How to choose a secure password: Difference between revisions
From Supporting Role Wiki
(→Introduction: Add "Why secure" password)
(Add reason for not reusing password)
Revision as of 13:42, 4 March 2014
Introduction
Why passwords?
We all hate having to remember passwords. So why are they used? Mainly because they are cheap and can be changed quickly, and the alternatives such as secure tokens or biometric information are expensive and hard to use.
Why secure?
You don't need a different secure password for everything, but you should have a secure password for anything involving money (eg. bank or online retailers) or anything that could be used to confirm your identity or receive sensitive documents (eg. your email account).
Ways of choosing a good password
- Choose the first letter (or sound) from a memorable phrase or line from a song. So "I'm Jumping Jack Flash and it's a gas" could become "IJJFaiag" or even "I'JJF&i'ag".
- Length is not the most important thing, but 8 characters is a usual minimum for most systems.
- Using symbols can be very good, but be careful if you use a different keyboard (eg laptop, Mac, foreign keyboard).
- Avoid using words, even foreign ones.
- Avoid mixing words (eg. "blackhat").
- Reversing a word (eg. "eruces") does not help much.
- Substituting letters in a word with obvious numbers (eg. "z3r0") does not help much.
- Appending dates or numbers to words (eg. "england1966") does not help much.
What to do with your password
- Writing down a password is not itself insecure, as long as it is held securely. Example is a sealed envelope (which you do not reseal once opened) in a secure place (eg lock drawer or data safe). Sticking it on your monitor, keyboard or desk is not safe.
- Don't reuse a password for an important system (eg. bank or email) for anything else. This is so that if your password for only one system is known, the damage is limited; but if someone has access to everything you use then the damage will be much larger and harder to fix.
Some myths
- "Why would anyone want to steal my password?"
- An attacker may not be interested in you personally, but is trying to gain access to millions of accounts at a time. If your password is one of the easy ones then it will be guessed first and cracked. If it is a secure one then it will usually be ignored as being too much trouble.
- "But how can they guess my password?"
- An attacker does not try to guess. They run a program that tries millions of different passwords a second. These are based on the most common passwords that people use, which is why you need to avoid using simple passwords.
- "Should I change my password every 3 months?"
- Not really. It's a common practice at some companies to force people to change their password every 3 months. This can protect against long-term professionally targeted attacks on that particular company, but it does nothing to protect against random attacks. And by forcing people to learn a new password often it can lead to poor choices, because the password change has to be made quickly.
Further information
- Bruce Schneier on Security:
- https://www.schneier.com/essay-246.html
- https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
- Lockdown Password Guide