
Section III: Passwords

Your username and password authenticate your login. Your password is your first line of defense. Your password is also your last line of defense if firewalls are breached.

Username and password are the most common form of authentication. A username and password combination is how the computer knows that you are who you claim to be. Because passwords are such an important system protection mechanism, there are some special precautions that should be taken in choosing, using, and protecting your passwords. In this awareness area, we will explore some of those precautions. Good passwords are one of the primary components of a good security system. Computer accounts, databases, and even some Web sites use them to limit access to authorized users. If you do not take this access control device (the password) seriously enough, you can unknowingly create a significant vulnerability that ill-intentioned people can take advantage of. Be aware that a compromised password does not just let people access your data; it also potentially gives them access to every resource your account can reach. At home this may include your bank; at work, your co-worker's data.


How do I pick a "strong" password that I can remember?

The number one password mistake made by users is the choice of a "weak" password. When asked why, most people answer that they want a simple password they can remember. First, let's look at what makes a weak password, then we will look at how to make a strong password, and finally, we will show some tips for remembering strong passwords.

Weak passwords might:

  • contain fewer than eight characters
  • be found in ANY dictionary
  • be a common usage word such as:
    • Names of family, sports teams, characters, etc.
    • Proper names, fantasy characters and words from any dictionary (including Klingon). For example, the name of Gandalf's horse, "Shadowfax".
    • Birthdays, pets, friends, hobbies or personal information
    • Computer terms and names
    • Word or number patterns, including slang or profanity
    • The above items spelled backward or with a preceding or following digit

Please take a moment to compare the characteristics above against your password(s). Make sure that your password isn't weak. If you discover that it is, the following information will show you how to create a stronger one.

Strong passwords might:

  • meet minimum length requirements of 8 or more characters
  • use upper- and lower-case letters and embedded numbers
  • use special symbols like punctuation
  • employ mnemonics like song titles or catch-phrases and strengthen with a mixture of upper- and lower-case letters, numeric characters, and punctuation symbols

Your goal is to choose a password that will take a very, very long time for hacker programs to guess or crack. It is possible to add some real "staying power" to your password. However, while most people have no problem creating such a password, remembering it is quite another problem. Writing it down might be a bad idea; putting a sticky note on the side of your monitor or under the keyboard is a very bad idea!


So, what can you do to remember strong passwords?

Your own inside joke will give you an easy-to-remember password that will make your system administrator proud! Ready? Look at the following examples. You can create a strong password and have fun doing it!

  • Think of your favorite movie. Now think of the star. Every star in every movie has a catch-phrase. As an example, think of Arnold Schwarzenegger's "I'll be back!" It is easy to remember, 13 characters long, and gives you a strong password. However, you can get even more creative. Try "!'11b3_B@ck." This is even more complex but just as easy to remember and to type.
  • Another good mnemonic hint is to take a favorite quote and use the first letter of each word, including capitalization and punctuation, substitute numbers for a couple of the letters and create a strong password.
  • From Wernher von Braun's "Research is what I'm doing when I don't know what I'm doing." you get: "RiwI'mdwId'5kwI'md.". Not only is this a strong password, but it will make you smile as you type.
  • Or if you prefer Edward Teller's "The science of today is the technology of tomorrow." you get "Ts9t8tt9t."
  • One more example, from Ray Bradbury's "Touch a scientist and you touch a child.", can be used to create "TaS&y5ac.".
  • The above passwords are good examples that are strong and easy to remember, BUT please, do not use any of these specific passwords for yourself!!
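The weak- and strong-password checklists above and the first-letter mnemonic technique, worked through as an added Python example that is not part of the original training material. The word list, pattern list and substitution table are constructed stand-ins (a real check would load a full dictionary, as the page says, "including Klingon"), and the derivation rule (first character of each word, the quote's closing punctuation, at most two lower-case substitutions) is one assumed way of formalising the page's description; the page's own examples were built by hand and do not follow it exactly.

```python
import string

# Constructed stand-in for a real word list. The page says "ANY dictionary",
# so a real deployment would load a large list (names, slang, Klingon, ...).
CONSTRUCTED_WORDLIST = {
    "password", "shadowfax", "gandalf", "fluffy", "cowboys",
    "admin", "root", "login", "letmein", "welcome",
}
# Constructed samples of the "word or number patterns" the page warns about.
CONSTRUCTED_PATTERNS = ("12345678", "qwerty", "abcdefg", "1111")

# Assumed substitution table for the "substitute numbers for a couple of the
# letters" step; the page's own examples do not fix one. Only lower-case
# letters are substituted so the quote's capitalisation survives.
SUBSTITUTIONS = {"o": "0", "i": "1", "s": "5", "a": "@", "e": "3"}


def dictionary_forms(pw):
    """Variants the weak-password list calls out: the word itself, spelled
    backward, and with a single leading or trailing digit stripped."""
    base = pw.lower()
    candidates = [base]
    if base[:1].isdigit():
        candidates.append(base[1:])
    if base[-1:].isdigit():
        candidates.append(base[:-1])
    return candidates + [c[::-1] for c in candidates]


def weaknesses(pw, wordlist=CONSTRUCTED_WORDLIST):
    """Return the weak-password characteristics a candidate exhibits
    (an empty list means none of the listed weaknesses apply)."""
    found = []
    if len(pw) < 8:
        found.append("shorter than 8 characters")
    if any(form in wordlist for form in dictionary_forms(pw)):
        found.append("dictionary word, possibly reversed or with a digit added")
    if any(p in pw.lower() for p in CONSTRUCTED_PATTERNS):
        found.append("common word or number pattern")
    return found


def missing_classes(pw):
    """Character classes the strong-password list asks for that are absent."""
    classes = {
        "upper-case": string.ascii_uppercase,
        "lower-case": string.ascii_lowercase,
        "digit": string.digits,
        "punctuation": string.punctuation,
    }
    return [name for name, chars in classes.items() if not set(pw) & set(chars)]


def is_strong(pw):
    """Strong in the page's sense: no listed weakness and every class present."""
    return not weaknesses(pw) and not missing_classes(pw)


def mnemonic_password(quote, max_subs=2):
    """Derive a password from a quote: the first character of each word
    (keeping its case), the quote's closing punctuation, then up to
    `max_subs` lower-case letter substitutions from SUBSTITUTIONS."""
    core = "".join(word[0] for word in quote.split())
    closing = quote.rstrip()[-1:]
    if closing and closing in string.punctuation:
        core += closing
    out, subs = [], 0
    for ch in core:
        if subs < max_subs and ch in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[ch])
            subs += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for candidate in ["Fluffy", "xafwodahS1", "Ts9t8tt9t."]:
        print(candidate, weaknesses(candidate), missing_classes(candidate))
    # Constructed quote; not one of the page's examples.
    quote = "Measure twice, cut once, and keep the backups offline."
    derived = mnemonic_password(quote)
    print(quote, "->", derived, "strong:", is_strong(derived))
```

Note that "xafwodahS1" is flagged even though it is not itself in the word list: stripping the trailing digit and reversing it recovers "shadowfax", which is exactly the "spelled backward or with a following digit" case the weak-password list describes. The derivation step keeps the upper-case first letter untouched so that the result still satisfies every character-class requirement; if the table were applied to capitals as well, a quote starting with "A" or "I" could lose its only upper-case letter.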

The table above shows you that longer passwords are harder to break.


At this point, you should understand that choosing a strong password is a very important part of operating a computer securely. You've probably also noted that the length and complexity requirements of strong passwords make them difficult to remember. Be honest, have you ever written down a password because you were afraid of forgetting it? Sure, everyone has done this at one time or another. Writing down passwords or saving them in a file subverts the purpose of creating strong passwords in the first place. Many individuals have so many accounts that they cannot resist writing them down. As you move to stronger passwords and the requirement to change them more frequently, good password management techniques become more important. If your memory is shorter than your password, consider writing down password "hints" instead of the password itself. If you have many accounts (and many passwords), consider using a secure (approved) password storage program on your workstation or PDA. It is always important to remember that even at home you should practice good password management.

Recommendations for Secure Password Management:

  • Do not write down a password
  • Write down obscure password "hints" if needed
  • Use a file vault, keychain or some sort of secure password keeper or manager, such as KeePass.

As you move around your organization or home, take a moment to look at "post-it" notes on monitors, keyboards, bulletin boards, and calendars. Could those be passwords? Writing down a password violates your work policy. It also invokes the ire of the system administrator and security personnel. Writing it down at home is no more secure and should be avoided.

One final warning on passwords: avoid using the same password (even if very strong) on multiple accounts. This is especially true for home use. Your banking password should never be the same as the one you use for Netflix or PayPal.