Creating A Strong Password
To encourage users to not write down passwords, one common piece of advice is to pick an easily remembered word or phrase and “swap out” letters for numbers or symbols. For example, a fan of “Lord Of The Rings” might opt for “FrodoBaggins,” and then change it to “Fr0d0B@ggin5.” While good advice on the surface, I believe this approach can present unintended challenges. Specifically, when I try to recall it a month from now, how likely is it that I will say, “Hmmm. Did I change one ‘O’ or both? And did I change the ‘s’ to a ‘5’ or a ‘$’?”
Actually, this approach can work if you are methodical and consistent. That is, if EVERY “o” ALWAYS becomes a “0” (that's the number zero, since the two are hard to tell apart), EVERY “e” ALWAYS becomes a “3,” EVERY “l” ALWAYS becomes a “1,” and you NEVER expand your scheme to include “5” for “s” and “@” for “a,” then it could work for you. But for the other 6 billion people on the planet, I have another idea, which I believe is superior. To the best of my knowledge, I developed it, but who knows whether someone else out there had a similar flash of insight.
Start with a relevant phrase that contains exactly five words and two numbers. It may take some thinking, but it’s critical, as you will see in a moment. Take the first letter from each word to form the passphrase. Don’t substitute numbers for alphabetic characters, as often is recommended. Then add one more letter representing the application, service, or institution associated with the password.
For example, I’m a huge fan of the Beatles. So my phrase can be, “In 67, Sgt. Pepper was released.” Taking the first letter from each word leads to i67spwr. If I want to maintain the capitalization, it becomes i67SPwr. Either way, it’s a strong password. Assuming your passphrase does not by coincidence spell out one or more words—such as hi2there—it should be resistant to a dictionary attack, described later in this section.
The problem is, if your password is the same for each of your online identities, then someone who gets one gets them all. That’s where the “one more letter” referenced above comes in. Let’s say I want to create a password for my online Discover Card account. I add a “d” for Discover, and the phrase now becomes i67spwrd; for American Express, it’s i67spwra. (No, I do not actually use these exact passwords, and if I did, I would not be publishing them in a book for the world to see.)
Of course, if you follow the above steps to the letter, then in reality you do have a single password: seven characters comprising the “true” password, and then a single letter representing the application or online service at the end. So mix it up. The first time you create a password this way, do put the extra letter at the end. The next time, put it just before the numbers. Split the numbers. Or, if the name of the service starts with the letters A-M, put it first; N-Z, at the end. In short, do whatever works for you. It makes the password harder to remember, but at least you have a finite number of possibilities to try before the system locks you out.
The beauty of this system is that it allows you to use the “Post-It” method for a hint. I could write down “Beatles” (or if I want to be a little more obscure, “btl”) and put sticky notes all over my office. I challenge a cracker to derive i67spwrd from “btl.”
Bear in mind that if an attacker were able to install a keystroke logger or some other type of monitoring device on your system, clearly any userID / password combination entered could be captured. And if he or she manages to record several—i67spwrd at Discover’s website and i67spwra at American Express—it would not be hard to deduce the logic behind the passphrase’s structure. Therefore, best practice still dictates that you should change your passwords on a regular basis, and immediately if you suspect one of them has been compromised.
A few explanations and hints:
- Why do I specify a five-word, two-numeral phrase? Because there are systems still in existence which allow a maximum password size of eight. (How 20th century!)
- Why two numbers? Because some financial institutions require that the password contain two numbers.
- Although not mentioned in the discussion above, the numbers should appear somewhere in the middle. Some websites will reject a password if the numbers are at the end. I once wasted a bit of time figuring this out when a proposed password was rejected without specifying why it was invalid.
That leads to one final, and critical, point. I stress the 5 + 2 + 1 composition because the key is to be consistent. Every website I currently use accepts a password structured as I have described. That is important, because if you find yourself making slight modifications to some passwords to meet the unique constraints of the system, I suspect you’ll find yourself making more notes as well.
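As an added illustration, not part of the original post, here is the 5 + 2 + 1 recipe and the checks listed above written out in Python: the phrase composition rule, the first-letter derivation, the “hi2there” dictionary coincidence, the service-letter placement, and the eight-character legacy limit. The function names, the toy wordlist, and the sample service names are assumptions made for this example.

```python
import re
# Constructed toy wordlist standing in for a cracker's dictionary (assumption: a real
# check would load a full wordlist). Eight is the legacy size limit the post mentions.
TINY_DICTIONARY = {"hi", "there", "the", "her", "ear", "pepper", "rose"}
MAX_LEGACY_LENGTH = 8

def tokens(phrase):
    """Split a phrase into words and runs of digits; punctuation is dropped."""
    return re.findall(r"[A-Za-z]+|\d+", phrase)

def check_phrase(phrase):
    """Return the ways a phrase breaks the post's rule: five words, one two-digit
    number, and the number somewhere in the middle rather than first or last."""
    toks = tokens(phrase)
    words = [t for t in toks if not t.isdigit()]
    digits = "".join(t for t in toks if t.isdigit())
    problems = []
    if len(words) != 5:
        problems.append(f"expected 5 words, found {len(words)}")
    if len(digits) != 2:
        problems.append(f"expected 2 digits, found {len(digits)}")
    if toks and (toks[0].isdigit() or toks[-1].isdigit()):
        problems.append("the number must sit in the middle, not at either end")
    return problems

def derive_token(phrase):
    """First letter of each word, digits kept whole, lower-cased: i67spwr."""
    return "".join(t if t.isdigit() else t[0] for t in tokens(phrase)).lower()

def dictionary_hits(token, dictionary=TINY_DICTIONARY):
    """Dictionary words hiding inside the token (the post's 'hi2there' coincidence)."""
    return sorted(w for w in dictionary if w in token.lower())

def add_service_letter(token, service, scheme="end"):
    """Add the service's first letter. scheme='end' matches the post's i67spwrd example;
    'a-m-first' is its mix-up rule: services A-M put the letter first, N-Z last."""
    letter = service[0].lower()
    return letter + token if scheme == "a-m-first" and letter <= "m" else token + letter

def build_password(phrase, service, scheme="end"):
    """Full 5 + 2 + 1 derivation plus every check the post mentions."""
    problems = check_phrase(phrase)
    token = derive_token(phrase)
    if hits := dictionary_hits(token):
        problems.append(f"token contains dictionary word(s): {hits}")
    password = add_service_letter(token, service, scheme)
    if len(password) > MAX_LEGACY_LENGTH:
        problems.append(f"{len(password)} chars exceeds the {MAX_LEGACY_LENGTH}-char limit")
    return password, problems
```

`build_password("In 67, Sgt. Pepper was released.", "Discover")` yields the post's `i67spwrd` with an empty problem list; moving the number to the end of the phrase or using a four-digit year is reported rather than silently accepted.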