Password safety

Passwords remain the most common means of authentication (proof of identity) for computer systems and web sites.  Authentication using biometrics (such as fingerprint scanning) and electronic tokens (smart cards) is becoming more common, but in most places passwords are the only barrier.

It has been estimated that the majority of information security breaches -- as much as 80% -- stem from persons picking "weak" passwords that are easy to guess, or from stolen passwords that are compromised because of poor password protection practices. 

Rules for strong passwords

"Strong" passwords are hard to guess -- either by a human or by a machine.  Humans guess passwords by what they know about you.  Machines guess passwords by trying likely words (a "dictionary attack") or just all possible combinations of letters and numbers (a "brute force attack").

Creating strong passwords requires doing the following:

  • Do make them long (at least seven characters, ideally longer).
  • Do include mixes of uppercase letters, lowercase letters, numbers and, where permitted, symbols like !@#&*.
  • Do include at least one symbol, ideally in the second through sixth position.
  • Do use at least four different characters (don't just repeat the same ones).
  • Do use different passwords for different systems.
  • Do change them regularly.

And it requires not doing the following:

  • Don't use all or part of the computer system/service name, your name, or nicknames.
  • Don't use words associated with personal characteristics that others may know (family names, pet names, addresses, telephone numbers, etc.)
  • Don't use a real word in any language, unless altering the spelling substantially.
  • Don't use consecutive letters or numbers on your keyboard (such as "abcdefg" or "1234567").
  • Don't use adjacent letters on your keyboard (such as "qwertyu").
  • Don't use numbers in place of similar letters to form the same characters (such as the number "1" for letter "l" or the number "0" for letter "O").

How strong is strong enough?  The more important it is to keep a particular device or system secure, the more attention you need to pay to the password that protects it.   So a password for, say, a public newspaper web site doesn't need the same attention as one that guards your online banking site.

Remembering strong passwords

If you follow all the rules above, you may have a hard time remembering your passwords -- particularly if you have a lot of them.  To aid your memory, it is often helpful to build a password from a phrase, based on an activity, picture, or something else familiar to you.  Use the leading letters of the phrase for the password:

  • Icra_bt  ("I can resist anything but temptation")
  • BB_sotwe  ("Biscayne Bay sailing on the weekends")
  • 4score+7ya   ("Four score and seven years ago")

Or you can use creative spelling to make a simple, weak password into a strong one:

  • 4+7equals11  (instead of "4711")
  • M_eyeAMe  (instead of "miami")
  • Floor+duh  (instead of "florida")
  • Sun++shyne  (instead of "sunshine")
  • SPOT_mydawg  (instead of "spot")

DO NOT use the above-mentioned EXAMPLES of strong password choices -- for the obvious reason that they are on a public web site.

Protecting passwords

Most of the rules for protecting passwords are commonsensical -- it's the same as protecting any other important secret:

  • Don't talk about a password in front of others (including hinting about the format).
  • Don't reveal a password over the phone.
  • Don't reveal a password in an email message.
  • Don't reveal a password on questionnaires or security forms.
  • Don't reveal a password to work colleagues (even when you're going on vacation).
  • Don't share a password with family members.

So, does that mean you can NEVER reveal a password?  We can't rule out all possible emergencies.   If you do end up revealing a password -- for a well-defined emergency, to a person you trust, for reasons you find compelling -- make sure you change it afterwards.

If there are passwords you wish to pass along to family or friends, should you be killed or incapacitated, you may want to keep a list of them in a safe deposit box.  This will also give you a place to find them, if you lose all other copies.

What about writing down passwords and keeping them in less secure places than a safe deposit box?  The best practice is not to do this.   But the practical reality may be that if you have a lot of passwords, you need to have them written down somewhere where you can get to them.  Just be sure you keep that document in a very secure location. 

Obviously that means not writing them down on a piece of paper kept in an easily-discovered location near your computer, for the same reason you don't keep your house key taped to your front door.

Learn more

Choosing and Protecting Passwords (US-CERT)
Concise summary of the rules for password security

Picking and Protecting Passwords (UM Privacy Project)
Click-through content on password security

Last modified: 08-Sep-2005 [RC]


   © 2002-2006 Contributing authors and University of Miami School of Medicine