Myron Johnson - RTA Information Technology

Computer Security, Telecommuting, and Windows Small Business Server 2003 and 2008.

Location: Tempe, Arizona, United States

RTA Information Technology, a Phoenix, Arizona-based company, specializes in computer security, telecommuting, and business computing. Myron Johnson is a Microsoft Certified Systems Engineer: Security on Windows Server 2003. RTA was Phoenix's FIRST Microsoft Certified Small Business Specialist. We install and care for servers, networks (wired and wireless), and desktop computers for businesses in the Phoenix, Arizona, area.

Sunday, January 15, 2006

Easy but SECURE Passwords - Think "Pass Phrases"!


RTA Information Technology, Tempe, Arizona

Don't you hate remembering passwords? I do!

Most people:
1) Write them down near their computer.
2) Make up an easy password. It usually consists of a word from the dictionary, followed by some numbers. Often, the password includes the name of family or pets.
3) When forced to change a password, they increment the number at the end of the password.

If this sounds like you, you're normal! And you are a prime candidate for having your password stolen!

Don't keep your password near your computer. And a so-called "Dictionary Attack" can break your password in minutes! Dictionary Attacks run through the entire contents of a dictionary, adding numbers to the beginning and end of each word. A Dictionary Attack will quickly find the right combination, and you've been hacked!

What's the solution? Pass phrases!

What's a pass phrase? It's a LONG string of words, numbers, or characters that's easy for you to remember, but hard to crack. Just the fact that it's LONG means it'll take a LOT of guesses to get your password. Even if you use only English words, think of how many combinations there are. Combine six words, add a few special characters (^%$[+), and you've made it a near-impossible task for a password cracker.

Consider the following three passwords:
1) "Paula11"
2) "Az7%lV8"
3) "Consider buying a GREAT business server."

1) "Paula11" is what most people use, given a choice. It's easy to remember. It's easy to type. Paula is your daughter or wife.

It's seven characters long. It'll take a Dictionary Attack a few minutes to break. If I look up information about you, I can probably GUESS your password. If you are required to change your password periodically, it may be "Paula99" by now. I can guess that one, too.

2) "Az7%lV8" is what's commonly suggested by the "security-aware" computer system. It's nearly impossible to remember. It's difficult to type. This might be a password assigned randomly by a computer. For sure, nobody would EVER voluntarily pick it.

It's also seven characters long. It'd take a Brute Force attack (every possible combination of letters and numbers) a few hours to break. It's hard to remember, hard to type, and easy to break.

3) "Consider buying a GREAT business server."
This is a pass phrase. It's easy to remember. It's easy to type. It means something to me.

It's FORTY CHARACTERS long. It'll take the world's fastest computer YEARS to complete a successful Brute Force Attack. You'll never be able to guess it manually. An even better pass phrase would be "Consider buying a xxxxx business server." That's even tougher to crack, and no harder to type or remember.
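As an added illustration (not part of the original post), the Python below estimates the number of guesses an attacker faces for the three example passwords under the two models described above, a dictionary word with digits tacked on and brute force over the keyboard alphabet, and adds a word-by-word model for phrases. The word-list size, the guess rate and the tiny embedded word list are assumptions, not figures from the post.

```python
import math
import re

# Constructed stand-in for an attacker's word list; a real list is far larger,
# so DICT_SIZE (assumed) is used for the arithmetic, not len(WORDS).
WORDS = {"paula", "password", "consider", "buying", "great", "business", "server"}
DICT_SIZE = 100_000          # assumed number of words the attacker tries
GUESSES_PER_SEC = 1e9        # assumed cracking speed; adjust to your threat model

# Dictionary attack as the post describes it: digits? + word + digits?
WORD_DIGITS = re.compile(r"^(\d*)([A-Za-z]+)(\d*)$")

def dictionary_pattern(pw):
    """True if pw is a dictionary word with digits before and/or after it."""
    m = WORD_DIGITS.match(pw)
    return bool(m) and m.group(2).lower() in WORDS

def charset_size(pw):
    """Size of the smallest standard keyboard alphabet that covers pw."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33   # printable symbols, space included
    return size

def search_space_bits(pw):
    """log2 of the guesses needed under the cheapest attack model that applies."""
    m = WORD_DIGITS.match(pw)
    if m and dictionary_pattern(pw):
        # word list times 10**digits possible number suffixes/prefixes
        digits = len(m.group(1)) + len(m.group(3))
        return math.log2(DICT_SIZE * 10 ** digits)
    char_bits = len(pw) * math.log2(charset_size(pw))
    words = pw.split()
    if len(words) > 1:
        # A smarter attacker guesses a phrase word by word rather than
        # character by character; six common words still cost ~100 bits.
        return min(char_bits, len(words) * math.log2(DICT_SIZE))
    return char_bits

def years_to_crack(pw):
    """Worst-case time to exhaust the search space at GUESSES_PER_SEC."""
    return 2 ** search_space_bits(pw) / GUESSES_PER_SEC / (365 * 24 * 3600)

if __name__ == "__main__":
    for pw in ("Paula11", "Az7%lV8", "Consider buying a GREAT business server."):
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, {years_to_crack(pw):.3g} years")
```

Run as-is, the three example passwords come out at roughly 23, 46 and 100 bits, which is the ordering the post argues for: the dictionary-plus-digits password falls in a fraction of a second, the random seven-character one in hours, and the phrase not in any realistic time.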

Get the idea?

My rules for secure passwords:
1) It's OK to write down passwords. Just keep them someplace safe and not on your desk!
2) Use more than one password. If a single password somehow gets exposed, you don't want the thief to have access to ALL your accounts. Pick two or three GOOD pass phrases and use them on different accounts. Write them down someplace safe if you don't use them frequently.
3) Use long, complex pass phrases. The longer the better. Windows Server 2003, Small Business Server 2003, Windows XP and 2000 allow VERY long passwords, and they allow special keyboard characters. Make your pass phrases long and add spaces and a special character or two.
Your pass phrase doesn't have to be hard to type. Make it easy on yourself. Just throw in a couple of extra, easy-to-type characters. Toss in an extra space or two. Or four. It doesn't have to be fancy. Just long.
4) I don't recommend enforcing too-frequent password changes, since most people simply modify their existing password. Instead, go for a GOOD pass phrase and keep it secret! There's no reason to have to change your password every month. Pick a strong password and change it yearly. Have a "Password Day" annually, when you change your passwords.

5) If you accidentally gave your password to somebody, change it wherever you've used it.

Passwords are the only barrier between thieves and your money and your data. Don't skimp on their length. Good passwords don't have to be hard to remember. They just have to be long.
