Essential Password Security Best Practices
One of the weakest links in most security systems, even today, is passwords. People write them down on sticky notes attached to their computers, or make their passwords so simple that, with a little time, anyone can access their system.
As we entrust more and more of our precious data to computers and the Internet, password security is only going to rise in importance. Many sites have long since enacted basic checks on passwords to limit the chance of a security breach. You’ve seen these checks before: they ask you for longer passwords, or to include certain types of characters.
They want you to use passwords that look like !qD7_8aC, but you’ll never remember that. So how do you create passwords that aren’t easy to guess or simple to figure out, and that you won’t have to write down to remember? Well, first we need to look at why passwords like the example above are so secure.
Weak Passwords: Dictionary Attack
Crackers (commonly labelled Hackers) will use a long text file containing thousands of dictionary words that are commonly used as passwords. Software will run through this list of words to see if your password matches. If it does, the Cracker will have easily, quickly and efficiently gained access to your data.
This is why we need to make sure we aren’t using words or names that this type of software can simply look up.
Words like password, school, and even psychologist are bad passwords. The length of the word doesn’t matter in this type of attack, so using longer words, or even combining two words, may not keep your data safe from it.
Weak Passwords: Brute Force Attack
Another technique that Crackers will use is a system called brute force, and it is exactly what it sounds like. The software will go through all possible combinations of characters until it hits on your password. Usually, the Cracker will first check what the lower and upper limits for passwords are on a given website or computer system, as many set their minimum password length to 3, 5 or 8 characters, with a maximum length usually around 15 characters.
Then the software will start at that minimum length with all “a’s” and continue on until it gets to “zzzzzzzzzzzzzzz”, so even if your password is “ccradsae”, the top password crackers can break it in less than five minutes. Overall, brute force attacks usually take longer than dictionary attacks, but they are also more likely to find a positive result, and this is where the majority of our modern password security techniques come into play.
Take the example I gave above, !qD7_8aC. It isn’t a dictionary word or phrase, so only a brute force method (limiting ourselves to the two tactics above, of course) would work in finding this password. But thanks to the capital letters, the numbers and the symbols, the number of combinations the brute force software would have to go through is so large that the person attempting to gain access would have to wait a very long time before the computer came up with this set of characters; thus we have security thanks to the high time required.
As computer systems get faster, it becomes more and more difficult to keep these passwords secure, so many companies are looking for a better way of managing user security, but until that happens, we need to protect ourselves.
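To put numbers on the argument above, here is an added example (not code from the original article) that computes the brute-force search space for the two passwords discussed, “ccradsae” and “!qD7_8aC”. The four character classes are the 94 printable ASCII characters; the guess rate of one billion guesses per second is an assumed figure for illustration only.

```python
import string

# Character classes a brute-force search has to cover once a password uses them
# (the 94 printable ASCII characters split into four classes).
CLASSES = {
    "lower": string.ascii_lowercase,  # 26
    "upper": string.ascii_uppercase,  # 26
    "digit": string.digits,           # 10
    "symbol": string.punctuation,     # 32
}


def alphabet_size(password: str) -> int:
    """Size of the smallest union of classes that contains every character used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates a brute-force run must cover at this exact length and alphabet."""
    return alphabet_size(password) ** len(password)


def cumulative_keyspace(password: str, min_len: int) -> int:
    """Candidates covered when the search starts at the site's minimum length
    and works up to the password's own length, as the article describes."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(min_len, len(password) + 1))


def worst_case_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at an assumed guess rate
    (1e9 guesses/s is an assumption for illustration, not a figure from the article)."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ("ccradsae", "!qD7_8aC"):
        print(f"{pw}: alphabet {alphabet_size(pw)}, keyspace {keyspace(pw):.3g}, "
              f"worst case {worst_case_seconds(pw) / 86400:.2f} days")
```

At the assumed rate the all-lowercase password falls in about 3.5 minutes, while adding the other three classes at the same length pushes the worst case past 70 days.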
Making a Secure, Easy to Remember Password
Coming up with a fairly secure and easy-to-remember password might seem difficult, but there are some easy things you can do to improve it.
- First: The more characters the better. Take one or two words. (simplepassword)
- Second: Use both uppercase and lowercase letters (SimplePassWorD)
- Third: Replace vowels with numbers (S1mpl3P4ssW0rD)
- Fourth: Add symbols to replace letters or to insert between words ($1mpl3!P4ssW0rD)
From what I’ve read, a password like $1mpl3!P4ssW0rD would take a minimum of three months using a supercomputer to crack through the brute force methods used today. With computers getting faster and smarter, I have a feeling that even a few years from now, a password like this would still take weeks or months to crack.
NOTE: You can’t just use one of the above-mentioned techniques. PassWorD is not a secure password, and neither is p@ssword or p4ssw0rd. It is the combination of the above techniques that helps create a more secure password.
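The NOTE is the part people skip, so here is an added example (not code from the original article) of a checker that enforces all four steps together and also undoes the common substitutions before looking the result up in a wordlist, so that p4ssw0rd and p@ssword are recognised as plain “password”. The wordlist is a constructed stand-in for a real cracking dictionary, and the minimum length of 8 is an assumption.

```python
import re
import string

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = {"password", "school", "psychologist", "simple", "pringles", "stargate"}

# Common letter-for-symbol substitutions, reversed so p4ssw0rd normalises to "password".
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Undo substitutions, lowercase, and drop anything that is not a letter."""
    return re.sub(r"[^a-z]", "", password.translate(LEET).lower())


def check_password(password: str, min_len: int = 8) -> list:
    """Return the list of failed rules; an empty list means the password passes.
    Rules are the article's four steps combined plus a dictionary check."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    stem = normalize(password)
    if stem in WORDLIST:
        problems.append(f"is just the dictionary word '{stem}' with substitutions")
    return problems


if __name__ == "__main__":
    for pw in ("PassWorD", "p@ssword", "p4ssw0rd", "P4ssw0rd!", "$1mpl3!P4ssW0rD"):
        print(f"{pw}: {check_password(pw) or 'ok'}")
```

Note that P4ssw0rd! satisfies every character-class rule and still fails, which is exactly why the dictionary check has to run on the normalised form.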
Changing Your Password Often
This of course brings me to my next point: if you are smart, you’ll change your password fairly regularly. It doesn’t take much to take one or two important words or a short phrase and convert them through replacement into something much more secure while remaining memorable, but even with all the previous steps, if you give a person enough reason to make the attempt, and they are persistent, they’ll eventually find your password and gain entry.
But if you change your password in the midst of their cracking attempt, you put them back to square one, and they have to start over again.
Different Passwords for Different Sites, Computers and Services
The last thing people should be concerned about is the use of the same password on multiple sites. Not all sites, computers and services secure your information as well as others. This leads to the possibility that one site may accidentally give your password out to the wrong person. If this happens and you use the same password everywhere, you’ve instantly given that person access to everything you have protected under that password, and using the information they glean from various sites and services, they may be able to obtain more passwords on other sites and services.
Trying to figure out an easy way to make new passwords for each site? Try adding a unique identifier. For Gmail, add gM to the start or end of your chosen strong password. For Twitter, add tw33t or t!. Then you’ll have one main secure password with a different identifier for each site.
So a password like My#p4s$ becomes My#p4s$gM for Gmail and My#p4s$t! for Twitter. Be aware of the upper length limits of the sites you use: if you are limited to 16 characters, you can’t use something like $1mpl3!P4ssW0rD as the prefix for your identifiers, as $1mpl3!P4ssW0rDgM is too long.
Some Good Password Examples
Just by looking around at everyday objects, it can be very easy to create a password that is secure and easy to use.
- Pr!ngl3sC4nn (Pringles Can)
- d13tC0c4^c0l4 (Diet Coca Cola)
- St4rG4t3& (Stargate)
- c3lL#pH0n3 (Cell Phone)
Be aware that selling your data, whether gathered online or from your computer, is big business, and it is up to you to protect yourself.
In the end, you need to select strong passwords, change them often, use different ones on different sites, and stay apprised of security issues with the sites, services and computers that you use. I hope you all take the time to beef up your password security and are able to stay safe.