use "hacker speak" to substitute numbers or special characters in place of some letters. That way I can still remember the password, and it won't be cracked by a simple dictionary attack or easy guess. For instance, instead of using "october," change it to "oct0b3r." The zero and the three still look like the "o" and "e" they are replacing. But I would not recommend using this trick for personal information. Things like family names should still be on the short list of password choices.
One other trick is to capitalize at least one of the letters in the middle of the word. When users are forced to use caps and numbers through complexity requirements, they usually end up with "October1" or something like that. Instead, use something like "ocT0b3r," which would be significantly harder to guess or crack.
Connect multiple words
Submitted by Rick Smith, Ph.D., CISSP
Faculty member specializing in information security, University of St. Thomas
Operator, Cryptosmith LLC, consulting organization
When choosing a password, first consider its importance. If it's not protecting something important, I choose something really easy to remember. The same is true if it's a password that gets e-mailed around: If someone intercepts the e-mail, it won't matter how clever you were about choosing it.
If the password really needs to hold up against attacks, I pick two long words (eight letters or more) and embed a digit or special character between them. The two words should be randomly chosen, and they shouldn't produce a phrase. Then I generally save copies of passwords in an encrypted file or password encryption application, unless there are laws against it.
Implement a formula using common Web page elements
Submitted by Michael Bloch
Founder, Taming the Beast.net, e-commerce and Web marketing resources
Each Web page tends to have common elements -- whether they're visual or in the source code. You can save yourself from remembering multiple passwords if you identify a common element on the page, then add a suitable string of numbers, characters or case variations common to all passwords. To do this, you just need to remember the formula for calculating the common element and the common string. It's best to choose an element on the page that is unlikely to change.
Here is a very basic example of the new method I'm trying out.
Each Web page on any site usually has a common element. Start with that element and follow these
- Source code example: <head>
- Scramble it: <>daeh
- Add the initials of the domain name: <>daehsws
- Add the predetermined string common to all passwords you'll use; add it as a prefix, suffix or dump it in the middle: <>daehsws-0345
This particular example is too easy. I suggest identifying something common on each page for that particular site. Then use a memory trigger for the common element or use an element common on all sites (such as ‹head›), but add an extra step. For example, intersperse that element with a customer ID number or username. It sounds a little bulky I guess, but the idea is that you only need to remember the formula rather than 100 different passwords.
Use passphrases
Submitted by Debra Littlejohn Shinder, MCSE, MVP (Security)
Author, "Scene of the cybercrime"
My favorite trick for creating strong passwords is to use passphrases (a sentence or group of words), using only the first letter of each word with punctuation marks. If your phrase contains numbers, all the better.
Here is an example:
My dog's birthday is 10-23. When is yours?
This sentence would become the following password:
This method creates a seemingly random combination of alpha, numeric and symbol characters, yet it's easy to remember. It's much shorter than typing the entire phrase (thus eliminating the chance of mistyping or the user getting frustrated with its length), and it's less prone to cracking because it doesn't contain any dictionary words.
More on using acronyms and passphrases
Submitted by Joshua Erdman
Founder, Digital Foundation, IT outsourcing firm
Editor, NetworkClue.com how-to articles.
The answer is acronyms! Look at the password "2Bon2Btit?" It's complicated and almost random. It follows all the recommended password rules. It has at least one symbol, it has at least one capital and one lowercase, and it is at least eight characters long. The best part is -- it is easy to remember.
I got it from this common phrase:
To be or not to be, that is the question
It is easy to think of one on your own. Use a rhyme from school, a lyric from a song or a sentence from your favorite book. The possibilities are endless.
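As an added example (not part of the original article or any contributor's own material), the following Python derives a passphrase acronym the way Shinder describes and checks candidate passwords against the rules Erdman lists (symbol, upper- and lowercase, at least eight characters) plus Bradley's dictionary rule. The wordlist is a constructed stand-in for a real dictionary, and the dictionary check also undoes common digit-for-letter substitutions, since password-cracking tools apply the same mangling rules before lookup. The acronym function is purely mechanical; it does not apply Erdman's homophone tricks ("2" for "to", "?" for "question").

```python
import re
import string

MIN_LENGTH = 8  # minimum length stated in the article

# Constructed mini wordlist standing in for a real dictionary or cracking list.
WORDLIST = {"october", "password", "dog", "birthday", "head", "question"}

# Common "hacker speak" substitutions, reversed: 0->o, 1->l, 3->e, 4->a, $->s, @->a, !->i
LEET = str.maketrans("0134$@!", "oleasai")


def passphrase_to_acronym(phrase: str) -> str:
    """First letter of each word; digits and punctuation are kept as they appear."""
    out = []
    for token in re.findall(r"[A-Za-z']+|\d+|[^\w\s]", phrase):
        out.append(token[0] if token[0].isalpha() else token)
    return "".join(out)


def check_policy(pw: str, wordlist=WORDLIST) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    # Dictionary check on the letters alone, both as typed ("october01")
    # and with leet substitutions undone ("oct0b3r" -> "october").
    raw_letters = re.sub(r"[^a-z]", "", pw.lower())
    unleeted = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if raw_letters in wordlist or unleeted in wordlist:
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    acronym = passphrase_to_acronym("My dog's birthday is 10-23. When is yours?")
    print(acronym, check_policy(acronym) or "passes")
    for candidate in ("october01", "ocT0b3r", "2Bon2Btit?"):
        print(candidate, check_policy(candidate) or "passes")
```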
How do you create strong passwords? Submit a tip and we'll post it on the site.
This was first published in October 2004