Archive for the ‘Passwords’ Category

Password blues.

June 10, 2009

For the average computer user, password management often involves either their pet’s name or a selection of Post-It notes on their monitor.  While for some this may be the only way to remember their passwords, there are a number of guidelines that can be followed to ensure users create strong, secure passwords that are also easy to remember without having to write them down.

It’s a popularly held belief that the best passwords are those made up of random strings of upper and lower case letters, numbers, and other symbols.  While these are indeed the most difficult to crack via a brute force attack and tend to be impervious to dictionary attacks, they are also the most difficult to remember and therefore the most likely to be written done.  The most complex password becomes useless when its easily accessible by other people.

The complexity of a password increases exponentially as the password’s length increases.  There are over 10,000 more password combinations for a 15 character password using just lower case letters than there are for an 8 character password using upper and lower case letters, numbers, and all the symbols easily accessible on a normal keyboard.  Therefore, you don’t need to use every character available just to get a complex password.

Many people also don’t realise that Windows passwords can be up to 127 characters long and can also contain a space.  This makes it very easy to construct a complex password, which is in essence a pass phrase, which is easy to remember.  A good way to start is to take a simple phrase, such as “summer is” here and apply some standard rules to it.  For example, you could capitalise the second letter or each word, rather than the first, to make it more difficult to guess.  You could then add a specific symbol at the end of the password.  Lastly, you could substitute specific letters for symbols or numbers (such as “@” for “a” and “5″ for “s”).  This makes the password “5Ummer i5 hEre!” which is very complex and well protected from common password attacks.  If you keep the same set of standard rules, it’s also easy to remember.  Additionally, if you need to write anything down, you can write down the rules rather than the password itself which is a much lower risk.

When you need to change your password, you simply need to select a new phrase and apply the same rules – “now its autumn” would then become “nOw iT5 @Utumn!”, another complex yet easy to remember password.

One last point – there is always going to be a need at some point to write down a password.  Some passwords, such as the Windows Directory Services Restore Mode password, are designed to never be used except in an emergency.  These are therefore going to need to be recorded somewhere to ensure access when needed.  Writing these passwords down is not in itself a security risk – it’s what you do after they are written down that can cause the problem.  Locking the password is a safe with controlled access should present very little risk at all, and as the use of these passwords is very limited, it shouldn’t be a problem if accessing them takes time.