One of the most important topics in security is creating good passwords.
OK, what is a “good” password?
- A password that is EASY for the user to remember.
- A password that is DIFFICULT for someone else to guess.
- A password that is DIFFICULT for someone to hack by trial and error, “dictionary lookup”, reverse-engineer, or whatever.
The problem is that - for most people - “easily remembered” passwords are based on common words - your wife’s name, your pet’s name, your grandkids name, your anniversary date, etc.
This is a problem because most - if not all - of these words are easily suceptable to being hacked fairly easily. Computers are fast, and “the bad guys” have sophisticated password hacking programs that love to eat these simple passwords for lunch!
OK, that would seem to leave us with passwords like “JUNK@45&1!zz” - not so easy to hack, but even more difficult to remember.
If a password is so wierd that users write them down on sticky-notes and paste them to their monitors, that password STINKS!.
So, what’s a good password?
- It should be (at least) 8 characters in length.
- It should contain both capital and lower-case letters
- It should contain one or more digits (numbers)
- It should contain one or more special characters (things like &%#@! - and so on)
- It should NOT contain words that can be easily “looked up” - dictionary words.
Items 1-4 are easy to do, but it’s item #5 that really kills us. We remember people’s names very easily, but they’re also easily cracked.
How do we bridge this?
reverse-order (or scramble) the letters of the word you want to use, in a way that is easily reproduced by you, but difficult for someone else to figure out.
“Key-Shift” (this assumes you’re a touch-typeist) You do this by moving your hands up (or down) one row on the keyboard, and then typing as if that were the “home row” - result is (apparent) gibberish that is easily reproduced by you.
(My favorite) - transliterate using a different alphabet:
Example: Let’s assume my wife’s name (in Russian) is Yelena. (not true, but it’s a good example)
In Cyrillic, it would look like this “Елена” (“E” is pronounced “ye”)
In “Latin” characters, I would think of it like this: “E” - “not-v” (upside down “v”), “e”, “h”, “a”
I would then create a password from her name like this: “E!veha”
This is good because
- “Eveha” is not a common “dictionary word”.
- Using the “bang” (!) to represent “not” is a common programmer’s notation, but not common in passwords.
If I add an aditional special character - and some digits - the password is even better. For example, say we were married in 1975, I could create a password like this “E!veha#1975” - which has lots of characters (more than eight), contains upper and lower case letters, numbers, and special characters.
It is also useful because it requires the potential hacker to know more than one piece of information.
(a) The “key words” you’re basing your password on
---- AND ----
(b) The special “encoding” scheme that you’re using to scramble the letters.
If the password has enough characters - you can even add the month you created this password, making it become “E!veha#1975-03”
If your native alphabet is non-latin (hebrew, hindi, thai, cambodian, etc.) you can write the word you’re using as your key in your native alphabet (it doesn’t matter if you write left-to-right, or right to left) - and then look at what you wrote… What latin letters does it look like? Does it look like any special characters? (the Hebrew “aleph” may look to some like an “x”, or a “%”)
Be creative! Just remember how creative you were - so you get it right!
Windows allows you to install differnt language keyboards - Russian, Polish, French, German, etc. - and it will be noted by a little box next to the clock in the system tray. If you switch to a non-English keyboard (French, for example), and type in your English password, you get gibberish (because the keys are in different places).
Good passwords are
(1) Longer than 8 characters (the longer, the better)
(2) Easy for YOU to remember
(3) Hard / impossible for someone else to guess
(4) Hard for someone to “reverse engineer” using hacking software.
(5) Contains both upper and lower case letters, numbers, and special characters.
Note that these example are not exhaustive - but should serve to stimulate thought - what’s obvious to YOU will (hopefully) not be obvious to the hacker trying to eat your lunch!