Of the many authentication methods available (biometrics, security tokens, smart cards, public and private cryptographic keys, etc.), passwords are one of the most common forms of authentication, especially on small private networks such as those used by home users and small businesses.
Considering that we rely on this string of text to protect some of our most valuable information, access to personal accounts, and key critical systems, it should not come as a surprise that we need to ensure that we select a strong password. Nothing in this world is perfect, and password authentication is no different. A weak password can easily be broken by anything from crude tactics such as guessing to advanced tactics such as a brute force dictionary attack.
So, what are the guidelines to making a password secure enough to defend your data? Well, there are many differing opinions on this. My goal is to share my opinion with you through this blog post, as well as some helpful tips on how to create and manage a list of strong passwords.
I feel that everyone should be using what is commonly referred to as a strong password. However, I believe that some applications of password authentication, such as on a mission critical server, should go even a bit further than your average strong password, so I’ll share two sets of guidelines with you: one for everyday computer use, and some additional tips that I would recommend for protecting more confidential or invaluable data and systems.
Strong Passwords for the Average User
- Password Length - For a strong password for the average user, I would recommend a password that is at least 15+ characters in length. The longer and more complex your password is, the more difficult it will be for software or a human to crack.
- Letters, Numbers, and Special Characters - I would strongly suggest including numbers and special characters (such as !@#$%^&*(), etc.) in your password. This increases the complexity of the password and makes it more difficult to crack or guess.
- Avoiding Common Words or Phrases - One common password cracking technique is a dictionary attack, which uses a dictionary file to try common words against your password. To keep your password from being broken by a dictionary attack, avoid using common words or phrases that might be found in a dictionary.
- Creating a “passphrase” - To take the concept of a strong password even further, you can elect to create a passphrase. This can be particularly effective because it easily produces a long password that is still easy to remember. When you combine this concept with the other tips I’ve provided, you’ve got a very powerful password that will be very difficult to crack.
- Substituting Special Characters for Letters - Have you ever noticed how some special characters look like letters? ($=S, #=H, @=a, !=i, etc.) Use this to your advantage by substituting these characters for similar letters in your password, or better yet, your passphrase. This will help to further protect you from dictionary attacks by obscuring what the words used in your passphrase actually are, at least as far as the software can tell.
Here are a few examples of strong passwords or passphrases.
z@c# !$ t#e m@n = Zach is the man
t#!$ i$ @ $+r0ng p@$$p#rase ex@mple 2! = This is a strong passphrase example too!
Of course you can choose to make it much more complex and you can get very creative with these.
Additional Tips For Key Systems and Data
- Use An Even Longer Password - You may want to consider a password length of anywhere from 20-50 characters.
- Randomization - If you create a massive password with no clear patterns, you’ll have something much more difficult for software to crack. It should still incorporate a mix of character types, in order to create the most variety while avoiding patterns.
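To make the two sets of guidelines above concrete, here is a small policy checker I am adding to this post (it is not a tool from the post itself): it enforces the minimum length, digit and special-character rules, and runs the dictionary check after reversing the letter-for-symbol substitutions, because cracking tools apply exactly those substitutions as rewrite rules. The word list is a tiny constructed stand-in for a real dictionary file.

```python
import re

# Constructed stand-in for a cracking dictionary; a real one has millions of entries.
COMMON_WORDS = {"zach", "is", "the", "man", "this", "a", "strong",
                "passphrase", "example", "too", "password", "welcome"}

# Reverse of the substitutions suggested in the post ($=S, #=H, @=a, !=i)
# plus a few other common ones (0=o, 1=l, 3=e, +=t).
UNLEET = str.maketrans({"$": "s", "#": "h", "@": "a", "!": "i",
                        "0": "o", "1": "l", "3": "e", "+": "t"})


def check_password(pw, min_len=15, words=COMMON_WORDS):
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    if len(pw) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if not re.search(r"\d", pw):
        findings.append("no digit")
    if not re.search(r"[^A-Za-z0-9\s]", pw):
        findings.append("no special character")

    # Undo the substitutions before the dictionary lookup, since a cracking
    # rule set would try the same substitutions against every word in its list.
    normalized = pw.lower().translate(UNLEET)
    tokens = re.findall(r"[a-z]+", normalized)
    hits = [t for t in tokens if len(t) > 2 and t in words]
    if hits:
        findings.append("dictionary words after undoing substitutions: "
                        + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for candidate in ("z@c# !$ t#e m@n",
                      "t#!$ i$ @ $+r0ng p@$$p#rase ex@mple 2!",
                      "Xq7!kLm2#vP9zRt4"):
        print(repr(candidate), "->", check_password(candidate) or "passes")
```

Run against the two sample passphrases in this post, the dictionary check still recovers the underlying words, which is why the length and randomization tips carry more weight than substitution on its own.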
These tips will create some very difficult passwords for either humans or software to crack, but how are you supposed to keep up with one of these, much less several? Well, I have a helpful recommendation for that as well. I would recommend KeePass. It’s an open source password database. You use one strong password to control access to the database, and then store all of your other strong passwords in it. Now you only have to remember one strong password to access the individual strong passwords for each site or computer on which you have an account. You can keep the database on a USB drive so you always have it with you, and so that it’s not exposed to attackers except while you’re actually using it.
I encourage you to share your own tips on creating a strong password as well as tips on how to manage them.