Advice for Creating Secure Passwords

We’ve all heard the advice before. When picking a password be sure to not choose a word from the dictionary, make sure to use letters, numbers and symbols and never use the same password for multiple items.


All in all, it’s good advice, but the realities of the Web are much more complicated than that. If we could all remember a string of garbled text for every site we visit, our online lives would likely be much more secure. But as humans we are fallible and, as such, we forget, we take shortcuts and we inadvertently create worse security problems.

The truth is that most “hacks” that take place on blogs and any personal account are not caused by any software vulnerability, but through either password guessing or phishing. As such, the best security step anyone can take is to ensure that you have strong passwords and that you guard them closely.

But that is something much easier said than done. So here are some practical suggestions for creating strong passwords and making them stick.

Build a Good Password

The key to building a good password is to start with something you know and build off of it. For example, start with the word “orange” in the example below and then munge it to add extra security:

  1. Base Word: orange
  2. Add Numbers: o7ran3ge
  3. Add Capitalization: O7ran3Ge
  4. Add Symbols: O7r+n3G=

The above password, according to Microsoft’s Password Checker is “Strong” and can be easily made “Best” by adding six additional characters, perhaps by including another word. However, since not all sites or services allow more than 8-10 characters in their passwords, it is important to start with a shorter one that is secure and expand it if desired.

This creates a password that, with very little effort, can be memorized and reused while still being very secure. Passwords created this way are not perfect, because they are not completely random, but they are more secure than jotting down passwords or having to routinely use “forgotten password” features on sites.
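To make the step-by-step gain concrete, here is an added example (not code from the original post, and not Microsoft's Password Checker, whose rules are not on the page) that rates each stage of the “orange” walkthrough with a simple, assumed rubric: password length plus the number of character classes present (lowercase, uppercase, digits, symbols). The thresholds of 8 and 14 characters are assumptions chosen to match the post's observation that the 8-character result rates “Strong” and six more characters lift it to “Best”.

```python
# Added example: a rule-based strength rubric of the kind simple online
# checkers use. The categories and thresholds are assumptions made for this
# illustration, not the algorithm of any particular checker.


def character_classes(password: str) -> set:
    """Return the set of character classes that appear in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def rate_password(password: str) -> str:
    """Rate by length and class count (assumed rubric: 8+ chars needed at all,
    14+ chars with all four classes for the top rating)."""
    length = len(password)
    classes = len(character_classes(password))
    if length < 8 or classes < 2:
        return "Weak"
    if classes == 2:
        return "Medium"
    if classes == 4 and length >= 14:
        return "Best"
    return "Strong"


def rate_stages(stages):
    """Rate every stage of a munging walkthrough, in order."""
    return [(pw, rate_password(pw)) for pw in stages]


# Constructed input: the post's own four stages, plus a 14-character extension
# built by appending a second word (the extra word is an assumption).
ORANGE_STAGES = ["orange", "o7ran3ge", "O7ran3Ge", "O7r+n3G=", "O7r+n3G=Banana"]

if __name__ == "__main__":
    for pw, rating in rate_stages(ORANGE_STAGES):
        print(f"{pw:16} {rating}")
```

Running it shows the base word rated Weak, each munging step adding a character class, and only the lengthened final form reaching Best; the rubric deliberately says nothing about whether a password is derived from a dictionary word, which is why the post calls these passwords “not perfect”.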

Create Different Passwords

Once you’ve created a highly secure password, it is important to create variations of it. The reason is two-fold. First, using the same password on multiple sites creates a security risk. Second, even if you are comfortable using your password at multiple locations, not all sites will allow you to use symbols or capitalization in your password, essentially forcing you to pick a weaker password.

There are two easy ways to do this. The first is having different levels of security for the sites you visit. For example, your banking account should have the highest level of security, meaning the final password, but a forum you join might not be as important, so you could use one of the weaker passwords, such as “O7ran3Ge”. However, it is important to change it so that someone with that password could not make a guess at your more secure one, so you may choose “OranGe73” instead to keep it memorable.

You can also have a “throw away” password for sites you do not trust and do not plan to give any important information to, such as a blog you are visiting just once. These passwords can be very insecure but still should not be easily guessable. For these, a pet’s name or a pattern of keys on the keyboard may make sense.

Variations on a Theme

An even more secure suggestion for creating multiple passwords is to base each password on the site you are visiting. For example, if you were to log into this site, you might begin with the first four letters in the domain.

  1. Base characters: blog
  2. Shift the Letters One Left on the Keyboard: vkif
  3. Add Numbers: 1vkif3
  4. Add Capitalization: 1VkIf3
  5. Add Symbols: 1V+kIf3%

If you can remember the pattern of how the password is created, you can easily create custom passwords for every site you register for, and no two sites will have the same password (unless they have a similar domain). Best of all, the system degrades well. If a site doesn’t allow non-alphanumeric characters, you stop at the third step.
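The per-site scheme above is mechanical enough to write down as code. The following is an added example, not code from the original post: it applies the five steps to the first four letters of a domain and, when a site disallows symbols, stops after the third step as the post suggests. The keyboard rows assume a US QWERTY layout, the leftmost key in a row is assumed to wrap to the right end of that row (the post does not say what “one left” of q, a or z is), and the exact positions of the inserted digits, capitals and symbols are assumptions fixed to reproduce the post's “1V+kIf3%” result.

```python
# Added example: derive a site-specific password with the post's five steps.
# Layout, wrap-around rule and insertion positions are assumptions.

QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Map each letter to the key one position to its left; index -1 wraps the
# leftmost key to the end of its row.
SHIFT_LEFT = {}
for row in QWERTY_ROWS:
    for i, ch in enumerate(row):
        SHIFT_LEFT[ch] = row[i - 1]


def shift_left(text: str) -> str:
    """Step 2: replace every letter with the key one to its left."""
    return "".join(SHIFT_LEFT.get(ch, ch) for ch in text.lower())


def base_letters(domain: str, count: int = 4) -> str:
    """Step 1: the first `count` letters of the domain, ignoring dots and digits."""
    letters = [ch for ch in domain.lower() if ch.isalpha()]
    if len(letters) < count:
        raise ValueError(f"need at least {count} letters in {domain!r}")
    return "".join(letters[:count])


def derive_password(domain: str, allow_symbols: bool = True) -> str:
    """Apply the five steps; with allow_symbols=False stop after step 3
    (the post's 'degrades well' behaviour), keeping the capitalization.

    Note: domains sharing their first four letters produce the same password,
    exactly as the post warns for similar domains.
    """
    shifted = shift_left(base_letters(domain))            # step 2: blog -> vkif
    numbered = "1" + shifted + "3"                        # step 3: 1vkif3
    # step 4: capitalize the first and third shifted letters -> 1VkIf3
    capitalized = (numbered[0] + numbered[1].upper() + numbered[2]
                   + numbered[3].upper() + numbered[4:])
    if not allow_symbols:
        return capitalized
    # step 5: '+' after the first capital, '%' at the end -> 1V+kIf3%
    return capitalized[:2] + "+" + capitalized[2:] + "%"


if __name__ == "__main__":
    # Constructed inputs: the post's example plus a placeholder domain.
    for site in ["blog", "example.com"]:
        print(site, derive_password(site), derive_password(site, allow_symbols=False))
```

Because every letter of the output is determined by the domain and a fixed set of insertions, anyone who learns the pattern can reproduce passwords for other sites; the scheme trades that risk for the memorability the post is after, which is the "small price" it mentions.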

The problem with this system is that it might slow you down, especially on sites you don’t visit a great deal as you will have to work backwards to “figure out” the password rather than simply remember it. Still, it may be a small price to pay for security.

Add a Second Layer

However, even better than building a better password is adding a second layer of authentication. This adds a layer of protection beyond what you can remember (or figure out) and connects your accounts with something that you have on your person. This also adds a layer of protection should your password be phished or otherwise stolen.

A good example of this is the PayPal Security Key. This allows you to choose between either using a keychain, which displays a series of six ever-changing numbers, or receiving text messages on your cell phone.

You can also use the keychain with Verisign’s Personal Identity Provider (PIP) service. This lets you log into sites that accept OpenID. This includes an increasingly large number of sites. You can even install a WordPress plugin that allows you to login with your OpenID, thus letting you use your keychain with your own site.

However, there are many systems that allow you to have two factors of authentication and many banks require one of them. Which factor you choose will ultimately come down to what your current service accepts, as frustrating as that is.

Bottom Line

In the end, there’s no magic bullet to good password protection. You just have to use solid, easy-to-remember passwords and be careful who you give them out to. Be smart with your passwords, practice good security on your computer and you will likely be fine.

One final suggestion for those who want the most secure passwords possible: take a look at the Perfect Passwords system at GRC.com and, while you’re at the site, check out the Security Now! podcast, which is a great resource for security-related issues. It is also where many of these suggestions came from.

However, passwords aren’t rocket science, they just take a little bit of planning and a willingness to trade convenience for security, at least a little bit.


Posted By: KirubaKaran
Microsoft Certified Professional