Submitted by joel on Tue, 21/02/2012 - 11:46am
Welcome to one of the many password blogs you can find on the internet. An old password of mine is ‘M9sn@T&T’, and I will tell you why it is a good password as we go through this blog. This is primarily written for the customers of Passage Software, but I hope that it will be equally useful to anybody who uses passwords on a daily basis. I know not everyone who reads this will go and change their passwords straight away, because who would possibly guess ‘qwerty’ or ‘12345’? But if one Passage Software customer realises what hackers are capable of and changes their password, then that is one lot of data corruption that I won’t have to deal with.
First off, if your password is the same as your username you should pack up your computer and give it to your boss, and tell him that you are not worthy of working in the 21st century. Passwords are meant to be a deterrent, to hinder anybody from getting at what said password is protecting. Granted that if somebody wants to get at it there isn’t a lot you can do to stop them, but you can make it so hard that it is not worth it. So, how to make a good password?
There is almost an industry standard checklist for how to make a secure password, and it will consist of everything I’m about to tell you, but it is important, which is why I am telling you again. Let us think about the passwords you have: are they at least 8 characters? And do they contain upper and lower case letters with numbers and symbols? If not you should change them. Did you notice mine does: ‘M9sn@T&T’. There is a reason every time you create a password the site or program tells you to use them, and that is to do with the way malicious programs guess passwords: they will start with ‘aaaaaaaa’ and then try ‘aaaaaaab’ and so on until they get it correct. This is known as a brute force attack. Now the time it takes one of these programs to guess your password is fairly predictable. If you only use lowercase letters there are 208,827,064,576 possible 8 character passwords; that seems like a lot, but in 2007 if you took an average computer and ran a program that would guess every combination of an 8 character password with only lowercase letters, it took about 60 hours, compared with over 2 centuries if you were to include upper case, symbols and numbers. If you were to run that same program on an average computer of 2012, according to Moore’s law of computing it would take 15 hours, and that is a fairly conservative estimate. If you want to find the full table of results for this test, have a look here: http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/
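To show where the figures above come from, here is an added example (not from the original post) that reproduces the brute-force arithmetic: it backs out a guess rate from the 2007 lowercase result and applies it to the larger character set. It assumes the "upper case, symbols and numbers" set is the 95 printable ASCII characters and that the 2012 machine is 4 times faster, which is the 60 hour to 15 hour ratio the post quotes.

```python
# Added example: brute-force keyspace arithmetic behind the post's figures.
# Assumption: the full character set is the 95 printable ASCII characters.
LOWERCASE = 26
FULL_SET = 26 + 26 + 10 + 33      # lower + upper + digits + symbols = 95
LENGTH = 8
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search has to cover."""
    return alphabet_size ** length


def guess_rate(alphabet_size: int, length: int, hours: float) -> float:
    """Back out guesses per second from a measured time to exhaust a keyspace."""
    return keyspace(alphabet_size, length) / (hours * SECONDS_PER_HOUR)


def time_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Seconds needed to try every candidate at the given guess rate."""
    return keyspace(alphabet_size, length) / rate


def describe(seconds: float) -> str:
    """Render a duration in hours or years, whichever reads better."""
    if seconds >= SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:,.0f} years"
    return f"{seconds / SECONDS_PER_HOUR:,.1f} hours"


if __name__ == "__main__":
    # The post's 2007 data point: all 8-character lowercase passwords in ~60 hours.
    rate_2007 = guess_rate(LOWERCASE, LENGTH, 60)
    print(f"lowercase keyspace: {keyspace(LOWERCASE, LENGTH):,}")
    print(f"implied 2007 rate:  {rate_2007:,.0f} guesses/s")
    print("full set, 2007:    ", describe(time_to_exhaust(FULL_SET, LENGTH, rate_2007)))
    # The post's 2012 estimate is 4x faster (60 h -> 15 h); apply the same
    # factor to the full character set.
    rate_2012 = rate_2007 * 4
    print("lowercase, 2012:   ", describe(time_to_exhaust(LOWERCASE, LENGTH, rate_2012)))
    print("full set, 2012:    ", describe(time_to_exhaust(FULL_SET, LENGTH, rate_2012)))
```

With those assumptions the full set comes out at roughly 217 years on the 2007 machine, which matches the "over 2 centuries" figure.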
Along with rules on how long a password should be (8 plus characters) and what it should include (alphanumeric with symbols), you should also avoid specific words. To start with, your password shouldn’t be anything that someone could pick off a form, so that is your name, address, birthdate, reason you are attending the A & E today (probably only applicable to those who have teenage boys). Also avoid anything you have ever written on one of your social media sites, which includes friends’ names, pets’ names, favourite places, name of your work, boss’s name, favourite sports, favourite shows, and favourite celebrities.
Another thing to be avoided, which sadly happens all too often, is using a dictionary word and then putting a number at the end. The Oxford dictionary has roughly 171 000 words, and when you add a single number to the end you aren’t making it that much more difficult. Now consider which number you are going to add to the end of the word: is it the number 1? I knew that because I can both see into the future and read your mind. But seriously, if you are going to use ‘password1’ or ‘computer1’ then you aren’t much better than the person that is using their username. So here is your next rule: don’t use any word that appears in a dictionary.
The last selection of passwords that are off limits are any on a top 10, top 20, top 100 or top 500 list. These passwords are used by roughly 20% of internet users, they will almost always be the first to be tested by somebody trying to guess your password, and they could also be programmed into malicious software.
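The rules from the last few paragraphs (length, character classes, not your username, no dictionary word with a number tacked on, nothing from a top-N list) can be turned into a checker. This is an added example, not something from the post or from Passage Software; the dictionary and top-passwords sets are constructed stand-ins for a real word list and a published top 500 list.

```python
import re
import string
from typing import List, Optional

# Constructed stand-ins for a real dictionary and a published top-N list;
# a real deployment would load the full word list and a top 500 list.
DICTIONARY = {"password", "computer", "welcome", "dragon", "monkey", "summer"}
TOP_PASSWORDS = {"123456", "password", "qwerty", "12345", "letmein",
                 "password1", "abc123"}
SYMBOLS = set(string.punctuation)


def check_password(pw: str, username: Optional[str] = None) -> List[str]:
    """Return the rules from the post that `pw` breaks; [] means it passes."""
    problems = []
    lowered = pw.lower()
    if username and lowered == username.lower():
        problems.append("identical to the username")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    if lowered in TOP_PASSWORDS:
        problems.append("on a top-passwords list")
    # "Dictionary word with a number on the end": strip trailing digits,
    # then look the stem up, so 'computer1' and 'computer99' both fail.
    stem = re.sub(r"\d+$", "", lowered)
    if stem in DICTIONARY:
        problems.append("dictionary word with optional trailing digits")
    return problems


if __name__ == "__main__":
    for candidate in ["M9sn@T&T", "password1", "qwerty", "joel"]:
        verdict = check_password(candidate, username="joel")
        print(f"{candidate!r:12} -> {'OK' if not verdict else '; '.join(verdict)}")
```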
Please note: Symantec is one of the most reputable companies with regards to computer security, but in its list of the top 500 passwords there is some offensive language simply because they are very common passwords, in saying that many other top password lists will contain profanity as well.
Here is a trick that I use to remember passwords; ‘My parents’ names are Tom and Thyra’ change that to ‘My 9arents’ names @re Tom & Thyra’ which finally changes to ‘M9sn@T&T’ and ta da, my complicated password is an initialism. See it’s not that hard. But that’s not the only way to keep your passwords safe.
Remembering passwords is not an easy task, especially if you have a personal email, a work email, a Facebook, a LinkedIn, a Twitter and so on. It all gets a bit much. Sure, you can use a single password, but once someone has one password they can find out what sites you are using and which email host you use, and will be able to get into all of your accounts. So it’s best to vary your passwords, but then how do you keep track of which password goes with each site, right? That won’t be frustrating at all. Enter the password managers: they will keep track of all your passwords and you only have to keep track of a single master password. Some of the best password managers are ‘Password Keeper’, ‘KeePass’, ‘KeePassX’ and ‘LastPass’. How they work is you make one strong password that no-one knows; you use this password to log in to your password manager, which keeps track of the URLs you visit, your username and your password, with many more options for them to remember. Most password managers come with built-in password generators, which will make a password that is near impossible for potential hackers to crack.
TIP: If you have multiple machines and devices (smartphone, tablet) you can store your database on an online storage service such as Dropbox, link all your machines and devices to the database on your online storage tool, and have your passwords synced between all machines and devices.