Choosing Passwords

Passwords are a ubiquitous form of security protection. Unfortunately, many users do not take the extra effort to secure their passwords properly. With a few minor guidelines, your passwords will become far harder to break.

Many users select a password that is easy to guess (such as a name, date, address, or "password"). It is sadly not uncommon to find a password stuck to a monitor on a Post-It note.

There are three main approaches to cracking passwords: intelligent guessing, trying random word and number combinations, and automated software that tries every possible combination of characters. Given enough time, the automated method can crack any password. In fact, network passwords that once took weeks to crack can now be cracked in hours due to the overall increase in computing power available. However, it can still take months to crack a strong password.

Tips for selecting a hard-to-crack password include:

  • Select a password at least seven characters long. Some systems use algorithms which have an optimum length; for instance, Windows XP has the strongest encryption with either 7- or 14-character passwords.
  • Use a mix of letters (upper case and lower case), numbers, and symbols, such as: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /. Some users "spell" words, for example "1T$" (ITS).
  • Use one or more numbers or symbols in the middle of the password (rather than adding one at the beginning or end).
  • Do not use your name or login name.
  • Change passwords frequently and do not repeat passwords. Most networks can be set to manage this automatically on a company-wide basis.
  • Do not allow Windows, Internet Explorer, or other software to remember your passwords for you. Otherwise anyone else who sits down at your PC can access those web sites or network resources.
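As an added example (not code from the original article), the following Python checks a candidate password against the guidelines above and counts the combinations an exhaustive search would have to cover for a password of that length and character mix. The function names, the optional login/name parameters and the sample passwords are constructed for this illustration.

```python
# The symbol set the article lists (32 characters, same as string.punctuation).
SYMBOLS = set("`~!@#$%^&*()_+-={}|[]\\:\";'<>?,./")


def check_password(password, login="", name=""):
    """Return the article's guidelines that `password` violates (empty list = passes).

    `login` and `name` are optional strings the password must not contain.
    """
    problems = []
    if len(password) < 7:
        problems.append("shorter than 7 characters")
    present = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in SYMBOLS for c in password),
    }
    missing = [cls for cls, found in present.items() if not found]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    # Numbers and symbols should sit in the middle, not only at the ends.
    interior = password[1:-1]
    if not any(c.isdigit() or c in SYMBOLS for c in interior):
        problems.append("no number or symbol in the middle")
    lowered = password.lower()
    for label, value in (("login name", login), ("name", name)):
        if value and value.lower() in lowered:
            problems.append("contains " + label)
    return problems


def brute_force_combinations(password):
    """Combinations an exhaustive search must cover for a password of this
    length drawn from the character classes it actually uses."""
    alphabet = 0
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in SYMBOLS for c in password):
        alphabet += len(SYMBOLS)
    return alphabet ** len(password)


if __name__ == "__main__":
    # Constructed sample passwords; "secret" stands in for the user's login name.
    for pw in ("password", "Tr0ub&dor", "Secret1!"):
        print(pw, check_password(pw, login="secret"), brute_force_combinations(pw))
```

Comparing the combination counts for "password" and "Tr0ub&dor" shows why one extra character and a mixed character set, not just a longer word, push cracking from hours toward months.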

Biometrics

As we discussed in our Trends column last year, biometric security may be the way of the future. These devices identify biologically unique characteristics and use them to limit access to a system. A common method is to use a fingerprint and have the device mathematically calculate a long, seemingly random password from that. Then all the user has to do is to use their fingerprint instead of typing in a password. These devices already exist today, for a fairly low cost.

Smart Cards

Since Windows 2000, Microsoft has supported smart cards for remote or network access. Users must use a special card and PIN to gain access. However, this probably will not work with all software.

Password Managers

Another alternative is password management software. These programs maintain an encrypted list of passwords for you. You simply enter one password or key phrase to unlock the list and look up any login and password as desired. Some will even generate hard-to-guess random passwords for you, and remember web addresses to jump directly to the desired web site.

August 2002

Subscribe to The ITS Connection