Password Strength Tips
These tips won't just help you at CHS, but at home as well. Here at CHS, your bank or social media accounts may not be at risk, but we still have sensitive and personal information to protect. And with just one password syncing across multiple services (email, IC, etc.), it is even more important to have a strong password.
First, let's discuss who exactly these passwords are for.
We don't need a password as strong as "W8#htXi29&86" to keep Uncle Bob or the neighbor, Joe, out of our system. A simple password like "123abz" can do that.
So who are we trying to keep out?
The person next to you - These are the people who will have the most information about your password. They can watch you type it, hear the key presses, and see which hand you are typing a key with. So a password like "123abz" is easy for them to guess. And because they are next to you, they most likely know a little bit about you, so passwords like your child's name and birth month ("Mikey04") can also be easily guessed.
Password cracking programs - These are the main culprits, and the reason websites ask for at least 8 characters with at least one number. These programs can make thousands of guesses per second, and they begin with common patterns, like capitalizing the first letter and ending with two or four numbers (Mikey04). They will try thousands of combinations, over and over, until they get in. Passwords they find quickly include:
- single dictionary words (skydiving)
- less than 8 characters (rj1977)
- personal words/dates (samantha, 10231975, etc.)
- common phrases or grouped words (newyorkcity)
Randomize as much as possible
A password like "Is73&Gft" is better than something like "wildcats". Even though both are 8 characters, "Is73&Gft" is not a dictionary word, it uses capitals and special characters, and each character is random.
Check out the Kaspersky Password Tool (linked at the bottom of this page) and enter some example passwords (not your real passwords) that you think are safe. The tool shows roughly how long it would take a cracking program to crack your password. Try "wildcats" and then try "Is73&Gft" and see the difference.
The main problem with "Is73&Gft", other than being only 8 characters long, is that it's not efficient to type or remember. Who wants to type "Is73&Gft" every time they check their email?
What about being creative, like changing "wildcats" to "W!ldcat5", you ask? It helps against someone physically sitting at your keyboard and typing guesses. But see what Kaspersky thinks about it. If you are clever enough to change an "s" to "$" and an "i" to "!", then password cracking tools will try that first! Spell your word backwards, that's clever! Wrong! Password cracking tools were designed by humans, so they know how you think!
Use passPHRASES instead of passWORDS
Use phrases instead of a single word. Some sites won't allow spaces in passwords, so you may have to use an underscore or some other special character instead. We will use: "Peter ate 2 cakes!"
Now try "Peter ate 2 cakes!" in the Kaspersky Password Tool.
"Peter ate 2 cakes!" is not in the dictionary, uses spaces, has capital letters and numbers, and most importantly it is 19 characters long! Not to mention, it's not a chore to type like "Is73&Gft" is.
Longer passwords are always better than creative ones
When it comes to passwords, longer beats creative. Would you believe "pigpigpigpigpig" is more secure than "Is73&Gft"? It is, because each added character multiplies the number of possible passwords, so the count grows exponentially with length. (This is known as password entropy.) The entropy of a password measures how many attempts an attacker would have to make before finding it by brute force. Try it out in the Kaspersky Password Tool. Create a long password whenever possible.
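The brute-force arithmetic behind the claim above, as an added example that is not part of the original page: it estimates the character pool a password draws from, converts length and pool size into bits of entropy, and turns that into an expected cracking time at a chosen guess rate. The guess rates are assumptions (the article's "thousands per second" and a GPU-class rate of one billion per second against a fast hash); the passwords are the article's own examples. Note that this model credits "wildcats" with 37 bits, which a dictionary attack never has to pay for, so it is an upper bound that only holds for truly random characters.

```python
import math

# Character classes used to estimate the pool an attacker must search when
# guessing character by character. SYMBOLS is the 33 printable ASCII
# punctuation characters including space, so all four pools total 95.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"


def alphabet_size(password: str) -> int:
    """Size of the smallest pool containing every character class the password uses."""
    size = 0
    for pool in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in pool for c in password):
            size += len(pool)
    return size


def brute_force_bits(password: str) -> float:
    """Entropy in bits if the attacker knows only the length and the character classes.
    Every extra character multiplies the search space by the pool size, which is
    why length dominates: log2(pool) bits are added per character."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def expected_guesses(bits: float) -> float:
    """On average the attacker finds the password halfway through the space."""
    return 2 ** bits / 2


def crack_time_seconds(password: str, guesses_per_second: float) -> float:
    """Expected time to brute-force the password at the given guess rate."""
    return expected_guesses(brute_force_bits(password)) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Rough, human-readable duration for display only."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, span in units:
        if seconds >= span:
            return f"{seconds / span:,.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # The article's own example passwords at two assumed guess rates:
    # 1e4/s (the article's "thousands per second") and 1e9/s (GPU-class, fast hash).
    for pw in ("wildcats", "Is73&Gft", "pigpigpigpigpig", "Peter ate 2 cakes!"):
        bits = brute_force_bits(pw)
        print(f"{pw!r:22} {len(pw):2} chars  pool={alphabet_size(pw):3}  {bits:6.1f} bits  "
              f"@1e4/s: {human_duration(crack_time_seconds(pw, 1e4))}  "
              f"@1e9/s: {human_duration(crack_time_seconds(pw, 1e9))}")
```

Running it shows "pigpigpigpigpig" (15 lowercase characters, about 70 bits) outscoring "Is73&Gft" (8 characters from all 95 printable ASCII, about 53 bits) by roughly 18 bits, which is a factor of more than 200,000 in expected cracking time, purely because of length.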
Longer and Random are the keys to a great password.
"Peter ate 2 cakes!" is a secure 19 character password. What's a more secure 19 character password? Try "brick viet frog jot". Four random words. Still 19 characters, but it doesn't use capitals, numbers, or special characters. No common phrases. Just random words. It's better to be truly random (see the Diceware system), not just four words you think of, because cracking tools will first try the words people most commonly think of (love, dog, home, etc.).
Why? Cracking tools always look first for common words, phrases, and symbols. They don't start with the letter "a" and then go "aa" and so on. They start with the 1000 most common passwords like "12345", "password", "loveyou", "wildcat", etc. They may also use a 500- or 1000-word dictionary to brute-force your passphrase. They can have an entire database of thousands of popular quotes and run a simple algorithm to add punctuation or turn an "S" into a "$". The quote "I have a dream" can be turned into a thousand variations like "1 Hav3 4 Dr34m" or "I-haVe-A-Dr3am!" in seconds.
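Two points from the passphrase section above, as an added example that is neither the page's nor the Diceware project's code: first, a Diceware-style generator that picks words with the operating system's CSPRNG rather than letting a person choose them, with the entropy computed from the size of the list; second, a defender's view of the "creative spelling" trick, counting how few extra guesses substitutions like "s" to "$" add on top of a 1000-word dictionary, and a policy check that normalizes a candidate such as "W!ldcat5" back to its base word and rejects it. The eight-word list, the common-word set, the substitution table and the 1000-word dictionary size are all constructed assumptions; only the 7776-word Diceware list size is a real figure.

```python
import math
import secrets

# Constructed stand-in for a Diceware word list. A real Diceware list has
# 7776 (6**5) words; only the size of the list matters for the entropy figure.
SAMPLE_WORDLIST = ["brick", "viet", "frog", "jot", "acid", "lamp", "pear", "zinc"]

# Constructed stand-in for the attacker's "1000 most common passwords" list.
COMMON_WORDS = {"wildcat", "wildcats", "password", "loveyou", "12345",
                "love", "dog", "home", "dream"}

# Substitutions of the kind the article describes ("s" -> "$", "i" -> "!").
# This table is an assumption; real cracking rule sets are larger.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
# Reverse table used to normalize a candidate back to the word it came from.
UNLEET = {sub: letter for letter, subs in LEET.items() for sub in subs}


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDLIST) -> str:
    """Diceware-style: every word is chosen uniformly by the OS CSPRNG (secrets),
    never by a person, so no word is more likely than any other."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(n_words: int, list_size: int = 7776) -> float:
    """Entropy of a random passphrase: log2 of the number of equally likely phrases."""
    return n_words * math.log2(list_size)


def mangled_word_bits(word: str, dict_size: int = 1000) -> float:
    """Effective search space of a 'creative' password: the attacker picks one of
    dict_size words, optionally capitalizes the first letter, and tries every
    combination of substitutions. Each substitutable letter only adds log2(1 + k) bits."""
    variants = 2  # as written, or first letter capitalized
    for c in word.lower():
        variants *= 1 + len(LEET.get(c, ""))  # keep the letter, or one of its substitutes
    return math.log2(dict_size) + math.log2(variants)


def normalize_leet(candidate: str) -> str:
    """Undo the substitutions and case: 'W!ldcat5' -> 'wildcats'."""
    return "".join(UNLEET.get(c, c) for c in candidate.lower())


def is_mangled_dictionary_word(candidate: str, dictionary=COMMON_WORDS) -> bool:
    """Policy check: reject a password that is a dictionary word in disguise,
    including the 'word + short number' pattern such as 'wildcat04'."""
    stripped = candidate.rstrip("0123456789")  # drop a trailing number before normalizing
    return any(normalize_leet(c) in dictionary for c in (candidate, stripped))


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print(f"random passphrase: {phrase!r}")
    print(f"4 Diceware words:  {passphrase_bits(4):.1f} bits")
    print(f"'wildcats' + substitutions over a 1000-word list: "
          f"{mangled_word_bits('wildcats'):.1f} bits")
    for pw in ("W!ldcat5", "wildcat04", "brick viet frog jot"):
        verdict = "reject" if is_mangled_dictionary_word(pw) else "ok"
        print(f"{pw!r:22} -> {verdict}")
```

The numbers make the article's point: four Diceware words give about 52 bits even though they are all lowercase, while "W!ldcat5" sits inside a space of under 17 bits once the attacker starts from a dictionary and applies the obvious substitutions. The `is_mangled_dictionary_word` check is the kind of rule a password policy can apply at enrollment so that disguised dictionary words are refused before they ever reach a cracker.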
In summary:
- Make longer passwords, or even better, passphrases (12 characters or more is recommended, 15 characters or more is ideal).
- Randomize enough, but not so much that the password becomes hard to remember or a chore to type.
- Don't make passwords personal or meaningful to you (remember, we also want to keep out those around us).
Kaspersky Password Tool: http://blog.kaspersky.com/password-check/
7 Tips to Toughen Passwords: http://www.darkreading.com/risk-management/7-tips-to-toughen-passwords/d/d-id/1104754?
Creating Strong Passwords is Easier Than You Think: http://www.infoworld.com/article/2616157/security/creating-strong-passwords-is-easier-than-you-think.html?page=2
How to Create a Secure Password: https://open.bufferapp.com/creating-a-secure-password/
Toward Better Master Passwords: https://blog.agilebits.com/2011/06/21/toward-better-master-passwords/