A Simple Way To Make a Strong Password
It is very important to protect your online accounts with strong and secure passwords. You probably have heard that before. But did you do it? Probably not.
“Yea, OK, OK, what is a strong password anyway?”
Well, it may be easier to answer that by first looking at what is a weak password.
A weak password is a password that can be easily guessed by a human, including humans who know a substantial amount about you. A weak password is also any password that can be easily cracked by a password-guessing program. These cracking programs use extensive dictionaries and special word lists containing millions of commonly known or potentially knowable passwords. They can also try millions of random strings of characters. The speed at which these programs can work is astounding.
Examples of weak passwords:
- Any word that is in any dictionary.
- Any number, unless it is so large as to be cumbersome to remember.
- Any birth date.
- Any pet's name.
- Any person's name or nickname.
- Any common quotation or phrase.
- Any password that you use on ALL your accounts.
- Any password, no matter how strong it is, that you told your computer to remember by selecting the Remember Me option on a password dialog.
Of course it is important to have strong, hard-to-guess passwords on any financial accounts such as banks or brokerages. Most people understand this. But did you know it is also very important to have a strong password on your email accounts and for logging on to your computer? Well, it is.
But most people are also afraid of losing or forgetting their passwords. So they make them easy to remember and therefore easy to crack. Or they make them so hard to remember that they have to write them down, and then they leave them next to their computer.
How quickly can weak passwords be cracked? Within seconds. Yes, you heard us right. Within seconds.
OK, what are some characteristics of strong passwords:
- They should contain a mixture of all the available keyboard characters, including a mix of upper and lower case letters, numbers and special characters.
- They should be at least 8 or 9 characters in length.
- They should not be written down, unless they are kept in a very secure place.
- They don’t have any of the characteristics of a weak password.
This is an example of a strong password: XnZJ3tHjur^ (well, it was until we published it)
It would take high-powered cracking attacks a considerable amount of time to guess this password. And clearly, no human is going to guess this one.
OK, yea sure, you say. Who the heck can remember a password like that?
Plus, each important account should have a different password. How are you going to manage that?
Well, here is how:
Please notice that the above-mentioned password has two halves: XnZJ3 and tHjur^
Make one half of your password something that is common to all your passwords. Memorize this half and never write it down. It still should not be something easily guessed. It should mix case and include at least one special character. But since it is common to all your passwords, it will be much easier to remember.
The second half could be something that you associate with the account in question.
For example: FiDo3 and mYbanK^
- FiDo3 would be common to all your passwords and never written down.
- mYbanK^ would be unique to your bank, and also relatively easy to memorize, and could vary in length depending on the account.
The second half could be written down somewhere. If anybody finds your password list, it will still be almost useless. You could even carry such a list in your wallet or purse and it would be of little use to a thief.
We say almost useless, because nothing is perfectly secure. Key-logger spyware on a computer could expose any passwords typed on the keyboard.* And if crackers figure out your technique, it may be of some help towards cracking your passwords, but the time and computer power required will still be substantial. And, hey, this technique is not designed for protecting national security secrets. But it can be very useful for the average computer user.
* The threat of key-logger software is why we also suggest using a well-known password utility like RoboForm. If a hidden key-logger ever compromises your computer, these programs can provide a significant additional layer of protection. Because even if they learn the password for these programs, they will still have to hack into your computer or physically access your computer for it to be of any use to them.
Note: These programs can be used to generate random passwords that are very secure, but many folks still need passwords that are memorable. And that brings you back to our recommended two-part password technique.
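An added example, not part of the original post: a Python audit of a password list against the strong-password characteristics listed above, which also shows how much guessing remains if the common half of the two-part technique becomes known. The word list, the account names and the 94-character alphabet are assumptions made for illustration.

```python
import math
import os
import string

# Constructed sample word list; a real audit would load a large dictionary file.
COMMON_WORDS = {"password", "fido", "letmein", "dragon", "monkey"}
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

def weaknesses(password):
    """Return the strong-password characteristics from the post that fail."""
    found = []
    if len(password) < 8:  # the post asks for at least 8 or 9 characters
        found.append("shorter than 8 characters")
    if not all(any(c in cls for c in password) for cls in CLASSES):
        found.append("missing a character class")
    if password.lower() in COMMON_WORDS:
        found.append("dictionary word")
    if password.isdigit():
        found.append("number only")
    return found

def brute_force_bits(length, alphabet=94):
    """Upper bound: log2 of all strings of `length` over printable ASCII.
    Human-chosen halves such as an account name are worth far less."""
    return length * math.log2(alphabet)

def audit(accounts):
    """Audit {account: password}: weaknesses, reuse, and the shared half."""
    passwords = list(accounts.values())
    shared = os.path.commonprefix(passwords) if len(passwords) > 1 else ""
    report = {"shared_half": shared,
              "reused": len(set(passwords)) < len(passwords),
              "accounts": {}}
    for name, pw in accounts.items():
        report["accounts"][name] = {
            "weaknesses": weaknesses(pw),
            "bits_full": round(brute_force_bits(len(pw)), 1),
            # Work left for a guesser once the shared half has leaked elsewhere.
            "bits_if_shared_half_known":
                round(brute_force_bits(len(pw) - len(shared)), 1),
        }
    return report

# Constructed sample built from the example halves in the post.
SAMPLE = {"bank": "FiDo3mYbanK^", "email": "FiDo3eMaiL!"}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The drop from `bits_full` to `bits_if_shared_half_known` is the cost of the technique: once one full password is exposed, only the per-account half still protects the others.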
There are also any number of other techniques for creating and using strong passwords. The important thing is not what technique you use; the important thing is that you don’t use weak passwords.
Note: This Post is so important that we also made it a permanent page on this web site. It can be found HERE.
- Practice Safe Computing -


June 22nd, 2005 at 5:59 PM
For more information about passwords, and/or if you need very strong passwords, we suggest this article by Fred Langa: “How to Build Better Passwords”.