Making Passwords That Are Easy for You to Remember but Difficult for Others to Guess
06/29/2015
A password should be something that only you know, so that presenting it proves your identity. But if your password is easy for others to guess, they can present it and "prove" that they are you. Longer, more complex passwords are harder for others to guess, but they can be hard for you to remember. Writing them on a Post-it note stuck under your keyboard is not safe. Neither is putting them in a Word or Excel document (even if the document itself is password-protected). So here is a trick for making passwords that are easy for you to remember but difficult for others to guess.
Easy-to-guess words
Any word in a dictionary, your name (or part of your name), your address, and your phone number are all easily guessed. Lists of the year's most common passwords are published every year. I have seen brute-force break-in attempts at multiple customer sites where the hacker was trying several common user names (such as administrator, admin, root, manager, supervisor, Ann, Bill, Charles, etc.) and thousands of passwords. These are called "dictionary attacks": a computer tries every password in its dictionary, and the dictionary is probably ordered by popularity, so the most common passwords are tried first. Computers are good at guessing by brute force because they can make a great many attempts in a short period of time.
Complex words
To get away from dictionary attacks, the password needs to be complex: a combination of upper-case letters, lower-case letters, numbers, and special characters. People tried making passwords by substituting symbols for some of the letters in a common word. For example, a password might be Tr0ub4dor (that is a zero as the third character). But such passwords can be difficult for you to remember: "Let me see, was it Trombone? No, Troubadour. I know there was a zero for one of the characters and one was a capital, but I don't remember which ones." And I have bad news for you: the hackers are aware of these character substitutions and have loaded their dictionaries with them (password-cracking tools apply "mangling rules" that generate the symbol-for-letter variants of every dictionary word automatically). We succeeded in making passwords that are hard for you to remember but easy for computers to guess.
Passphrase
A better way to make a password is to make it a passphrase. Think of a phrase that is easy for you to remember but would be difficult for someone else to guess. It should have at least eight words (twelve or more is better). For example, the phrase might be "I like to go to the beach every Friday."

From the phrase, take the first letter of each word to make the password, using letters, numbers, and special characters to represent the words in the phrase. So the password becomes "Il2g2tb@F." (without the quotes). It keeps the phrase's capitalization (this example starts with a capital I, then a lower-case L, and has a capital F for Friday), so it has upper-case and lower-case letters. It uses digits and symbols to stand in for words with a similar sound or meaning (each "to" becomes a 2), and it keeps the sentence's punctuation (the final period). So it is complex, but easier for you to remember. It is not anything in a dictionary and not a common password. Note that the password gets only one character per word (plus the punctuation), which is why the phrase should be long: the nine-word phrase above yields a ten-character password.

Even if someone got a glance at it, it looks like total gobbledygook, so it would be very difficult for them to remember without knowing the phrase it comes from. It will be easy for you to remember because each character has a meaning.
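Both halves of the argument above, as an added worked example (this is editor-written code, not the article's): the attacker's dictionary expansion that makes Tr0ub4dor an easy guess, and the article's passphrase recipe that produces Il2g2tb@F. from its example phrase. The substitution table, the sound-alike table and the tiny word list are constructed for illustration; the mapping of "every" to "@" is assumed so that the article's own example reproduces. Python is used because the article names no particular tool.

```python
import itertools
import string

# --- Attacker side: how a cracking dictionary gets "loaded with substitutions" ---

# Illustrative subset of the letter-to-symbol swaps a cracker's mangling rules
# apply (constructed; real rule sets are far larger).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"}


def mangle(word):
    """Yield every distinct capitalization/substitution variant of one word.

    Each substitutable letter is independently kept or swapped, so a word with
    k substitutable letters gives up to 2**k variants, doubled for the
    capitalized form. 'troubador' has three (o, a, o), so it yields 16
    candidates, one of which is Tr0ub4dor.
    """
    word = word.lower()
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    seen = set()
    for base in (word, word.capitalize()):
        for mask in itertools.product((False, True), repeat=len(positions)):
            chars = list(base)
            for swap, i in zip(mask, positions):
                if swap:
                    chars[i] = LEET[word[i]]
            variant = "".join(chars)
            if variant not in seen:  # a swapped first letter looks the same from both bases
                seen.add(variant)
                yield variant


def build_attack_dictionary(words):
    """Expand a plain word list into the set of candidates a cracker would try."""
    return {variant for w in words for variant in mangle(w)}


# --- Author side: the passphrase recipe from the article ---

# Words that sound like (or mean) a digit or symbol are replaced by it.
# The 'every' -> '@' entry is an assumption taken from the article's example.
SOUND_ALIKE = {
    "to": "2", "too": "2", "two": "2",
    "for": "4", "four": "4",
    "and": "&", "at": "@", "every": "@",
}


def passphrase_to_password(phrase, symbol_map=SOUND_ALIKE):
    """One character per word, keeping each word's original capitalization
    and any trailing sentence punctuation ("Friday." contributes "F.")."""
    out = []
    for token in phrase.split():
        word = token.rstrip(string.punctuation)
        punct = token[len(word):]
        if word:
            out.append(symbol_map.get(word.lower(), word[0]))
        out.append(punct)
    return "".join(out)


def password_character_classes(password):
    """Which of the four character classes the password contains."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


# Constructed word list standing in for a cracker's dictionary.
WORDLIST = ["troubador", "password", "beach", "friday"]

if __name__ == "__main__":
    candidates = build_attack_dictionary(WORDLIST)
    print(len(candidates), "candidates from", len(WORDLIST), "words")
    print("Tr0ub4dor guessed:", "Tr0ub4dor" in candidates)
    pw = passphrase_to_password("I like to go to the beach every Friday.")
    print(pw, password_character_classes(pw), "guessed:", pw in candidates)
```

Four dictionary words expand to 64 candidates with this small substitution table alone, and Tr0ub4dor is among them, which is the article's point: the substitution buys nothing against a cracker. The passphrase-derived password is not reachable by mangling any single word, and it hits all four character classes, but it is still only ten characters long, so the phrase length the article recommends matters.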
OK, typing it will be like dialing one of those phone numbers that spell something (like 1-800-get out of jail): you have to think of each word one at a time and find the character for it. People hate those phone numbers. So why do companies keep using them in advertising (and paying a premium every month for the number)? Because they are easy to remember. (Are you going to remember 1-800-438-6885?) Yes, typing the password will be a pain, but only for a while. Through repetition, you will soon develop "muscle memory", and your fingers will type the password without much thinking.
Professional Services
If you need assistance with a security assessment, IT Professional Services can help. Please contact us.
Find out more about our Managed Care service.
To find out how vulnerable your network is, schedule a free network security analysis today.