Good password practices

Passwords, and why the heck are they so important?

Everyone has passwords. Some have only a few, and some of us have bunches of them; in some cases, literally hundreds or thousands to manage, and let me tell you it’s a pain in the rear. However, password management is not the main thing this article is about, although it pertains to the subject. No, what I want to talk about today is the area of good passwords: strong passwords, passwords that will defend your server and shun any attack by the bad guys that try to get in while you are away playing Quidditch. I have seen lots of passwords in my day, and let me tell you that there are lots of servers that could be compromised using either “ncc1701” or “corona”.

Assuming you secure your server and have firewalls and all of the normal items in place to defend your network, passwords can be thought of as the last line of defense. Network security, remember, should be applied in layers: not just a firewall or just good passwords, but layers of good measures to protect your data.

When it comes to passwords though, they need to be long, complex and unreadable. Yes, it’s true, stop whining. When thinking of that great password you will use for your uber secret admin account, don’t pick something that is a known word or phrase, like “yellowstone” for example. You might look at that and think it’s 11 characters, it’s a dandy of a password. You’d be wrong. First, it’s a common word or phrase; second, it has no numbers or special characters in it. Ok, you say, let me trump up some of those vowels with numbers and special characters then, how about “y#ll0wst0n#”? Well, even though that is better than the first, a cracker performing a brute force attack would be through that password in about 3 seconds.

You see, they already have algorithms that swap special characters for vowels, and the like. If it’s a known word, or phrase, or combination of words, they’ll figure it out. The same goes for numbers: any all-number password, regardless of how long it is, is doomed to being cracked. It comes down to a matter of time, based on how fast the crackers’ computers are, and nowadays we are probably talking minutes at most.

So, you know you need a password that is at least 10 characters long, 14 to 16 is better, and it can’t be a number or a readily readable word. Well, how the hell am I supposed to remember that then, you say? Glad you asked my friend! One answer is that you don’t try to remember them all. There is a great tool called PasswordSafe, free and open source, that keeps all of your passwords in an encrypted database. You only have to remember the key to get into the database, and can then simply store your passwords in there.

Another thing that I do is generate passwords randomly, especially if I am going to put them into my PasswordSafe database. However, if it’s one I will have to use or remember, I have a cool technique for creating passwords, and I am going to share it here. What I do is use song lyrics, although you can use lines from a movie if you want, or basically anything resembling that kind of dialog that you can remember. For this exercise, I will use a line from a Spin Doctors favorite, “Margarita”.

What you do, is start by taking the first letter from each word in the verse you chose (or movie dialog, or whatever). In this case, the part of the chorus I want to use is:

I’ll take the salt from my wounds, and put it in my margarita.

Using this verse, the start of my new password would look like:

ittsfmwapiimm

Already we have a long, non-readable and easy to remember password. However, if we now employ some vowel switching and number/special character placing, plus upper case, we can make one that is ultra hard to crack. What if I came up with something like this:

Ittsfmw@p11MM5

Now we are talking. That would be a pretty tough password to crack, plus it is much easier to remember than a randomly generated password. Let’s compare to one I generated randomly:

,pN]RyX1E~H

That one would be tough to crack, that’s for sure, but you’d not have an easy time trying to remember it. Like I said, if all I am going to do is stick the password in the database, and I know I am not going to be trying to remember it or type it in (you know, I can cut and paste), I’ll generate them. It’s much quicker than trying to come up with them on your own, especially if you have a lot to do, which I sometimes do.

However, in other cases where I might know I want to remember it, or at the least will be typing it in, I’ll create one manually like the way I showed you above.

So now you know: store any passwords that you have to keep in a secure place. Yellow stickies on the monitor are not the place! Plus, use long, complex and hard to read passwords, not common words or phrases. Be sure not to reuse the same password across multiple accounts either; that way, if someone did get your password somehow, they can’t get into everything, just that one account. I hope this clears up some of the importance of passwords, and especially good passwords!

6 thoughts on “Good password practices”

  1. I don’t know how many times I have had to repeat to myself, “In the time of the monkey I was a …..” What was I? You know.

  2. Hi.
    Good to see you recommending a Password Safe – you’d be surprised how many “strong password” posts I read that never even mention password managers (amazing).

    Keepass is another tool which is pretty popular. And there is also a new breed of online password managers (that’s where I step in, I’m a co-founder of PassPack). Online services give you 24/7 access without toting around a USB key chain. They can be pretty useful for storing website passwords as they usually offer some sort of web auto-login feature.

    Here is an online vs. offline comparison post:
    http://passpack.wordpress.com/2007/01/29/online-vs-offline-password-managers/

    Cheers,
    Tara

  3. Hi Tara,

    I forgot about Keepass (http://keepass.info), that’s another good tool for managing passwords, thanks for mentioning it.

    The idea of online password management hadn’t occurred to me, but it’s an intriguing thought. I suppose in some cases it would depend on what you or your customers’ requirements were. I can see there would be instances where that would be handy, although, since you can’t always count on an Internet connection, combining that with the good old thumb drive helps round out a robust solution.

    Thanks for the information!

  4. Mack,

    Yeah, I know 😛 You might want to go change any passwords based off that if you are still using it, since you posted that much here. I am sure I am not the only Beck fan out there!

    Thanks

  5. Pingback: Protect your passwords! | Solarum - Information For Everyone

  6. Hi Laz,
    Yup, online password managers are fairly new since they are based on Host-Proof Hosting, which is an Ajax pattern.

    It’s pretty handy for people that move around between two or three computers (home, work, laptop) where they know they have a connection, but don’t want to have to sync up all the time. I also think some couples/families are using PassPack so that they can share the common “household” passwords in one safe place.

    PassPack supports CSV import and export, and I’ve heard of some folks using that to move data back and forth to Keepass on a USB. We’ll eventually add some sort of offline version as well, but I don’t have a schedule for that.

    What’s fascinating is how creative people are – give them a tool and they start molding it to their lives in ways you never could have imagined. It’s pretty neat.

    Cheers!
    Tara