09 January 2011

Art and science of effective passwords

In our digital lifestyle, our privacy and secrets are most often protected by a username and password (or a PIN, in the case of card-based transactions).

On average, more than ten different passwords have to be memorized: internet accounts, office and personal email, social media platforms, online financial and utility accounts, membership logins, and so on.

Life was easy when we could assume that having a password was enough once and for all. Unfortunately that is no longer the case. We risk financial or reputational loss, and even the loss of our own identity, if our private details are exposed to the wrong people.

Often we use simple passwords built from our initials and details of our date of birth, a mere 5 to 6 characters long. Many people find it more convenient to keep the default password, or to use ‘password’ itself. Imagine how simple, and how dangerous, that is if it applies to your online banking or email account.

We often come across long lists of “don’ts” about secure passwords: never use your name or username, ‘123’, ‘test’, a pet’s name or a child’s name. Seldom is there help on how to coin safe passwords and manage them efficiently. Here is some useful information in that direction.
  • Whatever you do, make sure you can remember the password without having to write it down. The best password is simple to remember yet difficult to crack.

  • The length of your password, and the range and case of the characters in it, determine how difficult it is to guess. So use symbols, numbers and a mix of upper and lower case letters. For example, the letter ‘a’ can be replaced with ‘@’, ‘s’ with ‘$’, and so on.

  • One method of coining a good password is to start from a sentence you can easily remember, for example “My Favourite Movie Is Casablanca” or “The Best Place I have Seen So far Is Bali”. Take the first letter of each word, insert a symbol of your choice (say ‘#’) after every third letter, and a number of your choice (say ‘3’) after every fifth letter. A password like ‘Tbp#ih3$#$fi#5B’ is almost impossible to guess.

  • Another easy technique is to take two totally unrelated words and join them with symbols and numbers while mixing lower and upper case letters. Passwords like ‘nOvember!=dEcember’ or ‘funny<$nail>Flower’ are also very good.

  • Words from a foreign language, written in English characters, can also make good passwords. This adds a new range of complexity, as a phrase in your native language cannot be guessed that easily. For example, ‘Guruk@Aashirva@d’ is simply based on a Hindi phrase with the symbol ‘@’ substituted for the first and last occurrence of the letter ‘a’.

  • Whatever password you create can become useless if you do not change it over time. A good level of security suggests changing it every 30 or 45 days. Systems can be configured to ‘expire’ a password after this number of days.

  • Re-use of old passwords must also be limited. It is safe to keep a history of at least the last 10 or 12 passwords before any of them can be used again.

  • The password must certainly be longer than 8 characters, and about 14 characters or more is recommended for sensitive applications.
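As an added illustration (example code written for this page, not part of the original post), the Python below carries out the sentence method from the list above and then checks the result against the list's own rules: 14 or more characters, mixed case, a digit, a symbol, and none of the “don't” fragments named earlier. The exact placement of the symbol and digit is my reading of the description and is an assumption.

```python
"""Added example, not from the original article: turn a memorable
sentence into a password and check it against the article's rules."""
import re
import string

# Fragments the article tells readers never to use.
WEAK_FRAGMENTS = ("password", "123", "test")


def sentence_to_password(sentence: str, symbol: str = "#", digit: str = "3") -> str:
    """Take the first letter of every word (keeping its case), then insert
    `symbol` after every 3rd letter and `digit` after every 5th letter.
    Assumption: nothing is appended after the final letter."""
    letters = [w[0] for w in sentence.split() if w[0].isalpha()]
    out = []
    for i, ch in enumerate(letters, start=1):
        out.append(ch)
        if i % 3 == 0 and i < len(letters):
            out.append(symbol)
        if i % 5 == 0 and i < len(letters):
            out.append(digit)
    return "".join(out)


def check_password(pw: str, min_len: int = 14) -> list:
    """Return the article's rules that `pw` fails (empty list = passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[a-z]", pw) or not re.search(r"[A-Z]", pw):
        problems.append("not mixed case")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if any(frag in pw.lower() for frag in WEAK_FRAGMENTS):
        problems.append("contains a well-known weak fragment")
    return problems


if __name__ == "__main__":
    for s in ("My Favourite Movie Is Casablanca",
              "The Best Place I have Seen So far Is Bali"):
        pw = sentence_to_password(s)
        print(f"{s!r} -> {pw!r}: {check_password(pw) or 'passes all rules'}")
```

Run as a script, the five-word Casablanca sentence yields only six characters and fails the length rule, while the ten-word Bali sentence reaches the 14-character mark: sentence length, not the symbol trick, is what does most of the work.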

In conclusion, no password is uncrackable; the best we can do is make it more difficult to crack in terms of effort and time. Simple and obvious errors, like post-it notes with passwords stuck under keyboards, must be avoided.

Sharing a password with someone is the same as broadcasting it publicly; it is no longer a secret. The worst password is the one you forget, while the best password is simple to remember yet cannot be guessed easily.


Asim said...

Useful article about the use and secrecy of passwords.

Keith said...

Some good advice, but –

Many on-line banks and other web services will only accept simple letters & numbers – no other characters.

Most also demand a minimum of 6 and a maximum of 8 characters. (Most bank PIN codes are only 4 or 6 numbers, sufficiently secure without any additional letters or characters.)

And if it’s too complex, e.g. Tbp#ih3$#$fi#5B (the given example), you have to write it down – defeating the objective.

And if it’s too complex, it will be slow to type. For security, if someone is looking over your shoulder, it should be possible to type it fast so the person cannot read your keystrokes.

There should be NO need to change a secure password. NONE of my on-line banks ever ask me to change a password. Changing a password monthly increases the possibility for confusion, requiring it to be written down and reducing security.

One detail missing from the advice: e-mail passwords MUST be different from all other passwords, and your bank passwords different from all others.

And if it’s good for my bank, it must be secure.

sajeevkmenon said...

Useful post on passwords for secure transactions. Liked the idea of using first letters to remember.