Friday, 20 January 2012

How-to: Generate Good Passwords

Everyone thinks their on-line passwords are uncrackable. The bad news is that most plain text, alpha-numeric passwords don't last more than a few minutes under a brute-force, 'dictionary' attack.

More complex passwords, including letter-number substitution, such as passw0rd (with the O replaced with zero) are so-called 'leet-speak' passwords. These are no longer secure either and are starting to show up in dictionary attacks.

So you have to get a bit more creative for 2012.

The rocket scientists over at NASA created a set of best password practices to help protect their data, they include:
  • It should contain at least eight characters
  • It should contain a mix of four different types of characters - upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;" If there is only one letter or special character, it should not be either the first or last character in the password.
  • It should not be a name, a slang word, or any word in the dictionary.
  • It should not include any part of your name or your e-mail address.
The problem with following that advice is that you create passwords that are impossible to remember. There are a few workarounds to create password mnemnonics that are easier to recall.

Security guru Bruce Schneir suggests turning a sentence into a password. For example, "Now I lay me down to sleep" might become nilmDOWN2s, a 10-character password that defies dictionary attack, so a hacker needs to resort to brute-force.

Developer and podcaster Steve Gibson of GRC.com and Security Now podcast suggests lengthening and obscuring passwords with punctuation characters. For example inserting a string of , or . into your passwords breaks up any pattern of alpha-numerics, again defying dictionary attack, and lengthening the pass string so that brute-force attacks take significantly longer.

Try to use a different password on every service, but if you can't do that, at least develop a set of passwords that you use at different sites.

This will make you more secure on-line (so long as you don't keep your master password list somewhere on-line. If you need to write them down, then do; but keep the list somewhere secure and don't put more than a hint next to it - don't list the account names. RC