Sunday, March 22, 2009

10 Strategies for choosing a Secure Password You Can Remember

Having seen my fair share of "bad passwords" and understanding that for many IT departments password resets can account for 20-30% of all calls, it seems there is the need for a post on this topic that might help people choose good passwords they can remember.  

[Image: (flickr credit: ferran.pons)]

There are two very different perspectives

From the IT side of things, the focus is generally on security, which results in policies that:

  • make users change their password every 30-60 days

  • require more complex combinations of UPPERCASE letters, lowercase letters, numbers and symbols.

  • lock out your account if you get your password wrong a few times in a row (ever left caps lock on?) 


On the user side of things, the focus is generally on the utility of being able to log in so that you can get your work done.  This focus leads towards:

  • Folks who have forgotten their passwords using others' accounts so they can get their work done.

  • Passwords on post-it notes by their monitors

  • Users re-using passwords between systems to reduce the number of passwords they need to remember

  • People picking "easy" passwords to help remember them.


So it is easy to see how either side could view the other with disbelief.  The IT group shakes its head at people choosing poor passwords and showing disregard for security.  The users shake their heads at an IT group that appears to care more about complicating passwords than helping them perform their daily tasks.  It doesn't have to be contentious; there is hope.  More and more, users are becoming educated about the importance of good security practices, and security professionals are realizing that the best security is the kind that works for users rather than against them.

What makes a password good?

Put simply, anything you can do to make your password difficult to figure out is good.  So if your password is really long, and composed of many types of characters, it becomes very difficult to "guess".  If your password is short, a real word found in the dictionary, or something an attacker would know about you, then you make it easier for someone to guess your password.  But having a "good" password is only part of the challenge.  The best password in the world does you little good if you can't remember it.  Locking out all the would-be hackers is only part of the equation; making sure the account is accessible by the right person is the other.

[Image: ForgotPassword (flickr credit: guspim)]

10 Strategies for choosing a secure password you can remember

So here are some strategies for picking a strong memorable password.  Read through them all, and pick 1 or 2 that will work for you.

1. Plan ahead

Have a strategy for picking passwords that you can use across many systems.  That way when you go to a new system that asks you to pick a password, you can apply your strategy rather than having to rack your brain for a new password.

2. Take your time

Taking 60 seconds to think about a great password you will remember, rather than typing the first thing that pops into your brain, will pay dividends.  Apply your strategy and pick something you will be happy with.

The next 3 get you to stop thinking in terms of a pass-word.

3. Think in terms of a pass-phrase.  

It could be a line from a song, a poem, a story, anything, but of course you will modify it by adding punctuation, truncating the sentence or swapping in a word you like better, like:

  • "The dish ran away with the poon"  

  • "I'm dreaming of a white Xmas"

  • "AllIwantforChristmasismy2frontteeth!"  

  • "Thyme4Golf!"

  • "4getaboutit!"

  • "NowwhatwasmypasswordCharlie?"


4. Think in terms of a pattern.  

A very popular pattern is to apply a prefix, a root, and a suffix to your passwords.  Here is my version of "the pattern":

  • The prefix modifies the root, so you might want to relate it to what you are logging into.  If you logged into a system for email, you might use "email" or "Email" or "e-mail" or "E-mail" as a prefix.  

  • A good choice for the root is a non-dictionary / non-name word like "selebrait" (yes exactly, it isn't in a dictionary).

  • The suffix is something you add to your pattern to supply the required "non-letter" characters so that your password is "complex" enough.  Let's choose "$4".

  • For email your password might be "emailselebrait$4"; for AOL it might be "aolselebrait$4"; for gmail it might be "gmailselebrait$4", and so on.


5. Think in terms of a simple puzzle.  

Asking "where am I, who am I, what kind of login is this?" could yield unique results for every login while requiring only a little bit of mental gymnastics.  For a gmail login it might be "gmailGregWebmail".

6. Anticipate being asked to change your password.

So if you have picked out a fabulously strong password that you can remember well, don't let the "prompt to change your password" cause you stress; build a "counter" into your password which you can simply increment.  It might look like:

  • "Sallysellsseashells!1", "Sallysellsseashells!2", "Sallysellsseashells!3"


which is a reasonably complex password you could remember and which would allow you to "survive" the password change without having to think of a new password.  Note, lots of password systems won't let you simply tack on a number (too easy).  So I recommend you resort to one of two ninja password moves I've come to appreciate.  The first is to use a numeric increment, but not on the end:

  • "Sallysells1seashells!", "Sallysells2seashells!", "Sallysells3seashells!" 


Or you could use something other than a number to increment.  If you held down "SHIFT" while pressing the numbers 1-9 you would see "!@#$%^&*(", so using our Sally example again it might look like this:

  • "Sallysellsseashells!!", "Sallysellsseashells!@", "Sallysellsseashells!#" 


Or you could substitute letters for numbers along the lines of A=1 B=2, or Q=1 W=2 E=3 (look at your keyboard to understand why I'm choosing those letters).

7. Use your muscle memory.  

What do the following 4 passwords have in common?

  • ajskdlf;

  • quwieorp

  • zmx,c.v/

  • 17283940


OK, that last one should have given it away.  The fingers type the same sequence in a different row of the keyboard.  By mixing up the rows and columns on your keyboard you could easily come up with dozens of "muscle memory passwords" that feel the same to your fingers but would leave a potential hacker scratching his head.  NOTE: Left to right rows of keys like "qwerty" and "asdfg" are REALLY bad passwords.

8. Test your password strength.

Not sure if you picked something strong enough?  You could always try typing it into the Microsoft password checker: http://www.microsoft.com/protect/yourself/password/checker.mspx  If you are a bit paranoid like me you won't like the idea of typing your password into a webpage, but don't worry: Microsoft assures you that the password is checked and validated on your computer and is not sent over the Internet.
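As an added example (not from the original post), here is a small local checker that ties strategies 7 and 8 together: it maps each key to its column on a US QWERTY keyboard to confirm that the four passwords above are the same finger movement, flags single-row keyboard walks like "qwerty", and runs a basic length / character-class check that never sends the password anywhere. The QWERTY row layout and the 12-character minimum are assumptions.

```python
# US QWERTY rows, left to right (assumed layout). A key's index in its
# row is the "column" the finger reaches for, which is what strategy 7
# relies on: the same column sequence feels identical on any row.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS)
           for c, ch in enumerate(row)}


def finger_pattern(password):
    """Column sequence the password traces, or None if any character is
    off the four main rows (shifted symbols, accented letters, ...)."""
    pos = [KEY_POS.get(ch) for ch in password.lower()]
    return None if None in pos else [c for _, c in pos]


def same_finger_pattern(a, b):
    """True when a and b are the same finger movement on different rows,
    e.g. 'ajskdlf;' and 'quwieorp' from the post."""
    pa, pb = finger_pattern(a), finger_pattern(b)
    return pa is not None and pa == pb


def has_keyboard_walk(password, min_len=4):
    """True if at least min_len adjacent characters are neighbouring keys
    on one row ('qwerty', 'asdfg'); the post calls these really bad."""
    pos = [KEY_POS.get(ch) for ch in password.lower()]
    run = 1
    for prev, cur in zip(pos, pos[1:]):
        if prev and cur and prev[0] == cur[0] and abs(cur[1] - prev[1]) == 1:
            run += 1
            if run >= min_len:
                return True
        else:
            run = 1
    return False


def password_issues(password, min_len=12):
    """Local policy check in the spirit of strategy 8: nothing leaves the
    machine. Returns a list of problems; an empty list means it passed."""
    issues = []
    if len(password) < min_len:
        issues.append("shorter than %d characters" % min_len)
    classes = [any(f(c) for c in password) for f in
               (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())]
    if sum(classes) < 3:
        issues.append("uses fewer than 3 character classes")
    if has_keyboard_walk(password):
        issues.append("contains a keyboard walk like 'qwerty'")
    return issues
```

Run `password_issues("Sallysellsseashells!1")` to see the post's counter password pass cleanly, and `password_issues("qwerty")` to see all three checks fire.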

9. (Guys only) Write all your passwords down on paper in your wallet.

We are talking about the wallet that never leaves your front pocket.  If you lose your wallet, treat your passwords like your credit cards and get them all changed.  (Ladies, nothing personal here, but the purse left slung over a chair in your office is nowhere near as safe as the wallet located in a guy's pocket.)  Guys, if you don't trust the people living in your house this might be a poor choice.

10. Use password safe software

Password safe software can hold all of your passwords.  These tools use a master password to encrypt all of your passwords.  If it falls into the wrong hands it is useless to the bad guys, but in your hands it can help you remember not only passwords, but also usernames, URLs for logging in and other details you record with the entry in a searchable "password database".  I recommend KeePass, which I've discussed previously.

Hopefully these 10 strategies for choosing a secure password you can remember will lower your password stress, raise the strength of your passwords, and save you some time chatting with the nice guys at your company's IT support desk.

Cheers,

Greg.
