Help2Go.com

Passwords: How to Choose a Good One

by Oscar Sodani
March 18, 2003

Passwords -- if you're like me, you've got dozens of them to remember. Bank machine PINs, network passwords, phone card PINs, e-mail passwords, and those ever-present web site passwords. How can a normal person keep track of them all? At last count, I have over 40 passwords that I keep track of -- let me show you my simple secret.

In this article, you will learn:

  • Why you need three and only three passwords
  • What passwords NOT to choose
  • How to choose a good password
  • How to keep those passwords secure

The Password Trifecta

There are three types of passwords you should keep. One is the PIN number variety, for those phone cards and bank machines. The second is a simple password, used for entry into systems that are not very secure, like web sites and e-mail. The third is a longer, more complex password for access into high-security systems, like your corporate network and your online financial data.

Passwords You SHOULDN'T Choose

When you choose a password, it shouldn't contain any information that a professional hacker has access to. For instance, if a hacker steals your wallet/purse, or gets into your trash, they will know what your birthday is, your address, your kids' names, and your middle name. These are the first passwords a hacker will try when they target you. In general, keep away from:

  • Your phone number(s)
  • Your Social Security number
  • Your address
  • Any birthday of someone in your immediate family
  • Your middle name
  • Any names of people you know -- especially your kids
  • Any month of the year
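As an added example (not part of the original article), here is how that list turns into a check a system could run when a password is set. The PersonalData record and the sample values in it are constructed for illustration, and the function names are assumptions; the birthday spellings it tests for are the common ways a date gets typed into a password.

```python
"""Reject passwords built from the personal data listed above.

Added example, not from the original article. The PersonalData fields,
function names and sample values are constructed for illustration.
"""
from dataclasses import dataclass, field
import re

# Full month names only: three-letter abbreviations ("mar", "may") would
# also match ordinary words like "smart" and produce false rejections.
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]


@dataclass
class PersonalData:
    """Facts someone could learn from a stolen wallet or the trash (constructed)."""
    phone_numbers: list = field(default_factory=list)
    ssn: str = ""
    address: str = ""
    family_birthdays: list = field(default_factory=list)  # "YYYY-MM-DD"
    middle_name: str = ""
    known_names: list = field(default_factory=list)


def digits_only(s):
    return re.sub(r"\D", "", s)


def birthday_forms(iso_date):
    """Common ways 1977-05-25 gets typed: 0525, 2505, 052577, 250577, 19770525, 05251977, 1977."""
    y, m, d = iso_date.split("-")
    return {m + d, d + m, m + d + y[2:], d + m + y[2:], y + m + d, m + d + y, y}


def forbidden_substrings(pd):
    """Collapse the personal data into lowercase tokens that must not appear in a password."""
    tokens = set()
    for p in pd.phone_numbers:
        n = digits_only(p)
        tokens.update({n, n[-7:], n[-4:]})        # full number, local part, last four
    if pd.ssn:
        n = digits_only(pd.ssn)
        tokens.update({n, n[-4:]})
    for word in re.findall(r"[A-Za-z0-9]+", pd.address):
        tokens.add(word.lower())                    # street name, house number
    for bd in pd.family_birthdays:
        tokens.update(birthday_forms(bd))
    if pd.middle_name:
        tokens.add(pd.middle_name.lower())
    tokens.update(n.lower() for n in pd.known_names)
    tokens.update(MONTHS)
    # Tokens shorter than three characters match almost anything; drop them.
    return {t for t in tokens if len(t) >= 3}


def check_password(password, pd):
    """Return the sorted list of forbidden tokens found in the password (empty = passes)."""
    p = password.lower()
    return sorted(t for t in forbidden_substrings(pd) if t in p)


# Constructed sample profile; none of these values belong to a real person.
SAMPLE = PersonalData(
    phone_numbers=["(555) 867-5309"],
    ssn="078-05-1120",
    address="42 Elm Street",
    family_birthdays=["1977-05-25"],
    middle_name="Ray",
    known_names=["Tyler", "Maria"],
)

if __name__ == "__main__":
    for pw in ["Tyler0525", "elm42", "BILBO", "SKY77WALKER", "march2003"]:
        print(pw, check_password(pw, SAMPLE) or "ok")
```

The check is a substring match after lowercasing, so TYLER, tyler and Tyler0525 are all caught; it deliberately ignores two-digit fragments such as a bare "77", because rejecting every password containing two digits would make the rule unusable.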

You should choose a password that will only make sense to you. We'll give you suggestions as we explore the three types of passwords in depth:

The PIN (Personal Identification Number)

A PIN is usually used at public machines, like a bank machine or a phone booth. PINs are normally four to six digits long. I use a four-digit PIN, because I can then use the same PIN for my bank card, my phone card, and others.

Your PIN should be something that only you know the meaning of. Maybe it is the address of your favorite restaurant. Maybe it's the number of miles on your car at the last checkup. Maybe it's the number of the cross-town bus you take to work, or the apartment number where you grew up. In any case, choose ONE PIN, and use that number for every PIN in your life.

The Simple Password

Let's face it -- we're asked for passwords in places where they really aren't necessary. Even if the password is stolen, the information the hacker would get isn't THAT important. For me, these low-security systems include my Yahoo e-mail password, my AOL Instant Messenger password, and the password for all those silly web sites that make you register with a userID.

Once again, we're going to choose one password for all these low-security systems. This password can be just letters, just numbers, or a mixture of both -- it's up to you. However, it is again important that only you can decipher the meaning of the password.

You can choose the name of your favorite sports hero (MCGWIRE). Or your favorite actor/actress (HARRISON). How about the name of a character in a favorite book (BILBO). Whether it is the lead in the local production of Swan Lake or the name of the drummer in KISS, you can't go wrong as long as the password is short and easy to remember. Using a password that is memorable only to you will thwart all kinds of invasive attacks. After all, how would a hacker know that you are a closet KISS fan?

The Complex Password

This is the BIG one. If you have personal information that you really don't want others to get at, this is the password you'll use. I especially recommend it for corporate networks. Even if you don't care that a hacker has access to the network, your boss most certainly will (and guess who gets in trouble?).

This password should always be a combination of letters and numbers. Furthermore, it should be different from the simple password you chose above. Let's say I'm a big Star Wars fan -- I can choose SKYWALKER as my base word. Then, I should add some numbers to it. Star Wars came out in 1977, so I can make my password SKYWALKER77. If I wanted to make it even more secure, I could put the numbers in the middle of the word, i.e. SKY77WALKER. This is a very secure password, and it will be easy to remember.

Other examples:
76TROMBONES, TROM76BONES
99LUFTBALLOONS, LUFT99BALLOONS
BERLINWALL89, BERLIN89WALL
GETTYSBURG63, GETTYS63BURG

You get the idea. No matter what, the password should be easy to remember. If you want, you can choose a random word, like UMBRELLA, and turn it into a complex password: UMBRELLA1492. No one is going to crack that one!
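How much guessing a word-plus-number password resists comes down to how many candidates the pattern admits, which is the number a practitioner counts before judging it. The following added example (not from the article) enumerates the placements the article describes (number in front, at the end, or between any two letters), counts the resulting search space, and compares it with a random string of the same length over the same A-Z and 0-9 alphabet. WORD_LIST_SIZE is an assumed figure for the size of a word list, and the function names are assumptions.

```python
"""Size the search space of the word-plus-number pattern described above.

Added example, not from the original article. WORD_LIST_SIZE is an assumed
figure; the alphabet (A-Z plus digits) matches the article's all-caps examples.
"""
import math

WORD_LIST_SIZE = 50_000   # assumption: rough size of an English word list a guesser might use
ALPHABET = 36             # A-Z and 0-9, the character set the article's examples draw from


def placements(word, number):
    """Every way the article places the number: in front, at the end, or between any two letters."""
    return [word[:i] + number + word[i:] for i in range(len(word) + 1)]


def pattern_candidates(word_len, digit_count, word_list_size=WORD_LIST_SIZE):
    """Candidates a guesser who knows the pattern must try: every word, every
    d-digit number, every one of the (word_len + 1) placement positions."""
    return word_list_size * 10 ** digit_count * (word_len + 1)


def pattern_bits(word_len, digit_count, word_list_size=WORD_LIST_SIZE):
    """Entropy in bits of 'dictionary word + d-digit number at any position'."""
    return math.log2(pattern_candidates(word_len, digit_count, word_list_size))


def random_bits(length, alphabet=ALPHABET):
    """Entropy in bits of a uniformly random string of the same length over the same alphabet."""
    return length * math.log2(alphabet)


def compare(word, number):
    """Summarise one article-style password against a random string of equal length."""
    total_len = len(word) + len(number)
    mid = len(word) // 2
    return {
        "example": word[:mid] + number + word[mid:],
        "placements": len(placements(word, number)),
        "pattern_bits": round(pattern_bits(len(word), len(number)), 1),
        "random_bits": round(random_bits(total_len), 1),
    }


if __name__ == "__main__":
    for word, number in [("SKYWALKER", "77"), ("TROMBONES", "76"), ("UMBRELLA", "1492")]:
        print(compare(word, number))
```

Incrementing the number each month, as the next section suggests, moves the password to another member of the same pattern, so the count computed here does not change; only the word list size, the digit count and the word length do.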

Special Circumstance: The Ever-changing Password

Some companies will force you to change your password every 30 days or every six months. I agree with this policy -- it is a good way to keep a network extremely secure. Since you already have a number in your complex password, you can just increment that number every month. For instance, if I choose 76TROMBONES, I can change it the next month to 77TROMBONES, and so on. Still secure, and still easy to remember.

Security

OK, now you have three passwords that you are ALWAYS going to use. They satisfy your security requirements without causing your brain to go numb by having to remember a million different passwords. Now don't go giving all that security away by storing those passwords in your wallet/purse! Remember, if a hacker wants to get into someone's life, the first thing they do is steal your wallet or purse. They know that most people are foolish enough to write passwords down somewhere.

If you MUST write your passwords down, the best place for them is a safe deposit box. Well, maybe that's a little extreme, but you should at least hide them in your home in an inconspicuous place. DO NOT hide them in your car. Cars can be stolen. Entire homes cannot.

And of course, NEVER give your password to ANYONE. Especially over the phone. As a network administrator, I am always surprised by the complete willingness of people to give me all kinds of personal information over the phone. Don't do it.

I hope this helped to settle your password chaos. Remember those three passwords and your life will be that much simpler.