Practical Passwords

The Importance of Passwords

The use of good, strong passwords is indispensable both for protecting any confidential data you are responsible for and for defending your systems against attack and abuse. If your password is disclosed, whether deliberately or accidentally, it is compromised and must be treated as weak. A weak password may allow someone else to assume your identity and use, amend or delete any of the records or files you are responsible for.

To avoid accidental disclosure, a password should be easy to remember so you don't have to write it down. When using it, you should be able to enter it rapidly to avoid the keystrokes being seen by onlookers. Better still, place yourself between their eyes and your keyboard or ask them to look away.

Password-cracking programs are becoming ever more sophisticated, and the computers running them ever more powerful. They can try hundreds of millions of candidates derived from dictionaries and past "success" lists, as well as randomised character sequences. Computers running cracker programs are fast enough to try combinations of two or more listed words and numbers and still crack a password in hours. To avoid becoming their victim, choose a password that falls outside their likely search patterns.

Common sense suggestions for devising strong passwords, memorable and hard to guess:

  • use a memorable phrase or short sentence as a starting point, then substitute numbers and punctuation for some of the letters
  • use a mixture of upper and lowercase letters as well as numbers and punctuation
  • construct long mixed-case nonsense words that are pronounceable and include numbers and punctuation
  • for example, "The_cha1n_ha5_fa!!3n_0ff" would take 10,000 centuries to crack, whereas "qwertyuiop" would take 1 second (password.kaspersky.com)

A weak password is:

  • shorter than eight characters
  • a word from a dictionary
  • a proper name or noun
  • a phone number
  • an identification number generated by any agency or system
  • a string of the same character repeated
  • a simple pattern of letters or other keys from the keyboard
  • any of the above reversed or concatenated
  • any of the above with digits before or after
  • a birthday or anniversary date
  • anything easily associated with you or your interests
  • related to your login name or the system you use
  • a password you have used before
  • constructed of only alphabetic characters or only digits
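As an added example, not part of the original article, the following Python checker applies the weak-password rules listed above to a candidate password and reports which rules it breaks. The word list, keyboard rows, login name and password history are constructed placeholders; a real deployment would load a full dictionary and the account's own history.

```python
import re

# Constructed placeholder lists: a real checker would load a full word list
# (plus past "success" lists) and the account's own password history.
DICTIONARY = {"password", "secret", "welcome", "dragon", "monkey", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _strip_edge_digits(s: str) -> str:
    """Drop digits before or after the core, so 'password123' is judged as 'password'."""
    return re.sub(r"^\d+|\d+$", "", s)


def _is_listed(core: str) -> bool:
    """Dictionary word, forwards or reversed, or two listed words joined together."""
    for cand in (core, core[::-1]):
        if cand in DICTIONARY:
            return True
        if any(cand[:i] in DICTIONARY and cand[i:] in DICTIONARY for i in range(1, len(cand))):
            return True
    return False


def weak_password_reasons(pw: str, login: str = "", history: tuple = ()) -> list:
    """Return the rules from the list above that the password breaks; [] means it passes."""
    reasons = []
    low = pw.lower()
    core = _strip_edge_digits(low)
    if len(pw) < 8:
        reasons.append("shorter than eight characters")
    if pw.isalpha() or pw.isdigit():
        reasons.append("only letters or only digits")
    if len(set(pw)) == 1:
        reasons.append("same character repeated")
    # Keyboard rows, forwards or reversed, judged with and without the edge digits
    seqs = [s for s in {low, core} if len(s) >= 3]
    if any(s in row or s in row[::-1] for s in seqs for row in KEYBOARD_ROWS):
        reasons.append("keyboard pattern")
    if re.fullmatch(r"\d{6,8}", pw):
        reasons.append("looks like a phone number or a date")
    if _is_listed(core):
        reasons.append("dictionary word (possibly reversed, joined or padded with digits)")
    if login and (login.lower() in low or login.lower()[::-1] in low):
        reasons.append("related to login name")
    if pw in history:
        reasons.append("used before")
    return reasons
```

Running it on the article's two examples, "The_cha1n_ha5_fa!!3n_0ff" passes every rule while "qwertyuiop" is flagged as all-alphabetic and as a keyboard pattern.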

Contingencies

A reliable method of password management is to use a program like KeePass Password Safe, an open-source utility which works with Linux, Mac OS X and Windows.

If you must write down your password, perhaps as a contingency against forgetting it and locking yourself out of your own system:
  • Do not identify it as a password
  • Disguise it by making it part of a longer piece of text
  • Make the recorded version different from the actual password
  • Do not include the application, system or account name
  • Keep it in a secret place, hidden away from the view of anyone else

As a contingency against your being incapacitated and needing to pass on control of the system to another person, passwords should be stored in a sealed envelope in a fire safe.