Tuesday, March 16, 2010

Password management: Creating Secure Passwords you can Remember

Microsoft Chairman Bill Gates declared the password dead. He told his audience that the password can't meet the challenge of keeping sensitive information protected, saying "People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."

That was six years ago at the 2004 RSA Security Conference. Paraphrasing some wisdom from Samuel Clemens, the rumors of the password's demise have been greatly exaggerated. It is still the primary security control used to protect data, accounts, and pretty much everything else on a computer.

Gates may have been premature in calling the time of death on the password, but his assessment of why the password is inadequate as a security control was accurate. A study of more than 30 million passwords exposed when Rockyou.com was hacked found that almost half used names, common dictionary words, or sequential characters like "qwerty".

Fingerprint scanners and other biometric controls are becoming more mainstream, but the password will still be the main barrier between hackers and your data for the foreseeable future. With that in mind, here is how to create a secure password that you can actually remember in "12345" easy steps.

1. No Personal Information. Any novice hacker can easily find out your full name, the names of your spouse or children, your pets, or your favorite sports teams. Never choose a password that has anything to do with you personally.

2. No real words. Let's take that a step farther. Not only should you not use your name or your pet's name, you shouldn't use any actual word that can be found in a dictionary. Passwords like that can be easily cracked by password software.

3. Mix Character Types. Passwords are almost always case-sensitive, so use both upper and lower case letters to make it more difficult. To really make it complex, be more creative than just capitalizing the first letter. For example, do "paSswoRd" instead of just "Password". Better yet, throw in some numbers and special characters to substitute for letters, and do "p@Ssw0Rd".

4. Use a Passphrase. Scratch that. Some password cracking utilities are also smart enough to use common character substitutions for common words. Cracking "p@ssw0rd" may take longer than cracking "password", but it will still be relatively trivial to crack because, special characters or not, the password is still "password".

Instead, take your favorite line from a movie, song, or book and convert it to a passphrase. If you like the scene from A Few Good Men when Jack Nicholson is on the stand, take the line "You want the truth? You can't handle the truth!" and convert it to "Ywtt?Ychtt!". It has upper case and lower case letters, as well as special characters. It is not a word appearing in any dictionary, yet it is simple for you to remember.

5. Use a Tool. The main reason that users choose passwords that are easy to crack is that they want to choose passwords that are easy to remember. It is obviously much easier to remember your dog's name, or type characters in the order they appear on the keyboard, like "123456", than it is to recall "a5$jgFD118@Kle45@". But, guess which one is more secure?

You can use a password management tool to store complex passwords. It has some impact on security since cracking the password to access the password management tool grants access to all the rest of the passwords, but it does enable you to use stronger passwords for various Web sites, accounts, and applications without having to remember them all.

Windows has included a Credential Manager utility since Windows XP that lets users save passwords and provides a single sign-on solution. Logging in to Windows unlocks the vault and automatically applies the credentials from the vault as needed to access sites and applications.
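To make rules 1 through 4 checkable, here is a small Python checker added for this post (it is not IT World's or the article's code): it undoes the common character substitutions that cracking rule sets try, flags dictionary words, keyboard sequences and weak character mixes, and builds the step 4 acronym passphrase from a memorable line. The wordlist and substitution table are constructed placeholders, not a real cracking dictionary.

```python
import string

# Constructed sample wordlist; a real checker would load a full cracking dictionary.
DICTIONARY = {"password", "letmein", "qwerty", "football", "monkey", "dragon"}

# Substitutions a cracking tool undoes (assumed set for this example, not from the article).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Undo l33t substitutions and case, the way a rule-based cracker would."""
    return password.translate(LEET_MAP).lower()


def char_classes(password: str) -> int:
    """Count how many of lower, upper, digit, punctuation appear (rule 3)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in cls for c in password) for cls in classes)


def is_sequential(password: str) -> bool:
    """Detect keyboard rows and ascending runs such as '123456' or 'qwerty' (rule 2)."""
    p = password.lower()
    rows = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789", string.ascii_lowercase)
    return len(p) >= 4 and any(p in row for row in rows)


def check_password(password: str, personal=()) -> list:
    """Return the article rules the candidate violates; an empty list means it passes."""
    problems = []
    base = normalize(password)
    if any(word.lower() in base for word in personal):
        problems.append("rule 1: contains personal information")
    if base in DICTIONARY:
        problems.append("rule 2/4: dictionary word after undoing substitutions")
    if is_sequential(password):
        problems.append("rule 2: sequential characters")
    if char_classes(password) < 3:
        problems.append("rule 3: fewer than three character types")
    return problems


def passphrase_acronym(phrase: str) -> str:
    """Keep the first letter of each word plus trailing punctuation, as in step 4."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        if len(word) > 1 and word[-1] in string.punctuation:
            out.append(word[-1])
    return "".join(out)
```

Running `check_password("p@Ssw0Rd")` reports the dictionary hit even though all four character classes are present, while the acronym of the Jack Nicholson line passes every rule.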

IT World
