Choose A Secure Password

From Postmaster Administration Wiki

Picking a good password is not an easy chore. There has to be a balance between complexity and ease of remembering. Here are a handful of guidelines for making a password:

Use a mix of upper and lower case letters, digits, and punctuation.

The more varied the characters in the password are, the stronger it will be and the harder for a human to guess. A computer, on the other hand, can churn through character combinations very, very quickly.

It's a little clichéd, but the longer, the better.

Computers constantly improve in performance and as a result can brute-force guess passwords more quickly. What might have been a strong eight-letter password in 1995 is a weak password in 2013. The English alphabet only has 26 letters, so an eight-letter password has only 26^8 = 208 827 064 576 combinations, which a computer can brute-force almost instantly. If you allow upper and lower case English letters, an eight-letter password has 52^8 = 53 459 728 531 456 combinations; while harder for a human to guess, a computer can do it in seconds. A US English QWERTY keyboard has only 96 printable characters, so an eight-character password can have 96^8 = 7 213 895 789 838 336 combinations, which can be cracked in about a day.

What makes the difference in password strength is the password length, the longer the better, since each extra character multiplies the number of combinations and so increases the time it takes a computer to brute-force the password. A 16-character password would take about 600 years.

Avoid using dictionary words.

Using passwords consisting of one or more English dictionary words is a bad idea. Many password-guessing heuristics use a dictionary of popular words and phrases. If you do use words, mix up the case of letters and replace some letters with numbers or punctuation: for example "i" with "!", "o" with "0" (zero) or "*", "E" with "3"; replace single letters with double letters and vice versa, etc. Many of these substitutions are also accounted for in password attack algorithms, so remember "it's the length that counts".
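The arithmetic in the two sections above, worked through as an added example that is not part of the wiki page: it computes the article's keyspaces (26, 52 and 96 symbols), converts them to worst-case cracking time at an assumed guess rate (the 1e11 guesses/s figure and the substitution table are constructed for the example, not taken from the article), and counts how little a "p@ssw0rd"-style substitution really adds compared with length.

```python
# Added example (not from the wiki): how keyspace, guess rate and password
# length interact, using the article's alphabet sizes (26, 52, 96).
import math

ALPHABET_SIZES = {"lowercase": 26, "mixed case": 52, "US printable": 96}

# Constructed assumption: an attacker trying 1e11 guesses/s on an offline cracking rig.
ASSUMED_GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 86400

# Constructed sample of the article's substitutions ("i" -> "!", "o" -> "0"/"*", "E" -> "3").
SUBSTITUTIONS = {"i": "!1", "o": "0*", "e": "3", "a": "@4", "s": "$5"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this shape at a constant guess rate."""
    return keyspace(alphabet_size, length) / rate


def length_for_target(alphabet_size: int, target_seconds: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> int:
    """Smallest length whose full keyspace takes at least `target_seconds` to exhaust."""
    return math.ceil(math.log(target_seconds * rate) / math.log(alphabet_size))


def substitution_variants(word: str) -> int:
    """Spellings a cracker's mangling rules must try to cover every per-letter case
    flip and substitution of `word`; this is all that 'p@ssw0rd'-style tweaks add."""
    total = 1
    for ch in word.lower():
        options = 2 if ch.isalpha() else 1          # lower or upper case
        options += len(SUBSTITUTIONS.get(ch, ""))   # plus each substitute symbol
        total *= options
    return total


if __name__ == "__main__":
    for name, size in ALPHABET_SIZES.items():
        for length in (8, 12, 16):
            years = seconds_to_exhaust(size, length) / SECONDS_PER_YEAR
            print(f"{name:12s} len={length:2d} keyspace={keyspace(size, length):.3e} ~{years:.3g} years")
    print("length needed for 600 years at 96 symbols:", length_for_target(96, 600 * SECONDS_PER_YEAR))
    # A 100k-word dictionary with every mangling of 'password' is still far below 26^8.
    variants = substitution_variants("password")
    print("variants of 'password':", variants, "-> dictionary*variants:", 100_000 * variants,
          "vs 26^8 =", keyspace(26, 8))
```

The last line of output is the point of the "avoid dictionary words" section: a whole dictionary with every case flip and substitution applied is still orders of magnitude smaller than the keyspace of eight random lowercase letters.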

Avoid accented letters in passwords if you travel abroad. Use them if you don't.

Keyboards with accented characters and/or special punctuation characters are great for improving the password strength, because they increase the computer alphabet size. However, remember that keyboards vary from language to language, country to country, so if you travel and check your email in a cyber cafe or friend's computer, you might find yourself unable to type the accented characters. However, if you're a hermit and never go anywhere, then knock yourself out.

Password Strength, by XKCD (comic image)
This work, by XKCD, is licensed under a Creative Commons Attribution-NonCommercial 2.5 License.

Use Multiple Passwords

In an ideal world, we would have a different password for every mail account, web site login, alarm keypad, credit card PIN, cell phone PIN, etc. But alas, that just tends to tax our minds so much that we end up leaning to the opposite extreme, which is having only one password for everything. One password for everything is a horrible idea, because if your one password is ever compromised, all your accounts and devices are also compromised.

In reality there is a sensible middle ground, where you remember a handful of different passwords, possibly of different strengths, for specific uses: one strong password for finance; one for personal material like email and personal computer logins; another for social media sites and services like Twitter, Skype and IM clients; and possibly a fourth for web sites that are not critical. It's often a good idea to have a few strong passwords ready – one long alphanumeric password and one short alphanumeric password. The reason is that some services allow any character to be used, others limit passwords to alphanumerics only, and poorer web sites or services restrict password length. So be prepared with a variety of strong passwords to use under any given restrictions.

One method to simplify remembering is to have a common prefix or suffix which you then join with the site's name or domain to form a unique password. For example:

This makes the process of remembering the password easier, but again if it is compromised, the password usage convention will also be compromised.

Some web browsers like Firefox, Chrome, and Opera have special add-ons, like PwdHash, that let you log in using one password, which is then used to generate a unique password for each different web site you visit. This can greatly simplify password management, while maintaining good security.
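The idea behind such add-ons, shown as an added example that is not PwdHash's own algorithm nor code from the wiki: one master secret is combined with the site's domain through an HMAC, so each site receives a distinct password and a breach at one site reveals neither the master secret nor the other sites' passwords. The `length` and `alphabet` parameters are an assumption of this example, included to cover the earlier point that some services cap length or allow only alphanumerics.

```python
# Added example (not PwdHash's own code, and not the wiki's): a simplified
# HMAC-based derivation of per-site passwords from one master secret.
import hashlib
import hmac
import math
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
ALPHANUMERIC = string.ascii_letters + string.digits                     # 62 symbols


def site_password(master: str, domain: str, length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Deterministically derive a per-site password from one master secret.

    The site only ever sees the derived value, so compromising one site's
    password does not expose the master secret or the other sites' passwords.
    Pass the same registrable domain every time (case is normalised here).
    """
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    base = len(alphabet)
    # Enough pseudo-random bits to pick `length` symbols; the extra 64 bits make
    # the leading-digit bias of the base conversion below negligible.
    bits_needed = math.ceil(length * math.log2(base)) + 64
    key = master.encode("utf-8")
    label = domain.strip().lower().encode("utf-8")
    stream = b""
    counter = 0
    while len(stream) * 8 < bits_needed:          # expand with a counter, HKDF-style
        stream += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    n = int.from_bytes(stream, "big")
    out = []
    while len(out) < length:                      # convert the integer to base `base`
        n, idx = divmod(n, base)
        out.append(alphabet[idx])
    return "".join(out)


if __name__ == "__main__":
    master = "correct horse battery staple"       # constructed demo master secret
    for site in ("mail.example.net", "bank.example.org"):
        print(site, site_password(master, site))
    print("alnum-only, 12 chars:", site_password(master, "legacy.example.org", 12, ALPHANUMERIC))
```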

I've Forgotten My Password

For infrequently used sites, create a strong password, possibly semi-random gibberish, and be sure to specify a password recovery email address in your account profile. Any time you need to log in to this seldom-used web site and you can't remember the junk password, simply click the "I've forgotten my password" link to receive a new password or login token by email. This presumes you always have access to your mail account and that it is never compromised.