Internet > Security Issues >

Password Advice

Use of a good password is your first security defence. You should always use a password on any computer that others can access, so that no one can access your private information, use your account and impersonate you on the Internet, delete your files by mistake, etc.

You should change your password regularly, where regularly is determined by your environment -- perhaps every 60 days in an office environment and every six months on a secure home computer. From least to most secure, there are three types of passwords:

  • What you have. Examples include keys and pass cards. The risk is that they can be lost or stolen.
  • What you know. Examples include computer account passwords and building entry passwords, information that passes from your brain through your hand to the security system. The risks are that they can be copied if you are observed entering them, and unless they are sufficiently unique they can sometimes be guessed or cracked.
  • What you are. Examples include fingerprints, retina patterns, and other biometric passwords. These are much more difficult to copy (so far) and are therefore the most secure passwords.

The most common type of password on the Internet are passwords you know, mainly alphanumeric keywords. For a reasonably secure home computer, password selection might be a less critical issue, but on networks open to the Internet there are many very real threats to administrator, network, and application passwords. Many ingenious programs have been written to crack passwords at high volume, some by hackers and some as legitimate security testing tools, and are of course loose on the Internet. Many of these programs use a variety of dictionary based attacks to combine common words and word variations to try thousands of passwords as fast as the targeted system will permit. Some start by guessing a whole bunch of common passwords.

Other password cracking techniques include low-tech but surprisingly effective methods as sending an email supposedly from an authorized administrator requesting the password, making a telephone contact supposedly from the authorized company and then requesting the password for authentication, and use of electronic spy ware to capture the legitimate entry of a password and send it to the eavesdropper. As always, the human element is more unpredictable than the technical part.

To provide maximum protection, there are four basic rules for password management security:

  • Pronounceable. The best password is at least eight letters, and pronounceable so that it is memorable. Your password should not be a recognizable word, and should include at least one number, to minimize the chances it can be found by "dictionary" based attacks. There is a simple trick to making them up instantly -- pretend you are two years old, combine random syllables into words, then add a number, such as "banilum4", "somi3can", and "telupson6".
  • Non-clichés. Lots of people use their birthday or spouse's birthday, the name of someone from their family or friends, the name of a favorite pet, or some other high profile subject for their password. Avoid all the obvious choices, since professional hackers try these first.
  • Unique. Never use the same password for more than one purpose, and change important passwords regularly without reusing old ones. Use separate passwords for your computer login, internet account, email account, and other functions. If you use the same password for more than one purpose, you run the risk that if someone knows one of your passwords then they can break into all of your accounts. (This rule may be relaxed for low threat environments such as a home office).
  • Write it down. Unfortunately, the trade-off for using good password practices is that you might forget them, so you need to record them somewhere. If you don't do this, it is a statistical certainty that sooner or later you will find yourself locked out of a computer or application at a very inopportune time. The trick is finding a secure location for storage of this sensitive document. If you have a very secure storage location (locked filing cabinet, encrypted file on your main computer) than you might store it there, but make sure it is secure; if that security protection is bypassed, all of your passwords are lost.

    First principles are: don't leave it on your desk, store it in your wallet, or tape it to the bottom of anything. For non-electronic storage, a common but effective technique is to record your passwords in pencil on a document that stored with a lot of other documents, or on the margin of a page of a book on a shelf with a lot of other books. Therefore, even if someone had the time to search for it, it would be difficult to find, and even if found it wouldn't be obvious what it was.

Resources. The following sites provides more information on passwords: