Internet Security: Password Best Practices

Wednesday, Apr 21, 2004

Your Key to Peace of Mind

For most people -- or at least those without Star-Trek style retinal scanners or fingerprint devices -- a password is all that stands between the world and your data. A malicious or curious intruder can get access to sensitive email, financial information, or confidential business data simply by guessing or breaking your account password. To prevent your accounts from being compromised, it is important to follow best practices for password management.

First, always change your password from the default. The password that comes with a system is normally the first one that an intruder will try. This problem persists even in "high-security" organizations. For example, Richard Feynman, the Nobel-prize winning physicist who worked on the atomic bomb, made a hobby of cracking safes. He was amazed at the number of safes at the secure research center in Los Alamos -- many of which contained thousands of sensitive, top-secret documents -- which were "secured" with the default combination from the factory. Always change your password to close this easily-exploitable security hole.

Second, choose a "strong" password. A strong password is one that is not easily guessed, either by a person or by a program. Too many users pick passwords that are trivially discerned. For example, the first things an intruder will try are your login ID, your login ID reversed, or a family name or middle name, all of which may be obtainable through other means. Password-cracking programs go further: they quickly try every word in a dictionary -- in any language -- along with common variations such as capitalized or reversed words and appended digits, so a dictionary word dressed up with a number on the end does not help. Thus, choose a password that is genuinely strong: not a word, not a name, and a mix of uppercase letters, lowercase letters, and numbers. Length matters as much as variety; every additional character multiplies the number of guesses a cracking program must make.

One of the best ways to create a password that is strong and yet still easy to remember is to use a mnemonic. For example, take the first letter of every word in a line from one of your favorite songs, capitalize a few of the letters, and follow them with a couple of digits. Using this method could result in the password "wwyaMC25" -- which looks like gibberish, but is actually easy to remember once you realize that it stands for "We Wish You A Merry Christmas".
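The two preceding paragraphs describe both sides of the problem: the cracking programs that run through dictionary words and their variations, and the mnemonic method that defeats them. The script below is an added example, not code from the original article, that puts the two side by side. It builds a mnemonic password from a phrase, checks a candidate against the rules the article lists (not the login ID, not the login ID reversed, not a dictionary word, mixed case plus digits), and then runs a miniature dictionary attack with typical mangling rules against a SHA-256 hash of the password. The word list, the login ID "jsmith", and the use of an unsalted SHA-256 as the stored hash are all constructed for the demonstration; real word lists hold millions of entries and real systems should store salted, slow hashes.

```python
import hashlib
import re

# Constructed stand-in for a real cracking word list (a handful of entries only).
WORDLIST = ["password", "secret", "letmein", "christmas", "merry", "welcome", "admin"]


def mnemonic_password(phrase, suffix=""):
    """Take the first letter of every word in `phrase`, keeping each word's
    capitalisation, and append `suffix` (e.g. a couple of digits)."""
    initials = "".join(word[0] for word in phrase.split() if word[0].isalpha())
    return initials + suffix


def weaknesses(password, login_id, wordlist=WORDLIST):
    """Return the list of rules from the article that `password` violates.
    An empty list means the password passes every check."""
    lowered = password.lower()
    # Cracking rules strip trailing digits, so "Christmas25" is judged as "christmas".
    core = re.sub(r"\d+$", "", lowered)
    found = []
    if core in (login_id.lower(), login_id.lower()[::-1]):
        found.append("derived from login ID")
    if core in (word.lower() for word in wordlist):
        found.append("dictionary word")
    if len(password) < 8:
        found.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        found.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        found.append("no lowercase letter")
    if not re.search(r"\d", password):
        found.append("no digit")
    return found


def sha256_hex(text):
    """Unsalted SHA-256, standing in for whatever hash a system stores (constructed)."""
    return hashlib.sha256(text.encode()).hexdigest()


def candidate_guesses(wordlist, login_id):
    """Yield guesses the way a cracker's mangling rules would: each dictionary
    word plus the login ID, in lower/Capitalized/UPPER/reversed form, bare and
    with every one- or two-digit suffix appended."""
    for base in list(wordlist) + [login_id]:
        variants = {base.lower(), base.capitalize(), base.upper(), base[::-1]}
        for variant in variants:
            yield variant
            for n in range(100):
                yield f"{variant}{n}"
                yield f"{variant}{n:02d}"


def dictionary_attack(target_hash, login_id, wordlist=WORDLIST):
    """Hash every candidate guess and return the one matching `target_hash`,
    or None if the password is outside the dictionary-plus-mangling space."""
    for guess in candidate_guesses(wordlist, login_id):
        if sha256_hex(guess) == target_hash:
            return guess
    return None


def demo():
    """Run the checks over three constructed passwords for user 'jsmith'."""
    login_id = "jsmith"
    strong = mnemonic_password("we wish you a Merry Christmas", "25")  # "wwyaMC25"
    results = {}
    for candidate in ["htimsj", "Christmas25", strong]:
        results[candidate] = {
            "weaknesses": weaknesses(candidate, login_id),
            "cracked_as": dictionary_attack(sha256_hex(candidate), login_id),
        }
    return results


if __name__ == "__main__":
    for password, outcome in demo().items():
        print(f"{password:12s} weaknesses={outcome['weaknesses']} cracked_as={outcome['cracked_as']!r}")
```

Running the demo shows why the rules are what they are: "htimsj" (the login ID reversed) and "Christmas25" (a dictionary word with digits appended) both fail the checks and both fall to a few thousand hash computations, while the mnemonic "wwyaMC25" passes every check and is never reached, because its core is not a word that any dictionary contains.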

Third, don't write your password down. The fastest way into someone else's account is to find the password jotted on a yellow sticky pasted to the monitor or on the underside of a desk drawer. Using mnemonics makes your password easy to remember: don't ruin a good password by making it easily visible to an intruder.

Fourth, change your password regularly. Even the strongest password is worthless once a third party has obtained it, and you may never find out that it has. Changing it to a new password unrelated to the old one means an intruder who holds the old password must start over from scratch, which limits how long a stolen password stays useful and how much damage it can do. Change it immediately if you have any reason to suspect it has been exposed.

Finally, never reveal your password to anyone. The easiest way to break into an account is "social engineering" -- simply convincing the account holder to hand over the sensitive information the intruder needs. Legitimate systems administrators and help desk personnel do not need your password: any change that needs to be made can be made internally, or they can reset the password to something else.

While no system is entirely secure, using these password-selection best practices can drastically reduce the chance of an intruder compromising your account and obtaining valuable information. Until all computers come with biometric security, a strong password is a good first step towards protecting your data!

