vrijdag 18 november 2011

Passwords - some practical remarks

There is a well known problem with passwords: they should be easy to remember, yet be long and complicated enough not to be detected by automatic password crackers.

The story is in the news today again for the umptieth time, with mashable reporting a list of the 25 most common passwords

Here are some of them:
password
123456
12345678
qwerty
abc123
monkey
1234567
trustno1
baseball
111111
iloveyou
Of course the guidelines for good passwords are well known:
  1. Use a combination of upper and lowercase, digits and other signs such as "_", !, & and so on.
  2. Don't use your name, names of relatives, or hobbies, birth date, and so on. Instead, do use combinations of words.
  3. Let your password have a sufficient length. Experts differ in opinion, and applications differ in possibilities. For instance, on windows 7 administrators can set the minimum password length anywhere from 1 - 14. Google apps recently increased the minimum length from 6 to 8.
  4. Use different passwords on different sites.
  5. Change your passwords frequently.
  6. Don't write your passwords down.

How, with these guidelines in mind, how can you choose passwords which on one side comply with these rules and on the other hand, are still useable in real life?

Here are some suggestions:
  1. Use something from your most recent holiday: hotel, restaurant, camping, guide, recipe, and so on, and mix this with numbers and other characters. For example, if "haggish" was a recipe you liked when on holiday in Scotland, you might choose "Scotland-Hag*2011*gish" as a password. This will encourage you to change password your password again after a next holiday. Not frequent enough, but it is a step.
    A friend of mine went to Argentina, and used the names of all the small villages there as the base for his passwords.
  2. Do you have a favorite song, poem or book? Use a combination of words, intermingled with numbers and other characters. For example, if you love the Rolling Stones, you might pick one of their songs: "You can't always get what you want", and choose a line, such as: I saw her today at a reception, and intermingle it with digits and other characters:
    "I08saw*her_today at a reception".
    If you change your password, don't just change the number, also periodically change to the next line of the song.
  3. Including year and month in your password has advantages and disadvantages. One advantages is that it is easy to remember, and another that it reminds you to change your password again. An obvious disadvantage is that these parts are easy to guess, and certainly this should not be the only change in a password.
Now there is something to say about the rule: Don't write your passwords down.. First, to have a different password for every site, virtually forces one to write your password down, or frequently to ask the site to reset your password.
Personally, I don't think the rule can be taken as an absolute. Certainly it is not good if an office employee has a yellow note at the screen with his or her password. A better wording would imho be: write your password down at a secure spot.
If you are at home, store your passwords of internet sites on pencil and paper in a secure spot - where it can be found easily, but not at first sight.
As for the office, unfortunately there are still many employers who don't have single login enabled for there applications. Ask your employer for it - the problem belongs to your employer. Meanwhile, you probably have one main account. You will have to memorize the password for that account, and maybe you have a private area where you can write note your other passwords securely in that spot. Or maybe you can synchronize your passwords, changing them all at the same time?
One secure spot to write your passwords down is a password store. They allow you to write down your passwords for numerous internet sites and applications, together with the name of the site or the application. They need a password to open, so that is the only password you need to remember. And oh, you will want to backup this utility frequently. One which is free and open source is Keepass.