How to pick a good Password

From YWAMKnowledgeBase

(Redirected from Picking a Good Password)
Key.png

Security is important. Password protect your computer, your information, and your identity; so it's important to use password that are not easy to guess or break.

What does weak password mean?

A weak password is, by definition, easily found out by someone else. There are two different, but related threats to weak passwords: automatic trial&error, or manual guesswork.

There are a host of programs out there designed to rapidly find weak passwords: they either try every combination of letters, or use a dictionary of commonly used words, or a combination of both. The main problem is that trying out a password is so incredibly fast that such an trial-and-error approach can succeed quite rapidly - if the password is too short or uses dictionary words. Even combinations like Password123 don't delay much. So to put it bluntly: there are robot programs in the Internet that just try everywhere whatever they think may worthwhile, reporting back to the owner when they found something.

A less common threat is manual guessing: an attacker (human!) tries some passwords he thinks may be probable in this situation. That's why passwords are also weak if they are linked to what you are or what you do - 'lorencunningham' is not too short, probably not in a dictionary, but easily guessed once the attacker has gained some insight. As many people choose passwords based on information they judge "personal", an attacker can increase his chances if he searches to know such personal informations.

A recent security breach at hotmail.com offered the possibility to view 10,000 password users had chosen. An analysis of these passwords showed that at least 40% of the passwords were very weak.

Picking a Good Password

The fact is that most of the time, people prefer convenience to a secure password. Of course, a simple forum user doesn't have a top secret password, but don't forget the mentioned speed of those who will want to crack it.

The Basics

Don't use: password, administrator, root or any of the top 500 worst-passwords-of-all-time.

Don't use: your name, your date of birth, your children's date of birth, or other personal details.

Don't use: YWAM acronyms (like DTS) or other words that can be easily guessed by looking at the context.

Do use: a combination of UPPER CASE, lower case, numbers (0-9) and symbols (everything else).

Do use at least 6 characters. (Very good: at least 9.)

The following methods are ordered from very easy to very secure. The actual strength that you need may depend on the use case: for online banking you will likely choose a rather secure one.

Method 1 - Shifting Your Hands

If you touch type an easy way to great strong passwords is to shift your hands up one row on the keyboard and then type a word as you normally.Here are some examples:

Accounting=> Qdd97h58ht
MySecret => J6W3d435
TeaTime =>%w3%8j3

Method 2 - Substitution

Substituted numbers for letters or letters for numbers:

E ore=> 3
S or s => 5
L or i => 1
O or o => 0 (zero)
i =>!

Ok you get the idea, make up some of your own.

MySecret => My53cr3t

(Note that some password crackers know these simple substitutions and so kevin and k3v1n can be guessed quicker than you might think. Do make up your own!!)

Method 3 - Insert Special Characters or Spelling Mistakes

Insert a special character (like%,!:$+*. etc.) somewhere in the middle:

M%ySe-_cret

Alternatively, you can use unusual spelling mistakes:

MeiSeqret

Method 4 - Pass-phrases

Pass-phrases are easy for people to remember but hard for a computer to break. This cartoon gives a rather hunorous illustration of why: xkcd

Put a bunch of words together to make a pass phrase. eg:

IloveJesusEverydayMore

Or the same with some Substitution (method 2):

1L0veJ3su5Ev3rydayMor3

Most of the time, you can even use the blank (space) character:

I love Jesus, everyday more.

Method 5 - Shortened Passphrases

Use initial letters of a phrase to create an obscure password

slan4atf! = So Long And Thanks For All The Fish! (Douglas Adams)
4GsltwthgHos! = For God so loved the world that he gave His only son!

Method 6 - Password Generators

You can generate a random password online at Perfect Passwords without installing anything.

Also most password filing program have their own random password generators. I like and use Any Password. You can also use KeePass (or KeePassX if you're on Mac/Linux).

Password Storage

My daughter Ellie's has picked a long password including numbers but it possesses one fatal flaw...
Good passwords are inherently difficult to memorize. And it is not as if we had only one password to keep in mind (PINs, entrance doors, safe, ...). But good password combined with bad storage is like locking an important document into a safe, yet leaving its key in the lock - utter foolishness.

Again, weak storage is a when outsiders can easily get access to it.

On Device

Saving your password(s) on the PC you use them may be a pragmatic thing to do. However, if you store it in some normal file, you put your trust that no-one else will ever look at your files in your absence (or via virus). Also, be aware that even after you deleted the file, it can still be recovered (e.g. if you sell your laptop). And for the same reason, if you send a password via email, you trust that none of the servers inbetween dare to look at it (even though nobody would be able to verify that).

In both cases, encrypting the password(s) in a digitial Passwordsafe is a safer alternative. (Like Any Password or KeePass)

Written Down

Writing the password down on paper is better than storing it on the PC itself (a virus won't be able to read it, and it leaves less digital traces). But where to store the paper? NOT in obvious locations like under the keyboard, on screen, or in the shelf with other daily-work-documents ... Maybe, in writing it down, you mentally apply a sort of "encryption". For example, writing down only a hint to the password. Or advancing each letter forward in the alphabet. Or not writing the corresponding website and username near it. By doing that, even someone who finds the password can't (immediately) make sense of it.

In Your Mind

Of course, the safest way would be to store it in your mind! Sometimes, visual clues or similar sounds may help you remember. The method of a "Shortened Passphrases" makes it easy to remember (as you know it's sense), but hard to guess (or even to memorize/"shoulder-surf" for someone who doesn't know the long phrase of it).

Digital Legacy

A last word about passwords: as they manage our identity, it may be important to access to them if you suddenly we struck by a bus (see Bus-Factor). On YWAM IT, we had some discussion about the death of a national leader (Digital Legacy), concluding that passwords, combined with the knowledge how to use them, may be important to keep the work up (see If I got Hopelessly Sick / Died Suddenly ...).