The Hitchhiker's Guide to Passwords
Article by Rick Leinecker, March 27, 2006

Passwords: you can't live with them - you can't live without them. They can provide annoyance with a capital 'A'. But without a password, your bank account would quickly be overdrawn. I'm going to give you some common sense advice regarding passwords that'll increase your protection while reducing your anxiety.

Let's start with password security; after all, that's what a password is for. Passwords that are common, everyday words are not secure. There's a cracking technique aimed at exactly those passwords, and it's called a dictionary attack. The cracker runs a program that tries every word in a wordlist until the right one turns up. Against a live login form, which may lock the account after a few failed attempts, that is slow going; against a stolen copy of the password database, where the program can test millions of guesses per second against the stored password hashes, a whole dictionary takes seconds to minutes. So, if your password is summer, or vacation, or warm, then you're not secure at all. What's even worse, if your password is something that one of your friends could easily guess, such as your pet's name, then it may take that friend even less time to guess your password than a dictionary cracking program.

I have a funny story from my days at MCI's digital imaging division. The chief network administrator was a Barney Fife fan. On the wall in his office there hung a picture of Barney with a single bullet resting in the frame. This network administrator was in my office and logged onto my computer with his password. I noted that he typed in six characters, the first being a 'B'. Hmmm, that could be Barney, or it could be bullet. When he left, I found out. After two tries, bullet got me in. And with his account privileges I escalated my own network privileges from ordinary user to network administrator - slick! (Of course, I wouldn't initiate this type of youthful indiscretion anymore.)

The lesson is this: don't use normal words or words that acquaintances could guess. Most security experts recommend creating passwords that mix upper and lower case, have at least one numeral, and ideally have a special character. For example, Jerry4You has upper and lower case along with a numeral. Now you might ask: what about the fact that I used Jerry and You, two easy words? Squashing them together with a digit in between does put the result outside a plain wordlist, so a straight dictionary attack won't find it. Be clear about how far that gets you, though. Cracking tools don't stop at the plain wordlist; they apply mangling rules to it (capitalize the first letter, append a digit, join two words with a digit between them), and a two-word combination with a single digit is well within reach of those rules. Mixing cases, numerals and special characters is what makes a password "strong" in the usual sense, and it forces the attacker to try far more variants of each word, but the composite-word trick on its own is not what protects you. Length is: every extra character multiplies the attacker's work. It's also recommended that your password be at least eight characters; treat that as a minimum, not a target.
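To see how far the dictionary attack described above actually reaches once mangling rules are added, here is an added example of my own; it is not code from the original article. It plays the cracker against a stolen password database, assuming (for the demonstration only) that the passwords were stored as unsalted SHA-256 hashes, and uses a tiny constructed wordlist standing in for a real dictionary. The single-word rules find bullet and Summer7, the two-word rule finds Jerry4You, and a three-word phrase with a digit is outside what these particular rules generate, though a bigger wordlist and rule set pushes that boundary further.

```python
import hashlib
import itertools

# Constructed stand-in for a real wordlist (assumption: a real attack uses
# hundreds of thousands of words plus lists of previously leaked passwords).
WORDLIST = ["summer", "vacation", "warm", "barney", "bullet",
            "jerry", "you", "spot", "fido", "cant", "wait"]


def sha256_hex(password: str) -> str:
    """Hash a candidate the way the (assumed) target system stored its passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def case_variants(word: str) -> list:
    """as-is, Capitalized, UPPER; deduplicated, in a stable order."""
    return list(dict.fromkeys([word, word.capitalize(), word.upper()]))


def mangle(word: str):
    """Single-word rules: case changes, each optionally followed by one digit."""
    for base in case_variants(word):
        yield base
        for digit in "0123456789":
            yield base + digit


def combinator(wordlist):
    """Two-word rules: join two words directly or with a single digit between them."""
    for first, second in itertools.permutations(wordlist, 2):
        for a in case_variants(first)[:2]:        # as-is and Capitalized
            for b in case_variants(second)[:2]:
                yield a + b
                for digit in "0123456789":
                    yield a + digit + b


def candidates(wordlist):
    """Cheap rules first, then the (much larger) two-word combinations."""
    for word in wordlist:
        yield from mangle(word)
    yield from combinator(wordlist)


def crack(target_hash: str, wordlist=WORDLIST):
    """Return (password, guesses) on a hit, or (None, guesses) if the rules ran out."""
    guesses = 0
    for guess in candidates(wordlist):
        guesses += 1
        if sha256_hex(guess) == target_hash:
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    for pw in ["bullet", "Summer7", "Jerry4You", "CantWait4Summer"]:
        print(f"{pw:16} -> {crack(sha256_hex(pw))}")
```

The whole run is a few thousand guesses, which is why this style of attack costs minutes even against a real dictionary: the attacker pays per rule, and the rules that produce Jerry4You are among the first any tool applies.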

Strong passwords are still vulnerable to what's called a brute force attack: a program tries every possible combination of characters until it hits the right one. How long that takes is arithmetic, not folklore. With N possible characters and a length of L there are N^L candidates, and the attacker expects to find yours after trying about half of them. Eight characters drawn from the 95 printable ASCII characters gives roughly 6.6 × 10^15 candidates; at a billion guesses per second (a stolen database of quickly computed hashes on fast hardware) the whole space takes about 77 days, and at a million guesses per second about 210 years. Every character you add multiplies that by N, which is why length is the cheapest way to push brute force out of reach, and why a four-character password falls in well under a second. That's also why a strong password is so much better in practice: few attackers will commit weeks of computing to one account when a dictionary attack on someone else's password costs minutes. People with passwords that protect sensitive resources usually change them periodically, and a password that changes every couple of weeks does defeat a brute force run that needs months to finish. Don't lean on that, though: rotation only helps if the search takes longer than the rotation window, and you generally can't know how fast the attacker's hardware is. Make the password long enough that the search is hopeless regardless.

What about the promised anxiety reduction? All I've talked about so far is complicated passwords. How does that reduce anxiety? Well it's my approach to creating strong passwords that will put you at ease. Let me explain.

Try using passwords that represent phrases. For instance, if you can't wait until summer, try the password CantWait4Summer. It's long, it has upper and lower case, and it has a digit. But the best part is that you'll remember it because it's meaningful. If you want to throw in special characters, then you could try Cant.Wait_4_Summer. You could also split the difference between security and convenience and use cw4s, which is very easy to remember. Be honest about what you give up, though: four characters of lower-case letters and digits is only 36^4, about 1.7 million possibilities, which a brute force attack exhausts in a moment. It is an improvement over spot or fido, which sit in every wordlist, but only a small one; the real gain comes from keeping the whole phrase.
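The brute force arithmetic from earlier and the cw4s trade-off just mentioned, as an added example of my own rather than code from the article: a small calculator that works out the keyspace an attacker must search for a given password and how long that takes at an assumed guess rate. It goes a little beyond the single figure in the text by sizing the character set from the characters a password actually uses, since an attacker configures the search for the smallest classes consistent with the target. The guess rates are assumptions for illustration, not measurements.

```python
import string

# Standard character classes. Python's string.punctuation has 32 characters,
# so the four classes total 94; the space character is not counted here.
# Characters outside these classes (non-ASCII, space) are simply ignored.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Assumed guess rates in guesses per second, chosen for illustration only.
RATES = {
    "online login with lockout":         10,
    "offline, slow salted hash":         1_000_000,
    "offline, fast unsalted hash (GPU)": 1_000_000_000,
}

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def charset_size(password: str) -> int:
    """Sum of the sizes of the character classes the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over those classes must cover: N ** L."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst case, every candidate tried; the expected time is half of this."""
    return keyspace(password) / guesses_per_second


def outlasts_rotation(password: str, guesses_per_second: float, rotation_days: float) -> bool:
    """True if the password would be rotated before even the full search could finish."""
    return seconds_to_exhaust(password, guesses_per_second) > rotation_days * SECONDS_PER_DAY


def describe(seconds: float) -> str:
    """Human-readable duration for the report below."""
    if seconds < 60:
        return f"{seconds:.3g} seconds"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.3g} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.3g} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


if __name__ == "__main__":
    for pw in ["cw4s", "bullet", "Jerry4You", "CantWait4Summer", "Cant.Wait_4_Summer"]:
        print(f"{pw:20} charset={charset_size(pw):3}  keyspace={keyspace(pw):.3g}")
        for label, rate in RATES.items():
            print(f"    {label:36} {describe(seconds_to_exhaust(pw, rate))}")
```

Run it and the two lessons of the article fall out of the numbers: cw4s is gone in a fraction of a second offline and within days even through a rate-limited login, Jerry4You survives a two-week rotation against a billion guesses per second but not a six-month one, and the full phrase is out of reach at any of the assumed rates.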

Now that I've given you the two most important password recommendations (they must be strong and you should have a way to easily remember them), there are a few other suggestions that will help. The more important the resource you're protecting, the stronger the password should be: online banking needs a very strong password, while a throwaway email address doesn't. Change your passwords periodically (every six months is a reasonable schedule) and immediately if you have any reason to think one has leaked. Don't use the same password for everything; when one site is compromised, its password list gets tried against every other site, so a single reused password turns one breach into many. Have as many different passwords as you are comfortable with. And finally, don't leave your passwords on Post-it notes by your computer; that's an invitation for compromise.

That's it for password wisdom.