Sep 14, 2009

Info Security Basics: Complex Passwords

I will soon be teaching a bunch of “Information Security Basics” courses at work, and that gave me the idea for a few blog posts.

So children, today we will learn about Complex Passwords!

Passwords – they are everywhere! Love ’em or hate ’em, you probably use them often, if not daily. Passwords are one of the most basic types of authentication used – your basic Who You Are (user id) combined with What You Know (password).

Do your best to NOT use the same password for everything – your online banking password should not be the same as your Facebook login password. Ideally every password you use would be unique, but realistically that is a nightmare to maintain, so do the best you can. I tend to group in terms of importance/risk:

1) High (e.g. banking) – unique, very complex passwords
2) Medium (e.g. Facebook, Twitter) – unique-ish, complex passwords
3) Low (e.g. web forums) – I have a few passwords I tend to use

Also, don’t use common words or proper names of people/pets. Common words are easily guessed using a dictionary attack, and proper names are easily guessed by doing a bit of research on people.

Most websites give you a “forgot your password?” link if you are having problems. Be careful of the standard security questions they use – the answers tend to be common things that are easily guessed or researched. You know those online quizzes and Facebook “25 things you didn’t know about me” type things? Did you know the name of my first pet was Snowball? Oddly enough that’s also one of the common security questions used when you forget your password!

Basic Rules for Complex Passwords:
  • Minimum of 8 characters
  • Use both upper (A to Z) and lower case (a to z) letters
  • Use numbers (0 to 9)
  • Use at least ONE symbol (e.g. , ! $ & % #)

One of the most common complaints about complex passwords is that they are hard to remember. A good suggestion is to use the first letters from an 8 word (or more) sentence or catch phrase, replacing some letters with numbers or symbols:

“We work hard so you don’t have to” becomes WwH$ydh2
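As an added example (not from the original post), here is a small checker that applies the four rules above and also catches the “common word” problem mentioned earlier, even when letters have been swapped for look-alike digits and symbols. The wordlist and the substitution map are constructed for illustration; a real deployment would load a large dictionary.

```python
import re

# Constructed sample wordlist (lower-case); a real check would use a large dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "snowball", "fluffy"}

# Symbols accepted for the "at least ONE symbol" rule.
SYMBOLS = set(",!$&%#@^*()-_=+[]{};:'\"<>./?\\|~`")

# Constructed map of common look-alike substitutions, so that "P@ssw0rd"
# is still recognised as the dictionary word "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Undo look-alike substitutions and keep only letters, for dictionary matching."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def check_complexity(pw: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        failures.append("no symbol")
    # Dictionary check on the normalized letters (substring match, so a
    # year or punctuation tacked onto a common word does not hide it).
    letters = normalize(pw)
    if any(word in letters for word in COMMON_WORDS):
        failures.append("based on a common word")
    return failures


if __name__ == "__main__":
    for candidate in ("WwH$ydh2", "P@ssw0rd!", "snowball", "Summer2009!"):
        print(candidate, "->", check_complexity(candidate) or ["OK"])
```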

Oh, and one other thing: please don't write your password on the underside of your keyboard, or on a sticky note by your monitor, etc! That sort of thing really makes that vein in my forehead throb...