Creating Effective Passwords

It’s like a recurring nightmare—the whole issue of passwords simply won’t go away. People continue to use really awful passwords like secret and password because they’re easy to remember and they view passwords as a pain. A user will rely on the same password for everything, so once a hacker figures the password out, every resource the user can access is wide open. To make sure everyone can access the user’s account, the password often appears on post-it notes and in other obvious places. Of course, the user never, ever changes the password so once a hacker gains access, the accounts will remain open forever. This is just the tip of the password complaint iceberg.

Microsoft and other vendors are trying to remedy the situation by using biometric data or smart cards. The problems with smart cards are that they’re easily copied and even easier to lose. A lot of organizations have tried smart cards and found them to be less than ideal. Biometric data is just as bad. There are ways of easily thwarting fingerprint scanners today. Of course, once a fingerprint is hacked, you can’t change it. Fingerprints are unique, but using just a fingerprint means that everyplace you log in effectively uses the same password. So, once someone does hack your fingerprint, they can access absolutely everything you can. To overcome the issues with a single biometric, some researchers are now suggesting the use of a Multi-Biometric Authentication System (MBAS), which is also called a Multimodal Biometric Authentication System. So, how you have a really expensive, overly complex system that is bound to have a high failure rate.

The problem with all the various lines of thought out there now is what I call the magic bullet syndrome. Someone thinks that there is a solution that will somehow thwart the bad guys. Unfortunately, history proves that the bad guys always come up with a way to storm the gates and that any wall you build will prove too low at some point. I’ve advocated the passphase system for years because you can create passwords that are both strong and easy to remember. Passphrases can be quite long, complex, and still make it easy for someone to enter correctly nearly every time. In addition, you can change passphrases with the same ease that you can a password. Changing your password or passphrase relatively often means that even if hacker does gain access to an account, it’s unlikely to remain open to them. Still, no solution is perfect, which is why security monitoring is an essential part of any security solution.

Of course, whether you use a password or a passphrase, you need to know that it’s strong enough to keep hackers at bay, at least for a while. Therein lies another problem. According a recent ComputerWorld article, many of the password strength meters out there are giving users a false sense of security. They really don’t tell you that your password or passphrase is strong enough to withstand easy attack. When creating a password or passphrase, avoid using words that are spelled precisely the same as they are in the dictionary. For example, you could replace the letter E with the number 3. Make sure the passphrase is relatively long and complex. It should include spaces (when allowed) and special characters (such as the ampersand, &). Use a combination of uppercase and lowercase letters. Include numbers. Misspell a word or two, such as “MiG00dPassphras3”. The point is that you want to make things hard on your attacker, but still easy to remember.

When all is said and done, your best defense against hackers is vigilance. It doesn’t matter whether you use passwords, passphrases, smart cards, or biometrics. If someone really wants to gain access to your account, you have to assume they’ll be successful. Don’t believe in magic bullet solutions because they really don’t exist no matter what someone might try to tell you. Make sure you change your login information on a regular basis and keep an eye on the resources you use. Report any suspicious activities that you find. In short, don’t assume that you’re safe because you really aren’t. Let me know your thoughts about passwords, passphrases, smart cards, and biometrics at John@JohnMuellerBooks.com.