The first Thursday in May is World Password Day.
The idea for a special day encouraging people to update passwords was the brainchild of security researcher Mark Burnett, who suggested people set aside a day to change important passwords in his 2005 book Perfect Passwords. Intel Security took the next step, declaring the first World Password Day in May 2013.
Internet security has changed over the years. As computers have become faster and more powerful, the internet has become more ubiquitous, and hackers have developed more sophisticated practices, programs, and algorithms to hijack your data.
There are now several competing schools of thought as to what makes a strong password. Before we start sorting that out, though, let’s look at some of the widely-agreed-upon worst practices:
Stupid-simple passwords: Believe it or not, there are still millions of people out there who think “12345”, “qwerty”, and “password” are viable options for protecting their data.
Using the same password over and over and over, for site after site after site: If the hackers get one password, they have them all. (Using the same password with a few extra symbols tacked on beginning and end doesn’t help much.)
Short is not sweet: In the early days of computing, a six-letter password was more than adequate. Now a nine-letter password is the bare minimum, and a lot of experts recommend they be a lot longer.
All Uppercase/All Lowercase: Having a mix of upper and lower case letters makes it just a wee bit harder for the bad guys to crunch your code.
Using personal information in your password: This includes any personal information, no matter how obscure you think it may be: birthplace, birth date, your name, the names of any of your friends and relations, the name of the beloved pet dog that died ten years ago, and especially your Social Security number.
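The worst practices above can be turned into an automated check that runs before a new password is accepted. The following is an added example, not code from the article or from INA Security; the common-password set and the personal details passed in are constructed samples, and a real deployment would load a full common-password list. The "reuse" check hashes only a stripped-down core of each password, so it also catches the same password with a few symbols tacked on at either end.

```python
import hashlib
import re
from typing import Iterable

# Constructed sample; a real deployment would load a full common-password list.
COMMON_PASSWORDS = {"12345", "123456", "qwerty", "password", "letmein", "iloveyou"}

MIN_LENGTH = 9  # the bare minimum the article cites


def normalize(text: str) -> str:
    """Lowercase and drop everything but letters and digits, so 'Rex-2014'
    still matches a password containing 'rex2014'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def core_hash(password: str) -> str:
    """Hash of the password with leading/trailing symbols stripped and case folded.
    Storing this for existing accounts lets us catch 'same password with a few
    symbols tacked on' without keeping the passwords themselves."""
    core = re.sub(r"^[^A-Za-z0-9]+|[^A-Za-z0-9]+$", "", password).lower()
    return hashlib.sha256(core.encode("utf-8")).hexdigest()


def check_password(password: str,
                   personal_info: Iterable[str] = (),
                   previous_cores: Iterable[str] = ()) -> list:
    """Return a list of worst-practice findings; an empty list means none were found."""
    findings = []
    if password.lower() in COMMON_PASSWORDS:
        findings.append("on the common-password list")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        findings.append("no mix of upper and lower case")
    candidate = normalize(password)
    for item in personal_info:
        fragment = normalize(item)
        # Ignore very short fragments (initials, single digits) to avoid noise.
        if len(fragment) >= 3 and fragment in candidate:
            findings.append(f"contains personal information ({item!r})")
    if core_hash(password) in set(previous_cores):
        findings.append("reused from another account (possibly with symbols tacked on)")
    return findings


if __name__ == "__main__":
    print(check_password("12345"))
    print(check_password("Rex2014!isMyDog", personal_info=["Rex", "2014-05-03"]))
    print(check_password("**Summer#Holiday7!!",
                         previous_cores=[core_hash("Summer#Holiday7")]))
```

The personal-information check is deliberately a substring match on a normalized form: a pet's name hidden inside a longer password is exactly the pattern the article warns about, and an exact-match check would miss it.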
So how important is it to generate a strong password? John Sancenito, President of INA Security in Harrisburg, shared with us a graph showing the results of a password breaking test by their Digital Forensic Laboratory:
The test was conducted with what’s known as a brute force attack, where special software enters numbers, letters, and special characters until the password breaks. As you can see, making the password more complicated makes it progressively harder to crack. (Presumably, the last result required some extrapolation of their data.)
How, then, do you go about crafting a password that’s less likely to crack under pressure? Well, there are some things security experts agree on, and some that are matters of debate:
The longer the better (within reason of course): As mentioned above, nine-letter passwords are now considered the bare minimum. Sixteen-letter passwords are becoming more the norm. How far can this trend go? Some web pages will accept up to sixty-four letters, and we may end up there someday. For now, though, nine to sixteen letters are a good start, at least until five-thirty tomorrow morning…
Randomize, randomize, randomize: Making your password random may well be the best tool for slowing down the malefactors. The best way to create a random password is hotly debated. Some popular methods:
Instead of a password, create a passphrase: Take a sentence, like “I watch abc27 news,” and remove the spaces to make it “Iwatchabc27news.” Or turn words into shorthand or deliberately misspell them (e.g. “eyewachabeec27nws”) and add numbers and/or symbols, as in “9eyewachabeec27nws+”. There’s enough of the original phrase there to jog your memory, while being much tougher to break than “gooddogLassie.”
Three/four random words: In the last few years, Britain’s National Cyber Security Centre has been promoting a new method of generating passwords. It’s really quite simple: pick three words at random and string them together. No muss, no fuss, and surprisingly, it’s pretty resistant to hacking. Some people are now going with four random words, on the theory that more is better. Of course, a lot of websites insist on including numbers or symbols in a password, but tacking a few of them on will just make the password stronger.
Random password generator: Don’t feel like figuring out a random password yourself? There are random password generators on the web. They vary in quality: with some, you can only tell it to generate a password; others allow you to set parameters like password length. A word of warning though — there are a lot of concerns about safety and privacy with a lot of these sites, mostly centering on whether they save copies of your passwords.
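The brute-force test described earlier, the advice on length, and the three generation methods just listed all come down to one number: how many possibilities an attacker has to try. The following added example (not code from the article, the NCSC, or any generator site) builds a random-word passphrase and a random character password with Python's CSPRNG, then estimates the search space for each scheme. The wordlist is a constructed 25-word sample; the 7776-word size and the guessing rate of ten billion per second used in the comparison table are assumptions standing in for a real diceware-sized list and a fast offline cracking rig.

```python
import math
import secrets
import string

# Constructed sample wordlist; a real list has thousands of entries (the
# widely used diceware-style lists have 7776), which is what gives the
# "three random words" method its strength.
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pebble", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_words(count: int = 3, words=WORDLIST, sep: str = "") -> str:
    """Passphrase of `count` words drawn uniformly with the OS CSPRNG (secrets),
    not the random module, whose generator is not cryptographically secure."""
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Password of `length` characters, each drawn uniformly from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform draws from `choices` options.
    Only valid for genuinely random draws: a passphrase made from a favourite
    sentence has far fewer possibilities than this formula suggests."""
    return picks * math.log2(choices)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every possibility at the given guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def strength_table(guesses_per_second: float = 1e10, wordlist_size: int = 7776):
    """Compare the schemes the article discusses. The guessing rate is an assumed
    figure for an offline attack on a fast hash; adjust it to taste."""
    schemes = [
        ("6 lowercase letters", 26, 6),
        ("9 printable characters", 94, 9),
        ("16 printable characters", 94, 16),
        ("3 random words", wordlist_size, 3),
        ("4 random words", wordlist_size, 4),
    ]
    return [
        (label, round(entropy_bits(n, k), 1),
         years_to_exhaust(entropy_bits(n, k), guesses_per_second))
        for label, n, k in schemes
    ]


if __name__ == "__main__":
    print(random_words(3, sep="-"), random_password(16))
    for label, bits, years in strength_table():
        print(f"{label:24s} {bits:6.1f} bits  {years:12.3g} years")
```

Running the table shows why the article's length advice matters more than any particular mix of symbols: adding one character to a 94-symbol password multiplies the search by 94, and a fourth random word from a 7776-word list multiplies it by 7776. Generating locally with `secrets` also sidesteps the privacy worry about web generators, since the password never leaves your machine.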
Password deny list: Okay, so you think you’ve concocted the strongest, most unbreakable password in the history of the internet. But what if someone has already used it? Worse yet, what if that password got vacuumed up by the bad guys in a database break-in somewhere? Before you put a password into use, you might want to search for “password deny list”. There are people out there who have compiled lists of passwords that have been compromised by cyberattacks. Enter your newly coined password, hit search, and find out if it’s on any of these lists. It might save you a lot of grief.
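A practical caveat on checking a password against a deny list: typing the new password into a web search box hands it to the search engine and to anything watching the connection. Breach-lookup services avoid that with a "k-anonymity" range query, in which only the first five hex characters of the password's SHA-1 hash leave your machine and the comparison is finished locally. The following added example (not from the article) simulates both sides of that exchange offline; the deny list is a constructed stand-in for a breached-password corpus, and the `lookup` callable stands in for the HTTPS request to the service.

```python
import hashlib

# Constructed stand-in for a breached-password corpus; a real one holds hundreds
# of millions of entries, which is why the lookup is delegated to a service.
COMPROMISED = ["password", "qwerty", "123456", "gooddogLassie", "letmein", "Iwatchabc27news"]

PREFIX_LEN = 5  # hex characters sent to the service; 16**5 is about a million buckets


def sha1_hex(password: str) -> str:
    """SHA-1 is used here only as the index key the range protocol is built on,
    not as a password-storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# ---- service side: buckets every known-bad hash by its prefix ----

def build_range_index(passwords) -> dict:
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])
    return index


def range_lookup(index: dict, prefix: str) -> list:
    """Everything the service ever returns: the suffixes sharing `prefix`.
    It learns which bucket you asked about, never which password you hold."""
    return sorted(index.get(prefix.upper(), []))


# ---- client side: hashes locally, sends the prefix, compares the suffix locally ----

def is_compromised(password: str, lookup) -> bool:
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in lookup(prefix)


if __name__ == "__main__":
    index = build_range_index(COMPROMISED)
    service = lambda prefix: range_lookup(index, prefix)  # stands in for the HTTPS call
    for candidate in ["gooddogLassie", "9eyewachabeec27nws+"]:
        verdict = "compromised" if is_compromised(candidate, service) else "not on the list"
        print(candidate, "->", verdict)
```

With a real corpus every five-character prefix matches hundreds of entries, so the bucket the service sees tells it nothing useful about which password was being checked; that is the property to look for when choosing a lookup service.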
Saving passwords: In the early days of computers, the mantra was “never write down a password.” The big worry was that some ne’er-do-well in your office, school or wherever might see your password on a slip of paper at your desk, and appropriate it for nefarious purposes. You were supposed to commit your passwords to memory. This was fine when you had, perhaps, six passwords to worry about; but when you get up to sixteen, or sixty, or even more, memory becomes a bit unreliable. Plus, the big worry now isn’t the troublemaker in the office, it’s the troll at a keyboard halfway around the world. If you’ve reached the point where half your computer time is spent resetting forgotten passwords, writing them down just makes more sense. Given the troll halfway around the world, saving passwords as a document on your computer is not your wisest move. Instead, you might want to go low-tech, and write them into a notebook, or put them in a box of 3×5 cards. (Easy to sort that way.) The important thing is still to keep passwords where others can’t see or get to them. Wherever they are, they’re your responsibility.
Password managers: If you have a lot of passwords to herd, and you’re not too keen on the “write them down” approach, you might want to look into password manager programs. Such programs will store your passwords in a secure file, and issue you a special password (usually randomly generated) so you can log into the program. Once you log into the program, you can happily waltz from website to website without having to log in to each location separately. These programs are becoming increasingly popular. Of course, you should do some research before selecting one, to find out which has the features that best suit your needs.
Two-step verification: Another technology that’s taking off in a big way. You start your login process and enter your password. The program will then issue you a code, either by email or phone, which you must enter to continue on to the site. It slows down the process of getting online just a little, but it makes your data much more secure.
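The code-by-email-or-phone step described above is only as good as the rules around the code: it must be unpredictable, expire quickly, work exactly once, and stop being accepted after a handful of wrong guesses (a six-digit code has only a million possibilities). The following added example (not code from the article or any particular site) shows the server-side half of that exchange. The five-minute window, the five-attempt limit, and the server key are assumptions; the store is in memory and takes an injectable clock so that expiry can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed validity window for an emailed/texted code
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is voided

# Assumed server-side secret, generated at startup; it keeps a leaked code
# store from being reversible into the codes themselves.
SERVER_KEY = secrets.token_bytes(32)


def code_tag(user: str, code: str) -> bytes:
    """Keyed hash binding a code to one user, so a code issued to one account
    cannot be submitted against another."""
    return hmac.new(SERVER_KEY, f"{user}:{code}".encode("utf-8"), hashlib.sha256).digest()


class OneTimeCodeStore:
    """Issues and verifies second-step codes. In-memory for the example; the
    clock is injectable so expiry can be tested without waiting."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> (tag, expires_at, attempts_left)

    def issue(self, user: str) -> str:
        # randbelow gives a uniform draw; zero-padding keeps leading zeros.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = (code_tag(user, code),
                               self._clock() + CODE_TTL_SECONDS,
                               MAX_ATTEMPTS)
        return code  # handed to the mail/SMS sender, never logged

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        tag, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]  # expired or guessed out: a fresh code is required
            return False
        if hmac.compare_digest(tag, code_tag(user, submitted)):
            del self._pending[user]  # single use: a captured code cannot be replayed
            return True
        self._pending[user] = (tag, expires_at, attempts_left - 1)
        return False


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice@example.com")
    print("right code accepted?", store.verify("alice@example.com", code))
    print("same code accepted again?", store.verify("alice@example.com", code))
```

`hmac.compare_digest` is used for the comparison so that a wrong guess takes the same time regardless of how many leading digits it got right; the attempt counter is what actually defeats guessing, and the expiry is what limits how long an intercepted message stays useful.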
So, whither the password? Some people are predicting within a few years the password will be as passé as the 3½-inch floppy disk. People will log in to the internet using a thumbprint, a retinal scan, or even DNA sampling. But I suspect there will be holdouts still using passwords long after these new technologies mature. Besides, if there’s a problem with a password, you reset it. How do you reset a thumbprint, retinal scan, or DNA sample?