Perfecting Your Password Policy
By Ian Scott
“I need to remember my password, so I keep it simple and easy,” I’ve heard many folk say. “I’ve been told to never write it down, so it has to be memorable.”
Just about anyone who uses a computer these days has had to create a password for something at some point. Whether it’s a password for their user account on their PC or a password for a website bulletin board, password requirements are ubiquitous.
How should one select a password? How secure is “secure?” And is it true you should never write your password(s) down?
Traditionally, a password is a series of letters, numbers and symbols between 6 and 8 characters long. A pass phrase exists for a similar purpose but is not the same thing as a password: pass phrases are usually several times longer than a password and are generally considered more secure. Many applications will not accept a pass phrase, though, and we’re often asked for a password between 6 and 8 characters long.
How Secure Should My Password Be?
This question is kind of like asking how much you should spend on a lock to secure something. What are you securing, and how valuable to you is it? When passwords are required, we are usually securing some userspace and data. And it’s my opinion that not all such userspaces or data need strong protection. For example, if I set up an account on a website with a bulletin board where I’m unlikely to ever post again, I’m generally not too concerned about the strength of the password I’m creating. If that website, however, stores some of my personal information, then I very well may be more concerned about the strength of my password.
The value that you place on the data or userspace you are protecting should determine the strength of the password that you use. However, you should also be aware that you may be undervaluing the data that you are protecting. For example, I have conversations with many people who say things like, “Well, I’ve got nothing to hide so if someone breaks into my email account, they are not going to get much information about me.”
Be very careful about thinking like this! An intruder into your email account may get enough information about you, your plans, travel arrangements, etc., to know a good time to break into your house, for example.
At the same time, risk analysis can be applied: perhaps to you the risk of something like this occurring is minimal, as you’ve got nothing in your house to steal anyhow. Personally, I’d like to see more people using PGP and/or GPG for their email communications, which offer almost ironclad protection against email snoopers. I say “almost ironclad” as nothing is guaranteed: if your private PGP/GPG key is compromised and your passphrase is weak, it may still be possible for someone to decrypt your communications.
How Secure is Secure?
Many people choose passwords based on their pet’s name, the name of their spouse, their maiden name, or some favorite word. These types of passwords offer no security whatsoever. An 8-letter word out of the dictionary could be compromised within seconds by an intruder using a “dictionary attack” on your account. Password-cracking software exists that loads word lists (dictionaries, plus lists of first and last names) and attempts to break into an account by trying every word on those lists against a username.
Perhaps one of the better-known password crackers is “John The Ripper,” which offers several different methods of password cracking, and those who use it (there are legitimate uses for password cracking) say that it is very fast, especially on weak passwords.
For better security, it is best to choose a combination of letters (upper and lower case), numbers and symbols such as the exclamation mark (!) in a password.
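As an added illustration (not from the original article) of the advice in this section, here is a small Python policy checker that rejects dictionary words and common names even when they are disguised with digit-for-letter substitutions, and estimates the brute-force search space from the character classes used. The word list, substitution table and thresholds are constructed for the example.

```python
import math
import re
import string

# Constructed mini word list standing in for the dictionary and name lists
# a cracker would load; a real check would read a full dictionary file.
COMMON_WORDS = {"password", "welcome", "sunshine", "princess", "charlie",
                "michael", "jennifer", "dragon", "football", "baseball"}

# Common "leet" substitutions, so P@ssw0rd is still recognised as password.
LEET = str.maketrans("0134$@!", "oleasai")

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
CLASS_SIZES = (26, 26, 10, 33)  # 33 printable ASCII symbols


def normalize(pw: str) -> str:
    """Strip digits/symbols tacked onto the ends, then undo leet substitutions,
    so 'Ch@rlie1!' reduces to the name 'charlie'."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, from the classes used."""
    return sum(size for pat, size in zip(CLASS_PATTERNS, CLASS_SIZES)
               if re.search(pat, pw))


def brute_force_bits(pw: str) -> float:
    """log2 of the brute-force search space, i.e. log2(charset ** length)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def check_policy(pw: str, min_len: int = 8, min_bits: float = 40.0) -> list:
    """Return the reasons a password fails the policy; an empty list passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if normalize(pw) in COMMON_WORDS:
        problems.append("dictionary word or common name (a dictionary attack finds it in seconds)")
    classes = sum(bool(re.search(pat, pw)) for pat in CLASS_PATTERNS)
    if classes < 3:
        problems.append("uses fewer than three of: upper, lower, digit, symbol")
    if brute_force_bits(pw) < min_bits:
        problems.append(f"brute-force search space below 2^{min_bits:.0f}")
    return problems


if __name__ == "__main__":
    for candidate in ("charlie", "Ch@rlie1!", "kv7#Qx2!Lp"):
        print(candidate, "->", check_policy(candidate) or "OK")
```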
Should I Write My Password Down?
You will find a lot of debate about this question, and in reality the answer depends. If the data you are storing is such that you’d never want anyone to come across it, or to decrypt it even after you’re dead, you should seriously consider GPG or PGP to encrypt your files and email (and then use an email application that stores the emails encrypted after you’ve decrypted, read and closed them).
Some organizations have a policy that if you are using their systems, you are required to commit your password to memory and never write it down on paper. I don’t agree entirely with this policy and believe that there are legitimate reasons for writing down your password and then keeping that password in a safe place.
What legitimate reasons could there be for writing down a password?
I administer a number of different servers and I have passwords to them all. There is no way I could remember all of the passwords I need to get my work done. I therefore store these passwords in a file that is then encrypted using GPG.
Others have written out their passwords or passphrases on paper and store them in a safety deposit box. Should illness, accident, or death occur and someone needs access to some information or some userspace, then the password or passphrase can be retrieved under those circumstances by another person designated by the individual to do so.
If you decide that you need to write your password(s) or passphrase(s) down in order to use them, you should think carefully about where and how you will store that information, and who, if anyone, should have access to it should the need ever arise.
Other Password Considerations:
Try to refrain from using the same password wherever you are asked to create a password. If that password does get cracked, it will be quite easy for the cracker to get into anything else that you’re trying to protect.
Consider changing your important passwords on a regular basis. If someone has cracked your password and you change it on a monthly basis, they will have access only for as long as that cracked password remains in use.
If you have multiple passwords, consider using an application like “Password Safe” for Windows or, if on a Linux system, the KDE Wallet. Both store passwords in an encrypted state and require you to remember only a single password in order to have access to all of your passwords.