The article below was published in September 2009. Things have changed! Please see my new articles series on Password Ideas.
Password Guidelines
This is pretty much unrelated to Jason Powell's recent talk, but coincidentally I was working on a password document at about the same time. This was prepared for a client who agreed to allow for reuse and modification. What would you add or change? Looking for “best practices” and practical guidelines to share. CITRT people, please use if appropriate. And yes, I already know that Jason's policy was different. Remember, this is a set of guidelines to be adapted to particular needs. A recent story in Windows Secrets is also good information on strong passwords.
Why are good passwords important?
It’s an unfortunate fact of life that there are “bad guys” out there who are trying to get you. It’s possible that someone specifically wants to steal YOUR information or that of your employer. Or, perhaps someone wants to discredit or embarrass you or your employer. It’s just as possible that there is someone out there who’s just interested in learning *if* your system can be violated. Regardless of the motive of the bad guys, if they break in, it’s a bad thing. There is a common misconception around the idea of “I don’t have anything of interest to a bad guy.” If a hacker gains access to ANY account on a system, that gives a way to use the system’s own power to help gain further access. Any breach gives a foot in the door for a more targeted attack. If you have an account, you are a gateway to EVERYTHING stored on the network.
What makes a good password?
There are three primary qualities of a good password:
- Not easy to machine decode. Hackers have powerful tools that can “guess” passwords with incredible speed and ability. Therefore, good passwords are long and complex.
- Not easy to guess. A good password shouldn’t be easy for a person to guess. Long and complex passwords are best, but they should NOT be based on identifiable personal information.
- Easy to remember. This may be the most counter-intuitive part of a good password. If you have to write your password down, it’s a bad password. A good password is one that you, and only you, can easily remember.
Do those three rules make it seem that good passwords would be impossible? Perhaps, but maybe there are some simple ways to create long, complex passwords that are also easy to remember.
Ideas on creating good passwords:
One of the best ways to come up with a long, complex password is to think in terms of phrases rather than words. Start with a phrase that’s easy to remember, but is not based on any information obviously identifiable to you. Find a phrase that includes upper and lower case, numbers, and special characters. For instance:
My #1 all time favorite movie is Gone With The Wind
Using that entire phrase as your password is great:
My#1alltimefavoritemovieisGoneWithTheWind
(Sometimes it’s hard to NOT type the spaces, but many systems DO allow for spaces in passwords!)
Another good solution is to pick first letters from a phrase. Using the above phrase, we might generate (in your head, still) a password of:
M#1atfmiGWTW
That password is almost as easy to remember as the original, reasonably easy to type, yet very difficult to guess or for a program to decode.
Let’s try another:
September 29 is a special day to a friend of mine
As before, we could use the entire phrase, or we could do a quick encoding to come up with
S29iasdtafom
Now here’s a special trick that makes passwords better. Most people, when asked to create a complex password, come up with a word, capitalize it, then add a special character or number to the end. Orangutan*1 is an example. Technically, that is an “ok” password. However, since that’s what most people do, that’s the sort of approach most password cracking programs take to break passwords. You can be smarter! Simply turn it around. #1Orangutan is a far better password (still not great, but incredibly better). (#1SortOfLikeAGorilla is much better.)
A few things to avoid:
There are certainly some things NOT to use when creating passwords. You can add to this list, then just remember not to do these things. Easy, right?
- Passwords should never contain your name, your account name, or your company name
- Passwords should never be simple words from the dictionary (note: using multiple words is recommended)
- Passwords should never be made substantially of letter sequences (ABCDE) or number sequences (87654)
- New passwords should not be at all similar to previously used passwords (start with an entirely new phrase).
- Don’t use the same password for different purposes. For different accounts, different systems, different websites, use different passwords. It’s easier than you think to be creative and still have unique, memorable passwords if you think in terms of phrases.
3/2/2010 update: Another idea for "easy" passwords that are still complex.
Password Policy
Here are the absolute must do and must not do requirements:
- At least 8 characters (more is always better)
- Contains at least 3 of the 4 character types: Upper Case Letters, Lower Case Letters, Numbers, and Special Characters
- Does NOT contain any part of your name or user name
- Must be changed at least every 6 months
- Is NEVER to be given to anyone else. Not your family, not your friends, not your manager – NOBODY!
- Is NEVER to be written down
- YOU are 100% responsible for the security of your account through your own careful use of a quality password
- Any employee found to have violated policy may be subject to disciplinary action, up to and including termination of employment.
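As an added illustration (not part of the original post), the script below encodes a phrase the way the article describes, taking the first letter of each word and keeping tokens such as "#1" or "29" whole, and then checks a candidate against the length, character-type and name rules of the policy above. The username "tdye" and the reading of "any part of your name" as whole words of three or more letters are my assumptions.

```python
import re

def first_letter_encode(phrase: str) -> str:
    """Encode a passphrase as the article does: first letter of each word,
    but tokens starting with a digit or symbol (e.g. "#1", "29") stay whole."""
    out = []
    for token in phrase.split():
        out.append(token[0] if token[0].isalpha() else token)
    return "".join(out)

# The four character types named in the policy.
CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

def policy_violations(password: str, full_name: str, username: str,
                      min_length: int = 8, min_classes: int = 3) -> list:
    """Return the policy rules a password breaks (empty list means compliant)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    if classes < min_classes:
        problems.append(f"only {classes} of 4 character types")
    # Assumption: "any part of your name" means the username or any word of the
    # full name with three or more letters, matched case-insensitively.
    lowered = password.lower()
    parts = [username] + [w for w in full_name.split() if len(w) >= 3]
    for part in parts:
        if part and part.lower() in lowered:
            problems.append(f"contains '{part}'")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs: the article's two phrases and a name-based password.
    for phrase in ("My #1 all time favorite movie is Gone With The Wind",
                   "September 29 is a special day to a friend of mine"):
        pw = first_letter_encode(phrase)
        print(pw, policy_violations(pw, "Tony Dye", "tdye"))
    print(policy_violations("TonyDye#1", "Tony Dye", "tdye"))
```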
I disagree with "Contains at least 3 of the 4 character types: Upper Case Letters, Lower Case Letters, Numbers, and Special Characters"
I've read nothing anywhere as to how that truly helps... in fact I believe it only makes people end up writing down their password because it makes it harder to remember.
As I posted, we're ALL about the long passphrase, but require no special characters.
YMMV
Posted by: Jason Powell | September 11, 2009 at 01:16 PM
I would add that in addition to using good passwords, using different usernames for high security things like bank accounts and credit cards (ex: johnsbank, johnscard) adds another level of safety.
Posted by: John | September 17, 2009 at 04:49 PM
==> Jason. I have only minor evidence of the advantage of multiple character types. A few years back, I tinkered with a password cracker (l0phtcrack). It took longer, although not a lot longer, to break the passwords with multiple character types.
==> John. That's a great idea that I think I once knew (you probably told me about it before :-)
Posted by: TonyDye | September 18, 2009 at 05:10 PM