WWW.BS25999.COM

Sunday
Jul 06th
Choosing A Pas8w0rd
Computer passwords are a fact of modern life; here are some tips for keeping them secure and memorable.

The number of passwords the average computer user requires is growing as more and more sites require registration, and that is before counting access to work systems, email accounts and others.

A complex password is harder to crack than a simple one, and using the same password for multiple accounts is just plain bad. You know it, I know it, and so do the people who make it their business to break into computer systems.

The problem with super strong passwords like CV%f^%hhy89765F is that, whilst secure, no one is ever going to remember them. The obvious thing that people do when forced to use passwords like this is, you guessed it, write them down. Not a good idea.

 

 

Some Surprising Information on Password Cracking

The security expert Bruce Schneier carried out a very interesting statistical analysis of 34,000 MySpace passwords using commercially available password guessing software.  A reasonably modern PC can guess 350,000 Microsoft Office passwords per hour using this software. These applications are also intelligent, concentrating on likely combinations first, using combinations of dictionaries, lists of names and other common words.

This also assumes a completely blind guess. Throw in the name of the person, an email address or some other personal data and success becomes both more likely and quicker. Don't assume that this information has to be obtained by some secret means. Applications exist that scan a computer for all printable text, from emails, swap files, documents and so on, to create a dictionary of possible words to try.

The top 20 passwords in the MySpace analysis (following a hacking attempt) were as follows:

password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1 and monkey

 

Tips for Choosing and Remembering Passwords

Whilst there are differences of opinion, the most common advice to computer users for choosing and using a password is:

  • Don't think you are being secure by replacing a normal word's o with a zero or its i with a 1. This is one of the most obvious tricks. The same applies to other simple alphanumeric substitutions.
  • Don't use passwords based on personal information
  • Avoid words that can be found in the dictionary, including foreign language dictionaries. Also avoid words found in the media, sports and other popular culture.
  • Don't use words that can be found in any dictionary of any language
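
As an added example (not part of the original article), the check below shows why the first tip holds: it undoes simple substitutions and strips trailing digits or punctuation before comparing a candidate against a subset of the list quoted above. The substitution mapping and the function names are assumptions made for this illustration.

```python
import re

# Subset of the top-20 list quoted in the article above.
COMMON = {
    "password1", "abc123", "myspace1", "password", "blink182", "qwerty1",
    "123abc", "baseball1", "football1", "123456", "soccer", "monkey1",
    "liverpool1", "princess1", "jordan23", "slipknot1", "superman1",
    "iloveyou1", "monkey",
}

# Simple substitutions to undo (assumed mapping, chosen for this example):
# 0->o, 1->i, 3->e, 4->a, 5->s, 7->t, @->a, $->s, !->i
UNLEET = str.maketrans("013457@$!", "oieastasi")


def canonical(pw):
    """Lower-case and undo substitutions, so 'P4ssw0rd' and 'password' compare equal."""
    return pw.lower().translate(UNLEET)


def base_word(pw):
    """Drop trailing digits/punctuation first: 'm0nkey2024!' -> 'monkey'."""
    return canonical(re.sub(r"[^a-z]+$", "", pw.lower()))


# Both sides of the comparison go through the same normalisation.
DENY_FULL = {canonical(p) for p in COMMON}
DENY_BASE = {base_word(p) for p in COMMON} - {""}  # '123456' has no base word


def weakness(pw):
    """Return a short reason if pw reduces to a listed password, else None."""
    if canonical(pw) in DENY_FULL:
        return "common password"
    if base_word(pw) in DENY_BASE:
        return "common word with a suffix"
    return None


if __name__ == "__main__":
    # Constructed candidates, plus the article's own base phrase.
    for candidate in ["P4ssw0rd1", "m0nkey2024!", "Pr1ncess7", "mytablehas6chairs"]:
        print(f"{candidate!r}: {weakness(candidate) or 'not on the list'}")
```

A candidate that passes this check is not thereby strong; the check only shows that substitutions and suffixes do not move a listed password off the list.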

Use a base password rule that can be easily adapted depending on its use and is easily remembered.

For example:

Step 1

Choose a base password phrase. This can be anything, as long as you can remember it.

Example: mytablehas6chairs

 

This is a reasonable password in itself; it is quite long and has a number but can be enhanced even further and adapted for use on different sites.

Step 2

Move each character one up, so m becomes n, and so on. The result is harder to remember, but the base phrase is easy to manage.

Example: nbucmdibt7dibjst

 

This is now getting stronger; it will not appear in any dictionary.

Step 3

Add a punctuation mark at the end or a capital letter.

Example: Nbucmdibt7dibjst%

 

This is a very strong, long password. Using a shorter base phrase will make it more manageable, but you get the overall direction.

Step 4

The name of the system can be appended or prefixed to the password to make it unique. Use a simple rule, for example prefixing the name or initial of the site or service to the password.

 

There are a number of variations on the base password method and I would strongly urge all readers to search the web for a method that is both easy to use and secure. The above method is one of many.

 

Document Author: Harvey Fawcett

 
