How to choose a secure password: Difference between revisions

From Supporting Role Wiki
(Add more on password reuse)
(→‎Some myths: Formatting fix)

Revision as of 12:58, 4 March 2014

Introduction

Why passwords?

We all hate having to remember passwords. So why are they used? Mainly because they are cheap and can be changed quickly, and the alternatives such as secure tokens or biometric information are expensive and hard to use.

Ways of choosing a good password

  • Choose the first letter (or sound) of each word in a memorable phrase or line from a song. So "I'm Jumping Jack Flash and it's a gas" could become "IJJFaiag" or "IJJF&i'ag".
  • Length is not the most important thing, but 8 characters is a usual minimum for most systems.
  • Using symbols can be very good, but be careful if you use a different keyboard (e.g. laptop, Mac, foreign keyboard), as the symbol may be in a different place or missing.
  • Avoid using words, even foreign ones.
  • Avoid mixing words (eg. "blackhat").
  • Reversing a word (eg. "eruces") does not help much.
  • Substituting letters in a word with obvious numbers (eg. "z3r0") does not help much.
  • Appending dates or numbers to words (eg. "england1966") does not help much.
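The following is an added example (not part of the original wiki page) showing the two halves of the advice above in code: building a candidate from the initials of a memorable phrase, and a small policy check that catches the patterns the list says "do not help much" (plain or reversed dictionary words, obvious letter-to-digit substitutions, two words glued together, digits or dates appended). The word list, the substitution table and the reason strings are assumptions constructed for the example; a real check would use a full dictionary or a breached-password list.

```python
import re
from typing import Optional

# Constructed toy dictionary standing in for a real word or cracking list (assumption).
WORDLIST = {"black", "hat", "secure", "zero", "england", "password", "flash"}

# Undo the "obvious number" substitutions mentioned on the page (assumed table).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8  # the "usual minimum for most systems" from the page


def initials_from_phrase(phrase: str) -> str:
    """Take the first character of each word of a memorable phrase.

    "I'm Jumping Jack Flash and it's a gas" -> "IJJFaiag"
    """
    return "".join(word[0] for word in phrase.split())


def normalizations(candidate: str) -> set:
    """Return the plausible 'base words' hidden inside a candidate.

    Each variant reverses one of the weak tricks from the page: appended
    digits/dates are stripped, and digit-for-letter substitutions undone.
    Both orders are tried so "z3r0" and "england1966" are both recovered.
    """
    s = candidate.lower()
    no_digits = re.sub(r"\d+$", "", s)           # drop appended "1966", "123", ...
    variants = {s, no_digits, s.translate(LEET_MAP), no_digits.translate(LEET_MAP)}
    return {v for v in variants if v}


def weakness(candidate: str) -> Optional[str]:
    """Return a human-readable reason the candidate is weak, or None if no
    listed pattern applies. Pattern checks run before the length check so
    the more specific reason is reported."""
    for v in normalizations(candidate):
        if v in WORDLIST:
            return "dictionary word (possibly with substitutions or appended digits)"
        if v[::-1] in WORDLIST:                   # "eruces" -> "secure"
            return "reversed dictionary word"
        for i in range(1, len(v)):                # "blackhat" -> "black" + "hat"
            if v[:i] in WORDLIST and v[i:] in WORDLIST:
                return "two concatenated dictionary words"
    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    phrase = "I'm Jumping Jack Flash and it's a gas"
    print(phrase, "->", initials_from_phrase(phrase))
    for sample in ["eruces", "z3r0", "england1966", "blackhat", "IJJFaiag"]:
        print(f"{sample:12s} {weakness(sample) or 'no listed weakness'}")
```

The check is deliberately a blacklist of known-bad shapes rather than a "strength meter": it can tell you a candidate is weak, but a None result only means none of the page's listed patterns matched, which is the right way to read it when deciding whether to reject a password at enrolment.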

What to do with your password

  • Writing down a password is not in itself insecure, as long as the note is held securely. An example is a sealed envelope (which you do not reseal once opened, so tampering is visible) kept in a secure place (e.g. a locked drawer or data safe). Sticking it on your monitor, keyboard or desk is not safe.
  • Don't reuse a password for an important system (eg. bank or email) for anything else. Reusing passwords for less important sites (eg. a web forum) is not so bad.

Some myths

  • "Why would anyone want to steal my password?"
An attacker may not be interested in you personally, but is trying to gain access to millions of accounts at a time. If your password is one of the easy ones then it will be guessed first and cracked. If it is a secure one then it will usually be ignored as being too much trouble.

Further information

  • Bruce Schneier on Security:
https://www.schneier.com/essay-246.html
https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
  • Lockdown Password Guide
http://www.lockdown.co.uk/?pg=password_guide