How Predictable Are You
Saturday, 22 May 2004
Although this article sounds like a survey from Cosmo, it's not. More to the point: how easy is it for someone, or something, to guess your passwords? You may have a password no person will guess, but that doesn't mean a computer program won't.

I'm going to go out on a limb here. I'll bet you haven't recently changed your passwords for your online services such as email or websites unless your company has a policy that forces a change.

If you haven't changed your passwords, do it now. There have been a couple of security breaches at popular sites. My suggestion is to change them for all services at once, as that makes the task easier. In fact, you should set up a recurring task to remind you every 90 days or so to change your passwords.

When choosing passwords, please don't fall into the habit of using the same words or common ones. Most hackers rely on this behavior and use "brute force" password cracking programs. These programs start by trying English words from a dictionary list and then expand outwards. One way to stall them is to use nonsensical or non-English words together with the symbols on the keys above the number row, such as the tilde, the percent sign, and so on. Just adding these extra characters dramatically increases the time one of these programs needs to crack your password. Hackers are like most of us: they take the easy route, and they will not spend extra time getting into one system when they could get into several systems in the same time frame.

Keep in mind that the people who try to break your password are either using a computer program that can try many combinations, or are people who know you. One has the advantage of raw computing power, the other knows your patterns and likes. Here are some guidelines.

Password Guidelines

1. Use the maximum length the password field allows. For example, if the password must be between 6 and 12 characters, choose 12.

2. Don't use all numbers or all letters unless it's a requirement. Try to mix letters with other characters.

3. Don't use numbers with emotional or logical attachment such as birthdays, tax ID numbers, phone numbers, license plates etc.

4. Don't use words found in the dictionary.

5. Don't spell words backwards or simply add a number to a word.
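To make the brute-force point above and the five guidelines concrete, here is an added example (not code from the original article) that checks a candidate password against guidelines 1 through 5 and estimates the keyspace a cracking program would have to cover. The word list, the guess rate, and the treatment of guideline 3 (a long run of digits, since the checker cannot know your birthday) are assumptions made for this example.

```python
import math
import re
import string

# Constructed mini word list standing in for the dictionary a cracking
# program loads first (assumption: a real list has tens of thousands of words).
WORDLIST = {"password", "secret", "bank", "coins", "summer", "welcome"}


def search_space(password: str) -> int:
    """Keyspace a brute-force program must cover if it knows only the
    length and which character classes appear in the password."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # the 32 printable ASCII symbols
    return alphabet ** len(password)


def guess_time_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to exhaust the keyspace at an assumed guess rate
    (one billion guesses per second is an illustrative figure, not a fact)."""
    return search_space(password) / guesses_per_second


def check_guidelines(password: str, max_len: int, wordlist=WORDLIST) -> list:
    """Return the numbers of the article's guidelines the password breaks."""
    broken = []
    # 1. Use the full length the field allows.
    if len(password) < max_len:
        broken.append(1)
    # 2. Don't use all numbers or all letters.
    if password.isdigit() or password.isalpha():
        broken.append(2)
    # 3. Personal numbers need knowledge of the user; a run of four or
    #    more digits (year, phone fragment) is the closest offline check.
    if any(len(run) >= 4 for run in re.findall(r"\d+", password)):
        broken.append(3)
    core = password.lower()
    # 4. Don't use a dictionary word.
    if core in wordlist:
        broken.append(4)
    # 5. Don't use a dictionary word reversed, or a word with digits tacked on.
    stripped = core.rstrip(string.digits)
    if core[::-1] in wordlist or (stripped != core and stripped in wordlist):
        broken.append(5)
    return broken


if __name__ == "__main__":
    for candidate in ("password1", "drowssap", "19800615", "WdmBcm2cc?"):
        print(candidate, check_guidelines(candidate, 12),
              "keyspace 2^%.1f" % math.log2(search_space(candidate)),
              "worst case %.2g s" % guess_time_seconds(candidate))
```

The keyspace function only counts which character classes appear, which is what matters for a program that has exhausted its dictionary and moved to exhaustive search; it deliberately says nothing about whether the password is a dictionary word, which is what the guideline checks are for.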

Although these rules may sound daunting, there are some tricks to following them. One of my tricks is to think of a descriptive phrase about the service. I find the more absurd it is, the more apt I am to remember it. For example:

Why does my Bank charge me to cash coins?

After I have the phrase, I convert it to a password by taking the first letter of each word. You might notice I capitalized the word Bank to add another upper case letter. I also try to convert words to numbers where I can, such as the word "to" becoming "2", and I keep the question mark. The end result is:

WdmBcm2cc?
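The phrase-to-password trick above, written out as an added example (not code from the original article): the first letter of each word, with the capitalisation you typed preserved, number-like words swapped for digits, and any punctuation attached to a word kept. The article shows only "to" becoming "2"; the other entries in the substitution table are assumptions added for this example.

```python
import string

# Word-to-digit substitutions. The article's own example uses only "to" -> "2";
# the rest are assumptions for this example and can be extended to taste.
NUMBER_WORDS = {
    "to": "2", "too": "2", "two": "2",
    "for": "4", "four": "4",
    "one": "1", "won": "1",
    "ate": "8", "eight": "8",
}


def phrase_to_password(phrase: str, number_words=NUMBER_WORDS) -> str:
    """Turn a memorable phrase into a password.

    For each whitespace-separated word: keep the first letter as typed
    (so a capitalised word yields an upper case letter), replace number-like
    words with a digit, and carry over punctuation stuck to the word.
    """
    out = []
    for token in phrase.split():
        core = token.strip(string.punctuation)
        if not core:
            out.append(token)          # token was punctuation only, keep it
            continue
        start = token.index(core)
        leading, trailing = token[:start], token[start + len(core):]
        out.append(leading)
        out.append(number_words.get(core.lower(), core[0]))
        out.append(trailing)
    return "".join(out)


if __name__ == "__main__":
    # The article's own phrase; expected result "WdmBcm2cc?"
    print(phrase_to_password("Why does my Bank charge me to cash coins?"))
    # A constructed phrase showing two substitutions and an exclamation mark
    print(phrase_to_password("I ate two pies!"))
```

Because the phrase is what you remember and the password is derived from it, you can make the phrase as long and silly as you like; the password only grows by one character per word, so pick a phrase with enough words to reach the field's maximum length.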

Once you've come up with your password, you might want to check how strong a similar one is (rather than the real password itself). There are several web sites that will judge your password. One source we like is Security Stats. The site offers a password strength meter as well as other security tips and tools.


Additional Resources

Password Strength Meter

Creative Commons License
This work is licensed under a Creative Commons License.

Last Updated ( Saturday, 26 August 2006 )