Passwords in a Nutshell

My Password is "Password"

There's kind of an art to picking a password. It has to be strong enough so that it’s hard to guess, but it should also be easy to use. You have to balance security and convenience, and there’s a whole bunch of factors that can affect this (for example, if you have a registered account to a free site that contains no personal information, then convenience would probably take precedence over security).

What's a Good Password?

Let's look at the basics...let's assume that the information that you're trying to protect is pretty important. A good password should definitely not be a regular dictionary word—that's way too easy to guess. A computer can just run through a dictionary of words and/or permutations of those words to get the password. The other extreme is just having a bunch of random characters. Although it will be more difficult for a computer to figure it out, there's a good chance that the user will forget it or just write it on a post-it note. Random passwords tend to turn off users.

An Attack!

Here's a quick example of how a dictionary based password attack would work. Basically you just read through a text file and try that login and password combination on the authentication system that you're trying to get by. It's surprisingly easy to implement something like this.

Some Contingents

On the user end, simply use a stronger password. Don't use a dictionary based password. Replace alphanumeric characters with punctuation. There is still some danger in this, however. If there is a standard or common way of substituting characters with punctuation, it would be easy to build another dictionary for such words. Pass phrases are another way of making your password difficult to guess. Instead of using just up to 8 characters, try using sentences/phrases. The longer the string, the more computational power has to be thrown at the authentication scheme to get the password. If the password authentication scheme doesn't allow for 8+ characters, try using the first letter of every word in your pass phrase (like an acronym)... or every first 2 letters... or every last letter. Again, I'm sure there are certain ways around this (maybe using dictionary words as building blocks for phrases, using "phrase dictionaries", etc.) or at least if not now, then in the future. However, for now, these seem like reasonably good ways of creating a password.

There is definitely a lot that can be done on the developer/admin end as well (luckily, a lot of these are implemented in some form or another in many systems). One could potentially get away with a weak password if the system only allows a limited number of failed authentication attempts before locking that user out and warning the administrator. Developers could allow for longer passwords thereby allowing pass phrases. Also, mandatory password changes, though potentially a huge inconvenience, may also help thwart password hacking attempts.
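As an added illustration of the lockout idea above (this is not code from the original post): a sliding-window counter of failed logins per account that locks the account after too many failures and queues a warning for the administrator, replayed over a constructed login log. The log format, the five-failure threshold and the fifteen-minute window are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
MAX_FAILURES = 5                 # failures allowed inside the window before lockout (assumed)
WINDOW = timedelta(minutes=15)   # sliding window in which failures are counted (assumed)
class LoginGuard:
    """Counts failed logins per account and locks the account after too many."""
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures, self.window = max_failures, window
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked = {}                     # user -> time the lock was applied
        self.alerts = []                     # messages that would go to the administrator

    def attempt(self, user, ok, ts):
        """Record one attempt; returns 'locked', 'ok' or 'fail'."""
        if user in self.locked:
            return "locked"                  # even a correct password is refused now
        recent = self.failures[user]
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # forget failures that fell out of the window
        if ok:
            recent.clear()                   # a real user who finally got it right starts clean
            return "ok"
        recent.append(ts)
        if len(recent) >= self.max_failures:
            self.locked[user] = ts
            self.alerts.append(f"{ts:%H:%M:%S} {user} locked after {len(recent)} failures")
        return "fail"

# Constructed sample log: one typo by bob, then a guessing run against alice.
SAMPLE_LOG = """\
10:00:01 user=bob result=FAIL
10:00:09 user=bob result=OK
10:00:10 user=alice result=FAIL
10:00:11 user=alice result=FAIL
10:00:12 user=alice result=FAIL
10:00:13 user=alice result=FAIL
10:00:14 user=alice result=FAIL
10:00:15 user=alice result=OK
"""

def replay(log_text, guard=None):
    """Feed "<HH:MM:SS> user=<name> result=<OK|FAIL>" lines through the guard."""
    guard = guard or LoginGuard()
    outcomes = []
    for line in log_text.splitlines():
        time_s, user_f, result_f = line.split()
        ts = datetime.strptime(time_s, "%H:%M:%S")
        user, result = (f.split("=", 1)[1] for f in (user_f, result_f))
        outcomes.append(guard.attempt(user, result == "OK", ts))
    return outcomes, guard
```

Replaying SAMPLE_LOG locks alice on her fifth failure, so the correct password that arrives one second later is refused, while bob's single slip is forgotten once he logs in.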

Resources