How to choose a secure password: Difference between revisions

From Supporting Role Wiki
(→‎Some myths: Formatting fix)
(→‎Some myths: Add a couple more myths)
Line 31: Line 31:
== Some myths ==
== Some myths ==


* "Why would anyone to steal my password?"
* "Why would anyone want to steal my password?"
:An attacker may not be interested in you personally, but is trying to gain access to millions of accounts at a time. If your password is one of the easy ones then it will be guessed first and cracked. If it is a secure one then it will usually be ignored as being too much trouble.
: An attacker may not be interested in you personally, but is trying to gain access to millions of accounts at a time. If your password is one of the easy ones then it will be guessed first and cracked. If it is a secure one then it will usually be ignored as being too much trouble.

* "But how can they guess my password?"
: An attacker does not try to guess. They run a program that tries millions of different passwords a second. These are based on the most common passwords that people use, which is why you need to avoid using simple passwords.

* "Should I change my password every 3 months?"
: It's a common practise at some companies to force people to change their password every 3 months. This can protect against long-term professionally targetted attacks on that particular company. It does nothing to protect against quick attacks. And by forcing people to learn a new password often it can lead to poor choices because the password change has to be quickly made.


== Further information ==
== Further information ==

Revision as of 13:06, 4 March 2014

Introduction

Why passwords?

We all hate having to remember passwords. So why are they used? Mainly because they are cheap and can be changed quickly, and the alternatives such as secure tokens or biometric information are expensive and hard to use.

Ways of choosing a good password

  • Choose the first letter (or sound) from a memorable phrase or line from a song. So "I'm Jumping Jack Flash and it's a gas" could become "IJJFaiag" or "IJJF&i'ag".
  • Length is not the most important thing, but 8 characters is a usual minimum for most systems.
  • Using symbols can be very good, but be careful if you use a different keyboard (eg laptop, Mac, foreign keyboard).
  • Avoid using words, even foreign ones.
  • Avoid mixing words (eg. "blackhat").
  • Reversing a word (eg. "eruces") does not help much.
  • Substituting letters in a word with obvious numbers (eg. "z3r0") does not help much.
  • Appending dates or numbers to words (eg. "england1966") does not help much.

What to do with your password

  • Writing down a password is not itself insecure, as long as it is held securely. An example is a sealed envelope (which you do not reseal once opened) in a secure place (eg a locked drawer or data safe). Sticking it on your monitor, keyboard or desk is not safe.
  • Don't reuse a password for an important system (eg. bank or email) for anything else. Reusing passwords for less important sites (eg. a web forum) is not so bad.

Some myths

  • "Why would anyone want to steal my password?"
An attacker may not be interested in you personally, but is trying to gain access to millions of accounts at a time. If your password is one of the easy ones then it will be guessed first and cracked. If it is a secure one then it will usually be ignored as being too much trouble.
  • "But how can they guess my password?"
An attacker does not try to guess. They run a program that tries millions of different passwords a second. These are based on the most common passwords that people use, which is why you need to avoid using simple passwords.
  • "Should I change my password every 3 months?"
It's a common practice at some companies to force people to change their password every 3 months. This can protect against long-term professionally targeted attacks on that particular company. It does nothing to protect against quick attacks. And by forcing people to learn a new password often it can lead to poor choices because the password change has to be made quickly.

Further information

  • Bruce Schneier on Security:
https://www.schneier.com/essay-246.html
https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
  • Lockdown Password Guide
http://www.lockdown.co.uk/?pg=password_guide