HIPS Series > Picking and Protecting Passwords

How to take this course

Hyperlinks to supplemental content are provided, should you wish to read more about a particular topic.  This extra material is optional.  It is not covered on the associated course quiz.  The supplemental content will usually be presented in a new browser window, which you may close at any time.

For the recommended reading sequence for these materials, see the HIPS Series Overview.

Approximate reading time for this course is 12 minutes (exclusive of linked content). The quiz for this course is here.

•  •  •  •  •

1. Why are you here?

As you probably already know, security training is usually required for everyone in an organization's workforce who has access to its information systems.  It's required by law.  It's required by ethics.  It's required by business common sense.

Learning to pick strong passwords and protect them appropriately is an important part of that training.  Why?  Because passwords are still a primary means of authenticating your identity -- a way to prove that you are really you to computers and networks. 

A compromised password can allow unauthorized access to your personal computer, and to all the files you keep on it.  Worse, it can allow unauthorized access to shared computer systems and networks.  That can compromise security for everyone, and put at risk all of your organization's information resources.

2. High-tech password cracking

Passwords are compromised -- or "cracked" -- in a variety of ways.  One is to try all the words in the dictionary.  That's called, predictably enough, a "dictionary attack."  A dictionary attack would take a human a long time, but it can be an easy task for another computer.  A computer can also be used to march through all the possible sequences of letters and numbers -- a "brute force" attack.

In order to defeat such assaults, many systems will lock an account after several consecutive unsuccessful password attempts.  It may then only be unlocked after a set waiting period, or require a system administrator's intervention to reset the lock.  If this happens to you, be patient.  It's a necessary security measure.

3. Low-tech password cracking

It often doesn't have to be a high-tech attack.  If passwords are obvious enough, they can simply be guessed by someone who knows things about you.  Things like the name of your spouse, significant other or pet, where you were born, your birth date, home address, and so on.

It can get simpler still.  There's the "shoulder surfing" attack -- someone watching you while you type your password.  Or the "Post-It"™ attack -- where someone finds a password you've written down and left in plain sight near the computer.

Or you can eliminate the need for an attacker to crack your password at all, by leaving your logged-in computer unattended.  That's why many systems have "time out" protections in place that lock your computer after a period of inactivity.

4. Basic rules for password choice

A "strong" password is one that is hard to crack.  Making a strong password is easy, if you follow the rules here.  (Remembering a strong password isn't always easy, but we'll also give you some tips for that in this course.)  Among the basic rules for strong passwords are:

  • More characters are better   Most computer systems require a minimum number of characters for a password.  Use more than that minimum!  The more characters, the more resistant a password will be to computer attacks and human guessing.
     
  • Mixed characters are better   Using a combination of uppercase letters, lowercase letters and numbers will also make your password more resistant to attack.  If your computer system allows it, mix in a few symbols like !#$% too.

  • Real words are always bad choices   Don't use words that are in the dictionary without adding other letters, numbers or special characters.  And we mean any dictionary.  Humans and dictionary-attacking computer programs can be multilingual.

  • "Personal" words are bad   Don't use passwords that refer to things that are easily guessed about you, such as your favorite color or sports team -- at least not without changing the spelling and adding extra letters, numbers or special characters.   Parts of addresses, telephone numbers, etc., are also bad choices.
  • Defaults are very, very bad   Some systems come with a standard starting (default) password.  These are commonly known, and must be changed!  Default passwords are the first thing that a password-cracking computer program -- or human -- will try.

5. Change is good, so is variety

We know it's harder on your memory, but don't keep the same password forever.  Some systems will force you to pick a new password on a regular basis.  Even if you're not forced, it's a good idea.

If you have any reason to believe a password has been compromised, change it immediately.  Someone who cracks your password may not be able to use it immediately.  And at least you'll prevent further damage.

Don't use the same password for all the systems you access.  You don't have one key for your home, car, and office, do you?  The same holds for passwords.  You don't want one cracked password to compromise everything.

6. Password DOs and DON'Ts

  Do use          Instead of
  4+7equals11     4711
  M_eyeAMe        miami
  Floor+duh       florida
  Sun#shyne       sunshine
  SPOT_mydawg     spot

Notice that the better passwords in the left column contain a mix of uppercase and lowercase letters, numbers and symbols.  Where common words are used, the spelling is altered.  (Need we mention that it's a particularly bad idea to use a password that is the same as your user-ID, or the password "password"?)

In summary, the rules are:

  • Do make them long (at least seven characters, ideally longer).
  • Do include mixes of uppercase letters, lowercase letters, numbers, and symbols.
  • Do use at least one symbol, ideally in the second through sixth position.
  • Do use at least four different characters (don't just repeat the same ones).
  • Do use different passwords for different systems, and change them regularly.
     
  • Don't use all or part of your user name or the computer system/service name.
  • Don't use words associated with personal characteristics that others may know.
  • Don't use a real word in any language (unless altering the spelling substantially).
  • Don't use consecutive letters or numbers (such as "abcdefg" or "1234567").
  • Don't use adjacent keys on your keyboard (such as "qwertyu").
  • Don't use numbers in place of similar letters to form the same characters (such as the number 1 for letter "l", or the number "0" for letter "O").
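
The DOs and DON'Ts above can be turned into a simple policy check.  The following is an added example written for this course, not a tool from the original materials; the word list, the "three of four character classes" reading of the mixing rule, and the user-ID "jdoe" are assumptions made for illustration.

```python
# Constructed stand-in for a real dictionary; a deployment would load a
# multilingual wordlist (assumption: exact, case-insensitive match is enough).
SMALL_DICTIONARY = {"miami", "florida", "sunshine", "spot", "password", "temptation"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo common digit-for-letter swaps so "f1orida" is still caught as "florida".
LOOKALIKES = str.maketrans("0134@$", "oleaas")


def has_run(s, n=3):
    """True if s contains n or more consecutive ascending or descending characters."""
    for i in range(len(s) - n + 1):
        chunk = [ord(c) for c in s[i:i + n]]
        steps = {b - a for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, user_id):
    """Return the list of DOs/DON'Ts that pw violates; an empty list means it passes."""
    problems = []
    low = pw.lower()
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if len(pw) < 7:
        problems.append("shorter than seven characters")
    if sum(classes) < 3:  # assumption: three of the four classes counts as a mix
        problems.append("not a mix of upper, lower, digits and symbols")
    if not any(not c.isalnum() for c in pw[1:6]):
        problems.append("no symbol in positions two through six")
    if len(set(pw)) < 4:
        problems.append("fewer than four different characters")
    if has_run(low):
        problems.append("consecutive letters or numbers")
    if any(row[i:i + 3] in low or row[i:i + 3][::-1] in low
           for row in KEYBOARD_ROWS for i in range(len(row) - 2)):
        problems.append("adjacent keyboard keys")
    uid = user_id.lower()
    if any(uid[i:i + 3] in low for i in range(len(uid) - 2)):
        problems.append("contains part of the user-ID")
    if low in SMALL_DICTIONARY or low.translate(LOOKALIKES) in SMALL_DICTIONARY:
        problems.append("a dictionary word (possibly with look-alike digits)")
    return problems


if __name__ == "__main__":
    for candidate in ("4+7equals11", "SPOT_mydawg", "miami", "f1orida", "qwertyu"):
        print(candidate, "->", check_password(candidate, "jdoe") or "OK")
```

Run against the table above, all five "Do use" passwords pass and all five "Instead of" passwords fail at least one rule.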

7. All passwords are not equally important

You may need to use many password-protected computer systems, or access many password-protected web pages.  Some of these deserve more security than others, and so require more attention to creating strong passwords.

For example, the password you use to log on to a newspaper site doesn't need to be as strong (or as frequently changed) as the one you use to get online access to your bank accounts.

We can't give you a rule for this.  But you should always have in the back of your mind this question:  "What would the consequences be if someone got the password to this?"  If the consequences could be serious, take the time to create and use a serious password.

8. Phrases can help your memory

Unfortunately, strong passwords tend to be hard to remember.  If you've got a lot of passwords to remember, and you are changing them often, it can get overwhelming very quickly.   Basing passwords on familiar phrases or favorite activities can help.  For example:

 I can resist anything but temptation = Icra_bt

 Biscayne Bay sailing on the weekends = BB_sotwe

 Four score and seven years ago = 4s++7ya

Alternatively, you can base a password on a favorite photograph or painting.  Whatever it is, try to pick something positive that you'll enjoy remembering each time you log in.

9. Writing down passwords

The best security comes from never writing down your passwords.  But, for many of us, the choice is between writing good passwords down or using bad passwords that we can actually remember.  If you're going to keep a "cheat sheet," remember:

  • Keep your cheat sheet physically hidden and secure.  In particular, don't leave it near the computer itself.  You wouldn't leave your house key taped to the front door, would you?  Or your car key taped to the door of your car?
     
  • In case the cheat sheet is found, don't write "user names and passwords" on it, or something equally revealing like the computer systems' names.  Try to disguise the information as something else -- such as entries in an address book.

10. Tools for storing passwords

Sometimes you are given the option of having your passwords automatically "remembered" by the computer, so you don't have to.  This is usually a bad idea.   Anyone who gains access to your computer will have access to all these protected places.

On the other hand, some automated tools can assist your memory without compromising security, and if you have a lot of passwords to remember you should consider a software or hardware alternative:

  • Password manager software allows you to store all your passwords in a secure database on your computer, protected by a single (strong) password. 
    Many commercial password storage programs are available.  There are also free, open-source versions, among them Password Safe and KeePass.
     
  • Password manager programs that come built into hardware like USB tokens, smart cards and biometric readers can do the same. 

These are essentially high-tech password cheat sheets -- but a big improvement over the paper variety if used properly.

11. When passwords are optional

Almost all shared computer systems require login passwords for each user.  Personal computers come out of the box with the capability of having a login password, but don't require it.  Many add-ons like removable storage devices and wireless communication cards also have the option of adding access protections.

Don't be lazy!  Enable a login password and a password-protected screensaver for your personal computer.  Activate password and other security protections for your portable storage devices and wireless links as well. 

This is a critical additional protection against intruders who get past the physical security measures that are your first line of defense.  While such measures can sometimes be defeated by a determined, knowledgeable attacker, they are much better than nothing.

12. Shoulder surfing

At the risk of sounding paranoid, we want to remind you to watch out for people watching you -- not only while you type in a password, but at any time you are using a computer. 

Aside from the security implications, it's generally rude to peer over the shoulder of someone who is working on a computer, unless permission has specifically been given to do so.

We're not sure why this habit is so common.  Perhaps it's because computer screens look like television screens, and it's generally not rude to stare at someone else's TV.  In any case, you shouldn't hesitate to ask -- politely of course -- that someone keep their distance while you're logging in or accessing sensitive data.

13. Lending passwords

Don't "lend" a password except in emergencies, and then only to someone you know, for reasons that make sense.  Be sure it's a real emergency, not just a matter of saving a little time or inconvenience. 

Don't ever reveal your password to someone whose identity or purposes are unclear.  It could be a phishing scam.

Always remember that a person using your user-ID and password has assumed your identity.  Anything wrong that they do will be attributed to you.  They'll also have access to your computer files, including the ability to modify or delete them.  Is that a risk you want to take?

If you do lend, be sure to change your password immediately after the "emergency" has passed.  

14. Logging in and leaving

Leaving a computer unattended while you are logged in is the same as giving away your password.  Don't do it.  Log off or lock your system, even if you plan to be away only briefly.

Most shared computer systems will shut down your session after a period of inactivity -- as a backup in case you "forget" to log off yourself.  As noted, that's a protection you should also have in effect on your personal computer, with a login password and a password-protected screensaver.

It's worth emphasizing again that leaving a computer in a physically unprotected space is dangerous.  The easiest way to get information off a personal computer is simply to steal the machine itself.  Don't make that easy!

15. If you remember nothing else

We know we've given you a lot to remember here.  In time, the rules for picking good passwords and protecting them will become automatic.

(1) Use mixed-character passwords of sufficient length, make them different for each application, and change them at appropriate intervals.

(2) Protect the passwords you create by keeping them in safe places.  (Ideally, just keep them in your head.)

(3) Change immediately any password you think may have been compromised, and report it.

Managing passwords is one of those things that you can't escape today.  Do it safely, and the odds are good that you'll keep the information under your control secure.  Do it unsafely and it's only a matter of time until something bad happens.

•  •  •  •  •

Help us make this course better -- take the online course evaluation. The quiz for this course is here.

•  •  •  •  •

   © 2002-2006 Contributing authors and University of Miami School of Medicine