Password security in some form or another is ingrained into our society as the "de facto" method of authenticating identity. Passwords are everywhere: email, online banking, or even just logging into your computer at home, work, or school. Stop for a minute, though, and let's think about why we want good passwords, what goes into making a good password, and what good password practices look like.
But Why?
Besides the obvious reason of "to keep people out", why would we want to use a good password? If the person doesn't know you personally, the chances of them guessing your password are already 2^10 times harder (not a scientific number). Your chain is only as strong as your weakest link; if you are using a weak password, then you can usually be sure that is the weakest link. Remember, these passwords are what keep Jimmy McThief from becoming Jerry Martin (identity theft, duh!) through some simple tactics.
Passwords, when stored, are usually kept encrypted on a computer through some method or another. This means that when my password is 'password' it becomes 'Ne093mS372kshgakjdSD', so that if someone were to look at the file that had your password they would see a whole mess of letters and numbers and have no clue what it means. So how does someone get your password if it is saved in a way that can't be read? They guess. Over and over and over again until they get it right, give up, or get caught. Since they are using a "guess and check" method, so to speak, their chances of guessing are actually fairly low. With a strong password, however, their chances are even lower. These "crackers" often use special software to automatically guess the password up to hundreds of times per second.
What makes a good password?
There are several elements that go into making a good password:
- Length of the password
- Complexity
- Pseudo-random factor
- Easily Remembered
When considering the length of your passwords you should go with a default minimum of 10 characters rather than 8 or 6. With a 10 character password you are exponentially increasing its natural complexity. As far as complexity goes, you want to have a mix of capital letters (A-Z), lower case letters (a-z), numbers (0-9), and symbols (!@#$%^&<>? etc...). The inclusion of symbols is in fact possibly the most important, because just one symbol can increase the factor of a password's complexity by several thousand.

Then, if you have that mix, what good is it if it is just something like 'QWEtyu123$'? Good passwords are pseudo-random, or seemingly random. For instance, the phrase "Publix where shopping is a pleasure" could become the password 'pwsiap'. This is still too short, since it is only 6 characters long, but it is seemingly random. So now let's make it better. Let's add some capitals and we get 'PwsIap'. Better, but still too short, and there are no numbers or symbols. So let's add some numbers and symbols and make it longer all at the same time, and we get something like '20PwsIap)*'. The numbers 20 and the symbols ')*' stand for 2008 (')' and '*' are Shift-0 and Shift-8 on a US keyboard). This password (although not the best) meets all our criteria: it is 10 characters long, has 2 numbers, 2 capitals and 2 symbols, and is seemingly random.
However, what good is a strong password if you can't remember it? That is why we used the phrase to generate our letters. This way the phrase serves as a reminder of the password without giving it away. You can write the reminder down with "'08" on it and be confident that no one will know what it really means, other than guessing "I guess the first time they heard that on a commercial was in '08." You can also take the random-password approach by using a service that generates random passwords. These can be tailored to your security needs based on length and complexity.
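To put numbers on the criteria above, here is an added example (mine, not code from the original post) that computes the worst-case guess count and cracking time for each step of the 'pwsiap' to '20PwsIap)*' progression at the guess rate the post mentions. It assumes a 32-character US-ASCII symbol set and treats a password as drawn at random from the character classes it uses, so it cannot see that 'QWEtyu123$' is a keyboard walk.

```python
import math
import string

# Character classes as the post lists them (example code added for this post, not from the original).
CLASSES = {
    "lower": set(string.ascii_lowercase),   # a-z (26)
    "upper": set(string.ascii_uppercase),   # A-Z (26)
    "digit": set(string.digits),            # 0-9 (10)
    "symbol": set(string.punctuation),      # !@#$%^&<>? ... (32, assumed US-ASCII set)
}

def classes_used(password):
    """Which of the four classes the password actually draws from."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}

def alphabet_size(password):
    """Size of the pool an attacker must search once they know which classes appear."""
    return sum(len(CLASSES[name]) for name in classes_used(password))

def keyspace(password):
    """Guesses needed in the worst case: pool size raised to the length."""
    return alphabet_size(password) ** len(password)

def entropy_bits(password):
    """Same figure expressed in bits, the usual way strength is compared."""
    return math.log2(keyspace(password))

def worst_case_years(password, guesses_per_second):
    """Time to exhaust the keyspace at a given guess rate (assumes truly random choice)."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)

def meets_criteria(password, min_len=10):
    """The post's checkable criteria: minimum length plus all four character classes."""
    used = classes_used(password)
    checks = {name: name in used for name in CLASSES}
    checks["length"] = len(password) >= min_len
    return checks

if __name__ == "__main__":
    rate = 500  # "hundreds of guesses per second", as the post puts it
    # The post's own progression, plus its keyboard-walk counterexample.
    for pw in ["pwsiap", "PwsIap", "20PwsIap)*", "QWEtyu123$"]:
        ok = all(meets_criteria(pw).values())
        print(f"{pw:12} pool={alphabet_size(pw):3} bits={entropy_bits(pw):5.1f} "
              f"years@{rate}/s={worst_case_years(pw, rate):.2e} criteria={'pass' if ok else 'fail'}")
    # 'QWEtyu123$' scores the same as '20PwsIap)*' here because this model assumes
    # random choice; it cannot see a keyboard walk, which is exactly why the post
    # insists on a pseudo-random source such as a phrase.
```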
Good Password Practices
This flows right into my next point: the way a password is stored is very important. Most places (online servers, desktops, laptops) will store your login passwords encrypted or hashed. This is to keep people from reading your password directly. However, in programs like Internet Explorer or Outlook, your passwords are stored as plain text, meaning that when you put in your password for a website or an email account and then save it, it is saved on your computer as whatever the password is (just like these words now). So if your password to your email is 'Pass123$' then it is stored on your computer as 'Pass123$', not 'N8sg83Js9jhsJkAsJ' as it would be on a server. More importantly, anyone who can physically access your computer can easily grab these passwords in less than 10 minutes. This is why it is good to take countermeasures by using applications like Thunderbird for email and Firefox or Opera for web browsing, since they both support "Master Passwords", which save your passwords encrypted using one password to rule them all (bad LOTR joke).
There are also several programs that can keep your passwords stored encrypted for programs that don't (or even if they do!) have that option. This is a double-edged sword: on the one hand it is safe because it is encrypted and gives you one easy central location for password management. On the other hand, it is one central place for password management. It's like a bank vault: yes, it is secure, but it is also the target of assault. One of these programs is called KeePass. KeePass has a whole bunch of features and is cross platform. They have installs for Windows, Mac, Linux, Blackberry, and USB sticks, to name a few. Not to mention it is free to use and open-source (OSI Certified). Of course, another option would be to encrypt your hard drive; that way, even if a password is stored in plain text as far as your operating system goes, it is not plain text as far as the actual data on the hard drive is concerned.
How Secure is your Password?
So you think you have a good password, right? Put it to the test at The Password Meter. This is not the only one out there, but it is a good one for our purposes. It does not support passwords longer than 16 characters, but it does tell you what adds or decreases security with an instant-feedback point system. The Password Meter is great for computer logins but not so much for encryption passwords. To make a good password for encryption purposes, test it against this Strength Test.
More information
- Wikipedia - Password Strength
- Wikipedia - Encryption
- Images from Flickr