Passwords

How do you prove that you are you, and that you are entitled to use a particular information resource? Computer systems authenticate identity and validate access privileges using three basic methods --

  • by something you possess -- the technical term is a token (a smart card or key fob),
  • by something you "are" -- biometrics, such as a fingerprint, or
  • by something you know -- a password. (The userid that goes with it is not a secret; it only says who you claim to be, and the password is what proves it.)

Passwords remain the most common means of authentication for computer systems and Web sites. Authentication using biometrics (such as fingerprint scanning) and electronic tokens (smart cards) is becoming more common, but in most places a password is the only barrier.

It has been estimated that the majority of information security breaches -- by some accounts as many as 80% -- stem from users picking "weak" passwords that are easy to guess, or from passwords that are stolen because they were poorly protected.

The simplest passwords are just sequences of characters. If the user supplies the correct sequence, identity is confirmed. The "password space" is the set of all character sequences that could be passwords, given the system's limitations (e.g., the maximum length of a "legal" password and which characters it accepts). The effective number of passwords is much smaller than this theoretical limit: humans pick sequences that are easy to memorize rather than random ones, so an attacker need only search the small set of likely choices.

Since passwords tend to be familiar words, one common way of guessing them is the "dictionary attack": the attacker tries candidates from a list of common words and word fragments, usually with the typical variations (capitalization, digits appended, letters swapped for look-alike digits), until one works. Limiting the number of incorrect attempts before an account is locked counters this kind of probing at the login prompt. Setting the limit low, however, frustrates legitimate users with bad typing skills (and/or bad memories), and a limit does nothing once an attacker has stolen the file of password hashes, since the guesses are then checked offline at whatever speed the attacker's hardware allows.
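The two situations described above, as an added example that is not part of the original page: a small dictionary attack with word-mangling rules, run first against a constructed file of salted password hashes (the offline case, where no lockout applies) and then through a login front end that locks the account after five failures. The wordlist, user names, salts and passwords are all made up for the demonstration, and plain salted SHA-256 stands in for whatever hashing the real system would use.

```python
import hashlib

# Constructed wordlist: the "common words and fragments" a cracker starts from.
WORDLIST = ["password", "welcome", "miami", "sunshine", "dolphin", "letmein"]
# Digit-for-letter swaps people use to "strengthen" a word; the attacker applies the same ones.
LEET = str.maketrans("aeiost", "431057")
SUFFIXES = ("1", "123", "!", "2006")


def mangle(word):
    """Expand one dictionary word into the variants people actually type."""
    variants = set()
    for w in (word, word.capitalize(), word.upper()):
        variants.add(w)
        variants.add(w.translate(LEET))
        for s in SUFFIXES:
            variants.add(w + s)
    return variants


def candidates(wordlist):
    """All guesses, in a fixed order so attempt counts are reproducible."""
    for word in wordlist:
        for cand in sorted(mangle(word)):
            yield cand


def hash_password(password, salt):
    # Plain salted SHA-256 stands in for the target's scheme (an assumption of this
    # example). A real service should use a deliberately slow hash such as bcrypt,
    # scrypt or Argon2 so that every offline guess costs the attacker more.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_records():
    """Constructed 'stolen' password file: (user, salt, hash). The plaintexts are
    listed only so the example runs stand-alone; an attacker sees just the hashes."""
    users = [("alice", "s1", "Sunshine1"),      # dictionary word, capitalized, digit appended
             ("bob", "s2", "m14m1"),            # "miami" with look-alike digits
             ("carol", "s3", "Icra_bt!2006")]   # built from a phrase, not in any wordlist
    return [(u, salt, hash_password(p, salt)) for u, salt, p in users]


def crack_offline(records, wordlist):
    """Offline attack: nothing limits how many guesses we test against a stolen hash."""
    found = {}
    for user, salt, digest in records:
        for cand in candidates(wordlist):
            if hash_password(cand, salt) == digest:
                found[user] = cand
                break
    return found


class LoginGuard:
    """Online front end that refuses an account after `limit` wrong passwords."""

    def __init__(self, records, limit=5):
        self.creds = {u: (salt, digest) for u, salt, digest in records}
        self.limit = limit
        self.failures = {}

    def login(self, user, password):
        if self.failures.get(user, 0) >= self.limit:
            return "locked"
        salt, digest = self.creds[user]
        if hash_password(password, salt) == digest:
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "wrong"


def guess_online(guard, user, wordlist):
    """The same dictionary pushed through the rate-limited login.
    Returns (password or None, number of login calls made)."""
    calls = 0
    for cand in candidates(wordlist):
        calls += 1
        outcome = guard.login(user, cand)
        if outcome == "ok":
            return cand, calls
        if outcome == "locked":
            return None, calls
    return None, calls


if __name__ == "__main__":
    records = make_records()
    print("offline:", crack_offline(records, WORDLIST))   # alice and bob fall, carol survives
    guard = LoginGuard(records, limit=5)
    print("online:", guess_online(guard, "bob", WORDLIST))  # locked out after five tries
```

Run stand-alone, the offline pass recovers alice's and bob's passwords from their hashes and never finds carol's, while the same guesses through the login front end stop at the lockout. The lockout protects bob only as long as his hash stays on the server.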

Urging users to pick more random, harder-to-guess but also harder-to-memorize passwords tends to create another security problem: users write their passwords down, and the "attack" becomes finding the list. Since users tend to reuse the same password for all applications, finding it in one place exposes many systems. (The same problem occurs when users are required to change their passwords often. Everything is changed, but to the same new password, and it is written down!)

All in all, passwords are a poor authentication method. They survive because they are still generally cheaper than the alternatives.

Rules for strong passwords

"Strong" passwords are hard to guess -- either by a human or by a machine. Humans guess passwords by what they know about you. Machines guess passwords by trying likely words (a "dictionary attack") or every possible combination of characters (a "brute force attack"); the brute force attack is why length matters more than any other rule below.

Creating strong passwords requires doing the following:

  • Do make them long (at least seven characters, and ideally much longer; every extra character multiplies the work of a brute force attack).
  • Do include mixes of uppercase letters, lowercase letters, numbers and, where permitted, symbols like !@#&*.
  • Do include at least one symbol, ideally in the second through sixth position.
  • Do use at least four different characters (don't just repeat the same ones).
  • Do use different passwords for different systems.
  • Do change them whenever you have reason to think they may have been exposed, and on whatever schedule the system's policy requires.

And it requires not doing the following:

  • Don't use all or part of the computer system/service name, your name, or nicknames.
  • Don't use words associated with personal characteristics that others may know (family names, pet names, addresses, telephone numbers, etc.).
  • Don't use a real word in any language, unless altering the spelling substantially.
  • Don't use consecutive letters or numbers on your keyboard (such as "abcdefg" or "1234567").
  • Don't use adjacent letters on your keyboard (such as "qwertyu").
  • Don't use digits or symbols in place of similar-looking letters and count the result as a new word (the number "1" for the letter "l", "0" for "O", "@" for "a"); cracking tools try these substitutions automatically.
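The do's and don'ts above, applied by a checker that is added here as an example (it is not from the original page or from any product): it flags short passwords, missing character classes, too few distinct characters, a user name, system name or personal word inside the password, a dictionary word that has only been decorated with digits or look-alike symbols, and keyboard or alphabet runs. The word lists and the user/system/personal inputs are constructed for the demonstration; a real deployment would load full dictionaries.

```python
import string

# Constructed mini word list; a real checker loads full dictionaries in every relevant language.
COMMON_WORDS = {"password", "welcome", "sunshine", "miami", "florida", "dolphin", "spot"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase]
# One common set of digit/symbol-for-letter swaps (the "1" for "l", "0" for "O" trick).
# Cracking tools apply these automatically, so the checker undoes them before looking
# for a dictionary word. This maps "1" to "i"; a fuller check would try "l" as well.
UNLEET = str.maketrans("43105$@7", "aeiossat")
SYMBOLS = set(string.punctuation)
MIN_LENGTH = 7


def normalize(password):
    """Undo the substitutions and keep only letters, lower-cased."""
    return "".join(ch for ch in password.translate(UNLEET).lower() if ch.isalpha())


def looks_like_word(password, words=COMMON_WORDS):
    """True when the password is one dictionary word plus at most two extra letters."""
    norm = normalize(password)
    return any(w in norm and len(norm) - len(w) <= 2 for w in words)


def has_keyboard_run(password, run=4):
    """True when `run` adjacent characters follow a keyboard row or the alphabet, in either direction."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(low[i:i + run] in seq for i in range(len(low) - run + 1)):
                return True
    return False


def check_password(password, username="", system="", personal=()):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(c in SYMBOLS for c in password)]
    if sum(classes) < 3:
        problems.append("uses fewer than three of upper, lower, digit, symbol")
    symbol_positions = [i + 1 for i, c in enumerate(password) if c in SYMBOLS]
    if not symbol_positions:
        problems.append("no symbol")
    elif not any(2 <= p <= 6 for p in symbol_positions):
        # The page calls this "ideal" rather than mandatory; treated as a rule here.
        problems.append("no symbol in positions 2-6")
    if len(set(password)) < 4:
        problems.append("fewer than four different characters")
    low, norm = password.lower(), normalize(password)
    names = [("user name", username), ("system name", system)] + [("personal word", w) for w in personal]
    for label, word in names:
        w = word.lower()
        if len(w) >= 3 and (w in low or w in norm):
            problems.append("contains %s '%s'" % (label, word))
    if looks_like_word(password):
        problems.append("is a dictionary word with minor changes")
    if has_keyboard_run(password):
        problems.append("contains a keyboard or alphabet sequence")
    return problems


if __name__ == "__main__":
    for pw in ("Icra_bt", "P@ssw0rd1", "qwerty123", "Miami2006!"):
        print(pw, "->", check_password(pw, username="alice", system="webmail", personal=("miami",)) or "passes")
```

Passing this checker is a floor, not a guarantee: it cannot know which personal facts an acquaintance could guess, and a short password that satisfies every rule still falls to a brute force search sooner than a long one.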

How strong is strong enough? The more important it is to keep a particular device or system secure, the more attention you need to pay to the password that protects it. So a password for, say, a public newspaper web site doesn't need the same attention as one that guards your online banking site -- but it must still not be the same password.

Remembering strong passwords

If you follow all the rules above, you may have a hard time remembering your passwords -- particularly if you have a lot of them. To aid your memory, it is often helpful to build a password from a phrase, based on an activity, picture, or something else familiar to you. Use the leading letters of the phrase for the password:

  • Icra_bt  ("I can resist anything but temptation")
  • BB_sotwe  ("Biscayne Bay sailing on the weekends")
  • 4score+7ya   ("Four score and seven years ago")

Or you can use creative spelling to make a simple, weak password into a strong one:

  • 4+7equals11  (instead of "4711")
  • M_eyeAMe  (instead of "miami")
  • Floor+duh  (instead of "florida")
  • Sun++shyne  (instead of "sunshine")
  • SPOT_mydawg  (instead of "spot")

DO NOT use the above EXAMPLES of strong password choices -- for the obvious reason that they are published on a public web site, and so will be in every cracker's word list.

Protecting passwords

Most of the rules for protecting passwords are commonsensical -- it's the same as protecting any other important secret:

  • Don't talk about a password in front of others (including hinting about the format).
  • Don't reveal a password over the phone.
  • Don't reveal a password in an email message.
  • Don't reveal a password on questionnaires or security forms.
  • Don't reveal a password to work colleagues (even when you're going on vacation).
  • Don't share a password with family members.

So, does that mean you can NEVER reveal a password? We can't rule out all possible emergencies. If you do end up revealing a password -- for a well-defined emergency, to a person you trust, for reasons you find compelling -- change it as soon as the emergency is over.

If there are passwords you wish to pass along to family or friends, should you be killed or incapacitated, you may want to keep a list of them in a safe deposit box.  This will also give you a place to find them, if you lose all other copies.

What about writing down passwords and keeping them in less secure places than a safe deposit box? The best practice is not to do this. But the practical reality may be that if you have a lot of passwords, you need to have them written down somewhere where you can get to them. Just be sure you keep that document in a very secure location: locked away, or in an encrypted file protected by one strong password that you do remember.

Obviously that means not writing them down on a piece of paper kept in an easily-discovered location near your computer, for the same reason you don't keep your house key taped to your front door.

Learn more

Choosing and Protecting Passwords (US-CERT)
Concise summary of the rules for password security

Last modified: 23-Apr-2006 [RC]


   © 2002-2006 Contributing authors and University of Miami School of Medicine