With all the sites and programs that require you to have passwords, it is becoming a necessity to have a strategy for choosing good passwords that you can remember, yet are strong enough for protecting your sensitive information online.

You may have noticed that password rules vary from site to site. (I’ll talk about Web sites in this article, but this could just as easily apply to programs that run on your computer.) Usually, the strictness of the password rules increases with the sensitivity of the information being protected by the password.


Online banking sites usually require you to have at least 8 characters, including one upper case and one lower case character, and most require you to use at least one number or special character. There isn’t really a magic formula, but this is commonly accepted, and I call it the “Standard Strong Password” policy.
Obviously, banks need to make sure your password is not easily guessed by anyone. But they can’t do anything about it if you write down your password on a yellow sticky note and put it on your desk beside the computer. That’s why they have you read their terms and conditions, and make you agree to protect your password. This is your responsibility.

But what about online shopping sites? Do they need to use the same rules? It’s certainly not a bad idea for them to have the same rules, even if they don’t keep much sensitive information of yours. They may someday want to add value to their service, and it might require stronger protection. If they already require you to use strong passwords, they won’t have to inconvenience you later to change your password. For more information on setting password policies for an organization, refer to my article on “Password Policies” by clicking HERE.

Still, some sites don’t require anything but a minimum number of characters in your password. That shouldn’t stop you from using a stronger one if you want. The worst sites are ones that limit the number or types of characters you can use in your passwords (e.g. 6 characters, and by the way you can’t use the “$” character!). This raises the question, “How careful are they being with my information if they won’t allow me to put a strong password on my account?”

Assuming you are allowed to choose a strong password, what should you use? Ideally, you want something nobody else can guess, but these can be hard to remember. And what about using the same password on multiple sites? What if someone finds out the password you use on one site, and tries it on all of your sites? The reality is, with the number of sites you are registered at, you have probably used the same password in some of them. It almost makes the Internet unusable if you have to use a different password on each site.

You should also have a practice of changing your passwords every few months, or immediately if you think someone might know it.

With all of these conflicting requirements for a “perfect password”, where do you start? Based on the analysis done by Bruce Schneier (click HERE), here are a few tips I can provide, not for a “perfect” one, but a strong, manageable one:

  1. Choose a password “root” that is not a word found in a dictionary. Even the password “letmein” (let me in - without the spaces) is one of the most commonly used passwords. One of the best ways to choose a root is to think of a phrase you can remember (maybe from a passage in your favourite book), and take the first letter of each word. For example, using the phrase “You can’t have everything; where would you put it?…” (Stephen Wright… no relation) you could create the root “YcheWwypi”.
  2. Choose a numeric digit and a special character and place them at a random location in the string. They can be side-by-side, although separating them makes the password stronger. For example, “Ych4^eWwpi”.
  3. If you are forced to change the password, just change the location of the number and special character within the root string of characters, for example “Yc4^eWwpi”.
  4. I don’t recommend using a special character or number to separate dictionary words, such as “Dog2Cat”; or even substituting special characters for real ones, such as “Tru$tme”. These are easily guessed by password guessing programs (Click HERE for more information).
  5. Don’t use names and numbers or dates unless you intersperse the number within the name. “Jordan23” is very common, but “J2or3dan” would be much stronger.

This strategy is just one of several that people use to remember strong passwords that can be used on multiple sites. The chances of someone guessing it are small, and even a sophisticated program would have a hard time identifying it.

Finally, don’t depend on the strength of the password to protect you. Never share it or leave it in plain sight. Contrary to popular belief, it is not a sin to write down a password. In fact, the strongest passwords used by high security organizations are written down, sealed in a tamper-proof envelope and stored in a safe. You may not have to go quite that far, but if you are prone to forgetting them, you are allowed to keep them in a secure location… as long as you can remember where it is.