Creating Effective Passwords

It’s like a recurring nightmare: the whole issue of passwords simply won’t go away. People continue to use really awful passwords like secret and password because they’re easy to remember and they view passwords as a pain. A user relies on the same password for everything, so once an attacker figures that one password out, every resource the user can access is wide open. The password often ends up on a post-it note stuck to the monitor or in some other obvious place, where anyone walking past can read it. And the user never, ever changes it, so once an attacker gains access, the accounts stay open indefinitely. This is just the tip of the password complaint iceberg.

Microsoft and other vendors are trying to remedy the situation with biometric data or smart cards. The problem with smart cards is that they’re easy to lose, and a lost or stolen card is a usable credential until someone notices and revokes it. A lot of organizations have tried smart cards and found them less than ideal. Biometric data has its own problems. There are well-documented ways of fooling fingerprint scanners with a lifted print, and once a fingerprint is compromised, you can’t change it. Fingerprints are unique, but using just a fingerprint means that every place you log in effectively uses the same password, so once someone does spoof your fingerprint, they can access absolutely everything you can. To overcome the issues with a single biometric, some researchers now suggest a Multi-Biometric Authentication System (MBAS), also called a Multimodal Biometric Authentication System. So now you have a really expensive, overly complex system that is bound to have a high failure rate.

The problem with all the various lines of thought out there now is what I call the magic bullet syndrome. Someone thinks that there is a solution that will somehow thwart the bad guys. Unfortunately, history proves that the bad guys always come up with a way to storm the gates and that any wall you build will prove too low at some point. I’ve advocated the passphrase system for years because you can create passwords that are both strong and easy to remember. Passphrases can be quite long and complex, yet still easy for someone to enter correctly nearly every time. In addition, you can change a passphrase with the same ease that you can a password. Changing your password or passphrase relatively often means that even if an attacker does gain access to an account, it’s unlikely to remain open to them. Still, no solution is perfect, which is why security monitoring is an essential part of any security solution.

Of course, whether you use a password or a passphrase, you need to know that it’s strong enough to keep attackers at bay, at least for a while. Therein lies another problem. According to a recent ComputerWorld article, many of the password strength meters out there are giving users a false sense of security. They don’t tell you whether your password or passphrase is strong enough to withstand even an easy attack, because most of them simply count characters and character classes. When creating a password or passphrase, avoid using words spelled precisely as they appear in the dictionary; for example, you could replace the letter E with the number 3. Be aware, though, that cracking tools apply exactly these substitutions as rules, so a swap like that adds far less strength than a meter suggests. Make sure the passphrase is relatively long and complex. It should include spaces (when allowed) and special characters (such as the ampersand, &). Use a combination of uppercase and lowercase letters. Include numbers. Misspell a word or two, such as “MiG00dPassphras3”. The point is that you want to make things hard on your attacker, but still easy to remember.
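To show why a strength meter can mislead you, here is an added example (my own illustration, not code from the original post) that scores a few passwords two ways: the naive way a character-class meter does, and the way a wordlist-plus-rules cracker does, by undoing common leet substitutions and matching dictionary words. The 50,000-word dictionary size, the tiny constructed word set that stands in for it, and the one-bit cost per rule are all assumptions, labelled as such in the code.

```python
"""Added example (not from the original post): why a character-class strength
meter overstates passwords like "MiG00dPassphras3". It compares the meter's
naive estimate with a pattern-aware one that undoes common leet substitutions
and matches dictionary words, the way a rule-based cracker does."""

import math
import string

DICTIONARY_SIZE = 50_000                 # assumption: entries in the cracker's wordlist
WORD_BITS = math.log2(DICTIONARY_SIZE)   # ~15.6 bits to guess one listed word
CHAR_BITS = math.log2(95)                # ~6.6 bits to guess one printable ASCII character

# Constructed stand-in for the wordlist; a real one holds every dictionary word and more.
WORDS = {"my", "good", "pass", "phrase", "passphrase", "elephant", "green",
         "hello", "yellow", "car", "is", "great", "secret", "password"}

# Substitutions every cracking rule set tries; undoing each one is cheap for the attacker.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "8": "ate"}


def naive_bits(pw: str) -> float:
    """What a character-class meter reports: len * log2(size of the classes used)."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    size = sum(n for chars, n in classes if any(c in chars for c in pw))
    return len(pw) * math.log2(size) if size else 0.0


def normalize(pw: str):
    """Lower-case and undo leet substitutions; return (text, substitutions made)."""
    out, subs = [], 0
    for c in pw.lower():
        if c in LEET:
            out.append(LEET[c])
            subs += 1
        else:
            out.append(c)
    return "".join(out), subs


def segment_bits(text: str):
    """Cheapest way to spell `text` as dictionary words plus loose characters
    (dynamic programming over positions); returns (bits, number of tokens)."""
    n = len(text)
    best = [math.inf] * (n + 1)
    tokens = [0] * (n + 1)
    best[0] = 0.0
    for i in range(n):
        # Option 1: treat text[i] as a loose character.
        if best[i] + CHAR_BITS < best[i + 1]:
            best[i + 1], tokens[i + 1] = best[i] + CHAR_BITS, tokens[i] + 1
        # Option 2: consume a whole dictionary word (2+ letters) starting at i.
        for j in range(i + 2, n + 1):
            if text[i:j] in WORDS and best[i] + WORD_BITS < best[j]:
                best[j], tokens[j] = best[i] + WORD_BITS, tokens[i] + 1
    return best[n], tokens[n]


def pattern_bits(pw: str) -> float:
    """Attacker's cost via wordlist + rules: word/char tokens, plus (assumption) one
    bit per substitution (rule on or off) and one per token for a capitalisation variant."""
    text, subs = normalize(pw)
    bits, ntokens = segment_bits(text)
    return bits + subs + ntokens


def estimate_bits(pw: str) -> float:
    """The attacker takes the cheaper route, so the honest estimate is the minimum."""
    return min(naive_bits(pw), pattern_bits(pw))


if __name__ == "__main__":
    for pw in ["password", "MiG00dPassphras3", "Elephant*Green?H3llo", "@f*/L12-X]"]:
        print(f"{pw:22} meter says {naive_bits(pw):5.1f} bits, "
              f"wordlist+rules needs {pattern_bits(pw):5.1f}, honest {estimate_bits(pw):5.1f}")
```

Under these assumptions the meter credits “MiG00dPassphras3” with about 95 bits, while a cracker that strips the 0/3 substitutions and finds “good” and “passphrase” in its list pays roughly 51. By contrast, three unrelated words with separators come out close to a ten-character random string (about 66 bits each), which is the case for passphrases made in the next posts.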

When all is said and done, your best defense against hackers is vigilance. It doesn’t matter whether you use passwords, passphrases, smart cards, or biometrics. If someone really wants to gain access to your account, you have to assume they’ll be successful. Don’t believe in magic bullet solutions because they really don’t exist no matter what someone might try to tell you. Make sure you change your login information on a regular basis and keep an eye on the resources you use. Report any suspicious activities that you find. In short, don’t assume that you’re safe because you really aren’t. Let me know your thoughts about passwords, passphrases, smart cards, and biometrics at



Your Security is an Illusion

I receive a number of queries about security from administrators and users every month, and many of these questions relate to security incidents that have occurred recently, everything from National Security Agency (NSA) spying to the Target security breach (incidentally, a number of other businesses have been attacked in the same manner). The fact of the matter is that books such as Administering Windows Server 2008 Server Core, Microsoft Windows Command Line Administration Instant Reference, and Windows 8 for Dummies Quick Reference have been telling you all along that security is a matter of vigilance, and that software will never do the job alone. Even so, readers keep sending requests for some sort of magic bullet that will allay all their fears and make the task of security automatic.

Maintaining a reasonably secure system is a matter of observing personal, data, and system-wide best practices. Many other authors have listed these best practices in the past, but here are some of the techniques that people fail to use most often:


  • Use complex passwords that are easy to remember so you don’t need to write them down—consider using a passphrase whenever possible.
  • Change your password reasonably often and don’t rely on the same set of passwords all the time.
  • Keep your passwords secret so that no one else can abuse them.
  • Encrypt your data.
  • Perform local data backups regularly.
  • Ensure your applications remain updated with the latest security fixes.
  • Update your system as needed to ensure it provides a full set of modern security features.
  • Install security applications that check the incoming and outgoing flow of data, and block anything that looks remotely dangerous.
  • Check your system regularly for any files, folders, software, or other items that look out of place.

This list doesn’t even include some of the common user foibles, such as opening e-mail from parties they don’t know. In addition, none of these techniques are automated. You have to perform them manually in order to get the benefits they provide. Yes, it’s true that some of the techniques run automatically once you start them, but you still have to start them. For example, security software will monitor the data flow on your system by itself, but you still have to install and configure it.

Even with all of these security measures in place, someone who is truly determined can break into your system. You should simply count on it happening at some point, even if you’re incredibly careful. When a security breach does occur, you need to have a contingency plan in place.

Any good contingency plan will include a method of evaluating the damage caused by the security breach. You need to know just what was compromised and what the fallout of the compromise will be. Even individuals experience fallout from security breaches, such as identity theft. Once the damage is evaluated, you need a method for fixing the problems it has caused. In some cases, you may actually have to format the drive and start from scratch, which is where that data backup is going to become critical.

There is no magic bullet when it comes to security. Over the years I’ve searched, in vain, for a magic bullet, and it isn’t even possible to conceive of one. Therefore, the users and administrators who are best prepared for the eventuality of spying and security breaches are the ones in the best position to handle them when they happen. Let me know your thoughts on security at


The Myth of the Unbreakable Password

Complete books have been written about the topic of security and the correct way to create passwords. Each expert claims that if you only adhere to the conventions that he or she sets forth, your computer will be safe. Let me say up front that the unbreakable password is a myth. Yes, you need to come up with something a lot better than “Secret” or your birthday, but be assured that any password you use is breakable. In fact, in the real world, what you’re striving to do is create a password that takes longer to break, realizing that anyone who really wants access to your system will gain it. Commodity hardware, especially GPUs, has become so powerful that password hashes once considered safe can now be cracked in hours or days.

Many security experts want you to use completely undecipherable passwords such as @f*/L12-X]. If you can’t come up with a good password of your own, PCTools actually provides a generator to create one for you. If you’re unsure about the safety of your password, you can have it checked to determine how long it would take to crack. (Unfortunately, the number you get isn’t completely realistic: such calculators assume a brute-force search over every character, ignore wordlist and rule-based attacks, and can’t account for cracking hardware and software that improve all the time.) Of course, it is nearly impossible to remember such a password, so anyone having one is going to write it down. All someone has to do is pose as a janitor and pick up all the yellow stickies that have the password printed on them (or write them down as they pass through to avoid suspicion). For that matter, social engineering attacks can often yield passwords through a phone call in a few minutes.

Because truly secure passwords are the stuff of science fiction, other experts have come up with the passphrase. A passphrase such as “My yellow car is gr8!” theoretically has a long crack time and is easy to remember. Unfortunately, recent advances in cracking technology seem to make passphrases a bad bet too. It seems that the crackers now use grammar as part of their strategy to figure out your password. They use applications that model which words most commonly follow one another, and try the likely sequences first.

The advice today is to use unrelated words separated by special characters, something I have advocated in any book I write that contains information about security. A password like “Elephant*Green?H3llo” is far easier to remember than @f*/L12-X], but still quite secure. Even so, if someone is determined, they can combine a dictionary attack with some brute force techniques and discover your password in a reasonable amount of time, assuming you don’t simply give it to them as part of a social engineering attack.
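To make the grammar point concrete, here is an added example (my own illustration, not code from the original post) of what a grammar-aware cracker does: it trains a bigram model on ordinary text and then tries word sequences most-probable-first, so a natural phrase like “my yellow car” comes up after a handful of guesses while unrelated words such as “elephant green hello” sit far down the list. The training text is a few constructed sentences, which is an assumption standing in for the large corpus a real attacker would use; the ordering it produces is correspondingly crude, but the effect is the same.

```python
"""Added example (not from the original post): scores passphrase candidates the
way a grammar-aware cracker does, ordering word sequences by their probability
under an add-one smoothed bigram language model and reporting how many guesses
it takes to reach a target phrase."""

import math
from collections import Counter
from itertools import product

# Constructed training text (assumption: stands in for the attacker's corpus).
CORPUS = """\
my yellow car is great
my car is fast
the yellow car is old
my dog is great
the elephant is big
the grass is green
hello my friend"""

START, END = "<s>", "</s>"


def train(corpus: str):
    """Count bigrams and left-context unigrams; return (contexts, bigrams, vocab_size)."""
    contexts, bigrams = Counter(), Counter()
    vocab = {END}                      # END can follow a word, START never does
    for line in corpus.splitlines():
        words = [START] + line.split() + [END]
        vocab.update(line.split())
        for a, b in zip(words, words[1:]):
            contexts[a] += 1
            bigrams[(a, b)] += 1
    return contexts, bigrams, len(vocab)


MODEL = train(CORPUS)


def log_prob(words, model=MODEL) -> float:
    """Add-one smoothed bigram log2-probability of a complete phrase (higher = more likely)."""
    contexts, bigrams, vocab_size = model
    seq = [START] + list(words) + [END]
    return sum(
        math.log2((bigrams[(a, b)] + 1) / (contexts[a] + vocab_size))
        for a, b in zip(seq, seq[1:])
    )


def guesses_until(target: str, model=MODEL) -> int:
    """1-based position of `target` when every same-length word sequence over the
    vocabulary is tried most-probable-first, i.e. the cracker's guess count."""
    contexts, _, _ = model
    words = sorted(w for w in contexts if w != START)   # every corpus word is a context
    n = len(target.split())
    ranked = sorted(product(words, repeat=n),
                    key=lambda cand: log_prob(cand, model), reverse=True)
    return ranked.index(tuple(target.split())) + 1


if __name__ == "__main__":
    for phrase in ["my yellow car", "car yellow my", "elephant green hello"]:
        print(f"{phrase:22} log2 P = {log_prob(phrase.split()):7.2f}  "
              f"guess #{guesses_until(phrase)} of 3375")
```

Even with seven training sentences, the grammatical phrase is reached within the first dozen or so of the 3,375 three-word sequences, while the unrelated words need hundreds of guesses; with a real corpus the gap is far larger, which is exactly why “unrelated words separated by special characters” is the advice above.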

There are technologies that promise to make it harder for crackers to gain entry to a system, but they’re usually complicated. For example, you can add a retina or iris scanner or a thumbprint reader to improve security, but that means an additional purchase, specialized software, training, and other costly changes to your setup. Security cards are another option, but again, you have additional costs to consider, and the use of a security card is open to social engineering attacks (unlike a person’s thumb or retina, which are firmly attached). Most organizations still rely on passwords or passphrases in the interest of saving money, so creating usable, easily remembered passwords that truly are safe should be the focus of administrators whenever possible.

One new method of securing systems does appear in Windows 8. In this case, the system displays a picture when you start it up and you use gestures to circle or otherwise identify pictorial elements in place of typing a password. There are some experts who are already saying the feature is easily cracked. It seems as if the technique would be unwieldy with a mouse and it has already been said that most people aren’t buying touch screens to use with Windows 8 (see my Some Interesting Windows 8 Information post for details), so this security feature may be a non-starter for most organizations.

Passwords and passphrases won’t likely go away soon, so the best approach for most users and administrators is to create a system where passwords are complex, easily remembered (and therefore, not written down), and changed relatively often. The combination of these three elements should make your PC safer from crackers. However, the best security is vigilance. Check your system for intrusion often. Rest assured, someone who really wants to get in will do so and without too much effort. Let me know your thoughts about passwords at