Password Security - Good Passwords V Bad Passwords
One of the biggest problems a website hosting company faces is
making sure that clients understand the need for secure passwords,
so that accounts are not compromised by weak scripts and spammers.
I always tell clients that a password should be hard to guess, since
a weak password is rather like a lock made out of paper or plastic,
and that passwords are like dirty underwear: they should be changed
frequently.
Choosing the right password is something that many people find
difficult; there are so many things that require passwords these
days that remembering them all can be a real problem.
This page is designed to help clients choose good passwords for
their scripts and databases.
Password Basics
Passwords should be AT LEAST eight (8) characters and if possible
they should be longer.
- Use a random mixture of characters, upper and lower case, numbers,
punctuation, spaces and symbols.
- One of the most common mistakes is to use a word found in a
dictionary or something related to the site.
- Never use the same password twice. To keep track of all the
different passwords, why not use something like Aurora Password
Manager?
Things To Avoid when Creating a Password
So many people use weak passwords that can be easily guessed or broken.
Below is a list of simple things to avoid:
- Don't just add a single digit or symbol before or after a word,
e.g. "apple1".
- Don't double up a single word, e.g. "appleapple".
- Don't simply reverse a word, e.g. "elppa".
- Don't just remove the vowels, e.g. "ppl".
- Don't use key sequences that are easy to type, e.g. "qwerty", "asdf"
etc.
- Don't just garble letters, e.g. converting e to 3, L or i to
1, o to 0, as in "z3r0-10v3".
- Choose a password that you can remember, so that you don't need
to keep looking it up; this reduces the chance of somebody discovering
where you have written it down.
- Choose a password that you can type quickly; this reduces the
chance of somebody discovering your password by looking over your
shoulder.
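To make the list above concrete, here is a small checker, added for this page and not a tool from the hosting company, that flags each of those patterns on a candidate password. The word list and keyboard sequences are constructed stand-ins for the real dictionaries and word lists a deployment would load.

```python
import re

# Constructed stand-in for a real word list; a deployment would load a full
# dictionary plus the common-password lists the page mentions.
WORDLIST = {"apple", "zero", "love", "password", "letmein", "changeme",
            "opensesame", "computer", "keyboard", "indescribable", "gandalf"}
DEVOWELED = {re.sub(r"[aeiou]", "", w): w for w in WORDLIST}
KEY_SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz")
SUBSTITUTIONS = {"3": "e", "0": "o", "1": "li"}   # '1' may stand for l or i

def unleet(token):
    """Undo the digit-for-letter swaps the page lists, returning every
    plausible plain-letter reading (the '1' case is ambiguous)."""
    readings = {""}
    for ch in token:
        readings = {r + o for r in readings for o in SUBSTITUTIONS.get(ch, ch)}
    return readings

def weaknesses(password):
    """Return the 'Things To Avoid' patterns a password matches;
    an empty list means none of them applied (not that it is strong)."""
    core = password.lower()
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    m = re.fullmatch(r"[^a-z]?([a-z]+)[^a-z]?", core)
    if m and m.group(1) in WORDLIST:
        reasons.append("dictionary word, possibly with one digit/symbol added")
    half = len(core) // 2
    if len(core) % 2 == 0 and core[:half] == core[half:] and core[:half] in WORDLIST:
        reasons.append("a word doubled")
    if core[::-1] in WORDLIST:
        reasons.append("a word reversed")
    if core in DEVOWELED:
        reasons.append("a word with its vowels removed (%s)" % DEVOWELED[core])
    alnum = re.sub(r"[^a-z0-9]", "", core)
    if len(alnum) >= 4 and any(alnum in s or alnum in s[::-1] for s in KEY_SEQUENCES):
        reasons.append("keyboard sequence")
    tokens = re.findall(r"[a-z0-9]+", core)
    if (tokens and any(t not in unleet(t) for t in tokens)
            and all(unleet(t) & WORDLIST for t in tokens)):
        reasons.append("dictionary words with letters swapped for digits")
    return reasons

if __name__ == "__main__":
    for pw in ("apple1", "appleapple", "elppa", "ppl", "qwerty", "z3r0-10v3",
               "iNdesCribaBle", "seat%tree"):
        print("%-14s %s" % (pw, weaknesses(pw) or "no listed pattern"))
```

Note that "seat%tree" passes only because neither half is a dictionary word mangled with digits; with a full word list the checker would still not flag it, which is why the page's later advice to prefer long passphrases matters more than any single rule.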
Bad Passwords
Don't use passwords based on personal information such as: name,
nickname, birthdate, wife's name, pet's name, friend's name, home
town, phone number, social security number, car registration number,
address etc. This includes using just part of your name or part
of your birthdate.
Don't use passwords based on things located near you. Passwords
such as "computer", "monitor", "keyboard",
"telephone", "printer", etc. are useless.
Don't ever be tempted to use one of those oh so common passwords
that are easy to remember but offer no security at all, e.g. "password",
"letmein", "changeme", "opensesame".
Never use a password based on your username, account name, computer
name or email address.
Choosing a password
When choosing a password, use a good password generator such as
http://www.passwords.org.uk/index.php
Use the first letter of each word from a line of a song or poem.
Alternate between one consonant and one or two vowels to produce
nonsense words, e.g. "taupouti".
Choose two short words and concatenate them with a punctuation
or symbol character between the words, e.g. "seat%tree".
Changing your password
As I have previously mentioned, passwords are like dirty underwear:
you should change them frequently and never share them.
You should also change your passwords (in the same way as PIN numbers)
whenever you suspect that somebody knows one, or even that they may
guess it, perhaps because they stood behind you while you typed it in.
Remember, don't re-use a password, as someone might have a note
of it and try it out.
Protecting your password
Although it is very easy to do, and we are all guilty of it in one
way or another, you should NEVER store your password on your computer
except in an encrypted form. Note that the password cache that comes
with Windows (.pwl files) is NOT secure, so whenever Windows prompts
you to "Save password", don't.
Don't tell anyone your password, not even your system administrator.
Never send your password via email or any other unsecured channel.
It is perfectly acceptable to write your password down, but don't
leave the paper lying around: lock the paper away somewhere, preferably
off-site and definitely under lock and key.
Like PIN numbers, you should be very careful when typing in your
password, especially if you are using a public computer for some
reason, to make sure nobody else sees it.
Remembering your password
Remembering passwords is always difficult, especially with so many
of them nowadays along with security questions and PINs, and because
of this many people are tempted to write them down on bits of paper.
As mentioned above, this is a very bad idea. So what can you do?
- Use a secure password manager.
- Use a text file encrypted with a strong encryption utility.
- Choose passwords that you find easier to remember.
Bad Examples
Below is a list of passwords that we have seen being used by hosting
clients:
"fred8" - Based on the user's name, also too short.
"christine" - The name of the user's girlfriend, easy to
guess.
"kciredref" - The user's name backwards.
"indescribable" - Listed in a dictionary.
"iNdesCribaBle" - Just adding random capitalisation doesn't
make it safe.
"gandalf" - Listed in word lists.
"zeolite" - Listed in a geological dictionary.
"qwertyuiop" - Listed in word lists.
"merde!" - Listed in a foreign-language dictionary.
Good Examples
None of these good examples are actually good passwords; that's
because they've been published here and everybody knows them now.
Always choose your own password, don't just use somebody else's. Instead
of using single words for passwords, use a passphrase such as "3rdmarriage2ndtimeofasking"
or "mItWdOtW4Me" (Monday is the worst day of the week
for me).
Remember, when creating a password use the ENTIRE KEYBOARD:
include punctuation, capital letters, numbers, symbols,
etc.
How would a potential hacker get hold of my password anyway?
There are four main techniques hackers can use to get hold of your
password:
Steal it. That means looking over your shoulder
when you type it, or finding the paper where you wrote it down.
This is probably the most common way passwords are compromised,
so it's very important that if you do write your password down
you keep the paper extremely safe. Also remember not to type in
your password when somebody could be watching.
Guess it. It's amazing how many people use a
password based on information that can easily be guessed. Psychologists
say that most men use 4 letter obscenities as passwords and most
women use the names of their boyfriends, husbands or children.
A brute force attack. This is where every possible
combination of letters, numbers and symbols is tried in an attempt
to guess the password. While this is an extremely labour-intensive task,
with modern fast processors and software tools this method is not
to be underestimated. A Pentium 100 PC might typically be able to
try 200,000 combinations every second; this would mean that a 6 character
password containing just upper and lower case characters could be
guessed in only 27½ hours.
A dictionary attack. A more intelligent method
than the brute force attack described above is the dictionary attack.
This is where the combinations tried are first chosen from words
available in a dictionary. Software tools are readily available
that can try every word in a dictionary or word list or both until
your password is found. Dictionaries with hundreds of thousands
of words, as well as specialist, technical and foreign language
dictionaries are available, as are lists of thousands of words that
are often used as passwords such as "qwerty", "abcdef"
etc.
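As an added illustration, not from the original page, the following reproduces the brute-force figure above from the page's own numbers (200,000 guesses per second, 52 letters, 6 characters) and estimates how little the tricks from the "Things To Avoid" list enlarge a dictionary attack. The 300,000-word dictionary size, the 95-symbol "entire keyboard" charset (printable ASCII) and the set of add-on digits and symbols are assumptions made for the example.

```python
import re

# Figure taken from the text: a Pentium 100 PC trying 200,000 guesses/second.
GUESSES_PER_SECOND = 200_000
LEET = str.maketrans("elio", "3110")        # the e->3, l/i->1, o->0 garbling
DIGITS_SYMBOLS = "0123456789!@#$%&*?"       # constructed set of add-on characters

def brute_force_hours(charset_size, length, rate=GUESSES_PER_SECOND):
    """Hours to try every string of exactly `length` characters drawn from
    a charset of `charset_size` symbols at `rate` guesses per second."""
    return charset_size ** length / rate / 3600

def mangled_candidates(word):
    """Variants of one dictionary word that a word-list attack would also try,
    built from the 'Things To Avoid' patterns: an added digit/symbol before or
    after, doubling, reversal, vowel removal, digit-for-letter swaps and
    simple capitalisation."""
    variants = {word, word * 2, word[::-1], re.sub(r"[aeiou]", "", word),
                word.translate(LEET), word.capitalize(), word.upper()}
    variants |= {word + c for c in DIGITS_SYMBOLS}
    variants |= {c + word for c in DIGITS_SYMBOLS}
    return variants

def dictionary_attack_hours(word_count, sample_word="apple",
                            rate=GUESSES_PER_SECOND):
    """Hours to try a whole dictionary with every mangling rule applied,
    assuming each word yields as many variants as `sample_word` does."""
    return word_count * len(mangled_candidates(sample_word)) / rate / 3600

if __name__ == "__main__":
    # 52 = upper and lower case letters only; 95 = printable ASCII (assumed
    # stand-in for "the entire keyboard").
    print("6 chars, letters only:      %10.1f hours" % brute_force_hours(52, 6))
    print("8 chars, whole keyboard:    %10.0f hours" % brute_force_hours(95, 8))
    print("300,000 words, all mangles: %10.3f hours" % dictionary_attack_hours(300_000))
```

The point the numbers make is that each avoid-list trick multiplies the dictionary by a small constant (43 variants per word here), so a mangled word falls in about a minute at the page's rate, whereas every extra character and every extra symbol class multiplies the brute-force work exponentially.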