Computer Passwords  

May 10, 2013

Choosing a Good Password

The news is full of stories about user accounts being hacked, people’s private information being exposed, and accounts being used for purposes their owners never intended. This occasionally happens to staff or student accounts in our area too. Although I’m not aware of any criminal activity resulting from it locally, it can cause other problems, including relaying spam and getting our email servers blacklisted. [So far I haven’t heard of any compromised student account having its assignment turned in for it.] So what can you do to make your account a less attractive target and less likely to be compromised? I’d suggest two things: choose a strong password and change it regularly.

First, a strong password is the best way to impede a hacker’s attempts to gain access to your account. If you’re a prominent person with valuable or potentially damaging information, attackers might try social engineering, or use what they know about you to guess passwords you might have chosen (a birthdate, a family member’s or pet’s name). The other common method is automated guessing: a dictionary attack cycles through lists of well-known passwords and popular character sequences, and a brute-force attack tries every possible combination, in both cases hoping to get in before being detected.

Second, changing your password regularly restarts the clock on how long an automated attack would need to guess it (assuming the new password is at least as strong as the previous one and is not a small variation of it, since variations are what attackers try first). One password theory is that with enough time, any password can be discovered or “cracked.” Thus, changing your password more often than the time it would theoretically take to crack keeps you ahead in this game. As processing power increases, however, the time to crack shortens, and our password expiration policies might also need to shorten. The clock argument applies most directly to an attacker who has stolen a copy of the password database and is guessing against it offline at full speed; an attacker guessing at the login page is slowed far more by lockouts and rate limits than by how recently you changed the password.

Thankfully, there are other measures in place to help reduce attacks on users’ accounts. System administrators are constantly exploring new features and tuning existing ones to identify compromised accounts quickly and secure systems better. A few examples include using encrypted protocols so passwords don’t cross the network in the clear, intrusion detection systems, and limiting failed login attempts so that a guessing attack is slowed down or locked out.
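To show what “limiting failed login attempts” means in practice, here is an added example (not code from this site’s systems or from any particular product) that replays a constructed, sshd-style login log through a sliding-window lockout policy. The log lines, user names and IP addresses are invented for the illustration; the policy (five failures from the same user and source within ten minutes locks that pair out for ten minutes) is an assumed one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an sshd-like format. These are not real records;
# the IPs are documentation ranges (RFC 5737) and the users are invented.
SAMPLE_LOG = """\
2013-05-10 08:00:01 sshd: Failed password for jdoe from 203.0.113.7
2013-05-10 08:00:03 sshd: Failed password for jdoe from 203.0.113.7
2013-05-10 08:00:04 sshd: Failed password for jdoe from 203.0.113.7
2013-05-10 08:00:06 sshd: Failed password for jdoe from 203.0.113.7
2013-05-10 08:00:07 sshd: Failed password for jdoe from 203.0.113.7
2013-05-10 08:00:09 sshd: Accepted password for jdoe from 203.0.113.7
2013-05-10 08:01:00 sshd: Failed password for asmith from 198.51.100.2
2013-05-10 08:20:00 sshd: Failed password for asmith from 198.51.100.2
2013-05-10 08:40:00 sshd: Failed password for asmith from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Return (timestamp, succeeded, user, ip), or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("result") == "Accepted", m.group("user"), m.group("ip")


def evaluate_log(log_text, threshold=5, window=timedelta(minutes=10)):
    """Replay the log through a sliding-window lockout policy (assumed policy).

    A (user, source IP) pair that accumulates `threshold` failures inside
    `window` is locked for `window` from the last failure; any attempt during
    the lockout, even one with the right password, is refused. Returns a list
    of (timestamp, user, ip, "allow" | "block") so the decisions can be checked.
    """
    recent_failures = defaultdict(deque)   # key -> failure timestamps inside the window
    locked_until = {}                      # key -> time the lockout expires
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, succeeded, user, ip = parsed
        key = (user, ip)
        stamp = ts.strftime("%Y-%m-%d %H:%M:%S")

        if key in locked_until and ts < locked_until[key]:
            decisions.append((stamp, user, ip, "block"))
            continue

        if succeeded:
            recent_failures[key].clear()   # a genuine login resets the counter
            decisions.append((stamp, user, ip, "allow"))
            continue

        failures = recent_failures[key]
        while failures and ts - failures[0] > window:   # forget failures outside the window
            failures.popleft()
        failures.append(ts)
        if len(failures) >= threshold:
            locked_until[key] = ts + window
            failures.clear()
        decisions.append((stamp, user, ip, "allow"))
    return decisions


if __name__ == "__main__":
    for stamp, user, ip, decision in evaluate_log(SAMPLE_LOG):
        print(stamp, user, ip, decision)
```

In the sample, jdoe’s sixth attempt is refused even though the password was finally right, which is exactly how a lockout turns a fast guessing attack into a slow one; asmith’s three widely spaced failures never reach the threshold, so an occasional typo does not lock a real user out.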

Ideas to Create Strong Passwords

If I’ve convinced you to upgrade to a stronger password, how are you going to create one that you can remember? Again, I’ll make a few suggestions that may help, along with a few cautions and things to avoid.

First, where passwords are concerned, longer is better, and longer with more kinds of characters is best. The number of possibilities an attacker must try is the size of the character set raised to the power of the length, so a long password of all lowercase letters can be easier to crack than a slightly shorter one drawn from several character sets. (There’s some very specific math here that you can encourage your students to work through if you want details.) The character sets are lowercase, UPPERCASE, special characters like {*&^%$#@}, and numbers (0-9). Sometimes we’re required to use several character sets to increase the complexity of the password, although it takes more effort to create one with these requirements.
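The “very specific math” above, carried through as an added example (not from the original post): the functions below compute the search space for a candidate password from its length and the character sets it uses, and how long an exhaustive search would take at an assumed guess rate. Everything runs locally, so nothing is sent to a website. The set sizes (26, 26, 10 and the 32 ASCII punctuation characters, 94 in all) and the 1e10 guesses per second figure are assumptions for illustration.

```python
import math
import string

# The four character sets the post describes. Assumed sizes: 26 lowercase,
# 26 uppercase, 10 digits and the 32 printable ASCII punctuation characters,
# for a 94-character alphabet when all four are used.
CHARSETS = {
    "lowercase": string.ascii_lowercase,
    "UPPERCASE": string.ascii_uppercase,
    "digits": string.digits,
    "special": string.punctuation,
}


def alphabet_size(password):
    """Size of the alphabet an attacker must search once they know which of
    the four sets the password draws from (the usual brute-force assumption)."""
    size = sum(len(chars) for chars in CHARSETS.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no characters from the four sets")
    return size


def keyspace_bits(alphabet, length):
    """log2(alphabet ** length): the bits of work for an exhaustive search."""
    return length * math.log2(alphabet)


def years_to_exhaust(alphabet, length, guesses_per_second):
    """Time to try every candidate at a given guess rate, in years."""
    seconds = alphabet ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def report(password, guesses_per_second=1e10):
    """Summarize a candidate without sending it anywhere (runs entirely locally).

    These numbers are an upper bound: they assume the password is a uniformly
    random string. A mnemonic built from a famous song, or a word with letter-
    for-number substitutions, sits in every cracking tool's rule list and falls
    much faster than the bits suggest.
    """
    alphabet = alphabet_size(password)
    return {
        "length": len(password),
        "alphabet": alphabet,
        "bits": round(keyspace_bits(alphabet, len(password)), 1),
        "years_at_rate": years_to_exhaust(alphabet, len(password), guesses_per_second),
    }


if __name__ == "__main__":
    # 1e10 guesses/s is an assumed offline rate against a fast, unsalted hash
    # on GPUs; an online login page rate-limited to ~10/s is a billion times
    # slower, which is why lockouts matter so much.
    for candidate in ("oldmcdonaldhadafarm", "OMDh9f,Hstatm!"):
        print(candidate, report(candidate))
```

Running it shows the trade-off the paragraph describes: 14 lowercase letters give about 66 bits, 11 characters from all four sets give about 72 bits, and 19 lowercase letters (89 bits) land close to the post’s 14-character, four-set example (92 bits). Length and alphabet are interchangeable to a point, but only for passwords that are actually random.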

Another way to make a good but memorable password is to take a phrase, sentence or other unforgettable saying and pick out some of its letters. Here’s an example using the first letters of the syllables in the song “Old McDonald had a farm, EIEIO”, which could give OMDhafEIEIO as the password. That’s a very familiar phrase around the Midwest, so humming the tune while typing might not be a good way to keep it secret, but adding or substituting special characters or numbers makes it more complicated. Maybe Mr. McDonald had nine farms and he sold them all to you! That might look like OMDh9f,Hstatm! Swapping letters for numbers and adding special characters makes this password much stronger because of its length and its use of all four character sets. And I’m sure you can remember it now that you know how it was constructed and modified. One caution: cracking tools already try well-known phrases with the common letter-for-number substitutions, so the strength comes mostly from the length and from a phrase and transformation that are your own, not from the substitutions alone.

Because we often have numerous accounts, I’d recommend never using the same password for more than one of them, since a single breach at one site could then compromise every account that shares it. One idea is to add a bit of site-specific customization to the standard password created above. However, this borders on being predictable: if one site leaks the password in the clear, whoever gets it can see the pattern, so additional variation would be better. Thus, if I’m using this new password for eBay, I might add the letters EB, 3B, yaBe, or something unique to this password to associate it with eBay: EOMDh9f,Hstatm!B

Long, complex and different passwords are the best choice, so I use a password manager to create and remember them for me. There are several kinds of password manager: your browser’s built-in password feature, a local desktop application, or a web-based service. I don’t recommend the browser’s password features, because anyone with access to your computer or browser can get to all your passwords. I prefer the desktop or web-based types and have used both LastPass and KeePass, but there are other good choices too. Each has its pros and cons, and both require a strong “master” password to protect all the other passwords stored behind it. One thing I enjoy about LastPass is having it available on every device and browser I log in with. It can also generate a password for me and save it into its vault. I may never know the actual password to a site, but I can get in as long as I know the super-secret master password.
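To show what a manager does when it “creates a password for me,” here is an added example generator (not the code of LastPass, KeePass or any other product). It draws from a cryptographically secure source, enforces a four-character-set policy without biasing the result, and offers a random-word passphrase as the memorable alternative. The set definitions, the word list and the default length are assumptions for the illustration.

```python
import secrets
import string

# The four character sets from the post (assumed: ASCII punctuation for "special").
CHARSETS = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)
ALPHABET = "".join(CHARSETS)   # 94 characters

# Constructed, deliberately tiny word list for the demo. A real generator needs
# a list of several thousand words (a Diceware-style list) to reach useful
# strength: a passphrase is worth words * log2(len(wordlist)) bits.
WORDLIST = ("apple", "barn", "cider", "donkey", "engine", "farm", "goat",
            "harvest", "iron", "jacket", "kettle", "lantern", "meadow",
            "nettle", "orchard", "plough")


def uses_all_sets(password):
    """True when the password contains at least one character from each set."""
    return all(any(c in charset for c in password) for charset in CHARSETS)


def generate_password(length=20):
    """Generate a random password that satisfies a four-character-set policy.

    Uses the `secrets` module (a CSPRNG), never the `random` module, which is
    predictable. Rejection sampling keeps the result uniformly distributed over
    all policy-compliant strings; the common "pick one from each set, then
    shuffle the rest" trick does not, because it guarantees structure an
    attacker can exploit.
    """
    if length < len(CHARSETS):
        raise ValueError("length must be at least %d to cover every set" % len(CHARSETS))
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if uses_all_sets(candidate):
            return candidate


def generate_passphrase(words=5, wordlist=WORDLIST, sep="-"):
    """Random words joined by `sep`: easier to remember than a 20-character
    string, and just as strong if the word list is large enough."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    # One fresh, unrelated secret per site, exactly as a manager's vault stores them.
    for site in ("ebay", "bank", "webmail"):
        print(site, generate_password(20))
    print("passphrase", generate_passphrase())
```

The point of generating rather than deriving is the one made about eBay above: two passwords from this generator share nothing, so a leak of one tells an attacker nothing about the other, whereas a per-site suffix on a base password does.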

Be cautious with websites that rate the strength of your password, such as www.howsecureismypassword.net and www.passwordmeter.com. Although these sites can help you learn what makes a password stronger, once you’ve typed a password in, you’ve shared it with that site (and with anything between your browser and it), and it is no longer a secret! I’d strongly recommend never testing or rating your real password on such a site, nor sharing your password with anyone or any site other than the actual account provider. Instead, use sites like these with throwaway candidates to learn what makes a password strong, then build your real one the same way.

Changing passwords can be a real pain temporarily, but so can exercise, memorizing states and capitals, and getting your regular dental cleaning. Nevertheless, each of these has its place in preventing more severe problems, and ignoring them can lead to many undesirable results. So as you make that annual or biannual dental appointment, consider also updating your password or visiting with your local IT support staff about it. I’m sure they’ll appreciate both your clean pearly white smile and your interest in IT security, and they probably won’t send you a bill.