Strategies for Creating Strong Passwords

Today's technology has brought us a click away from a vast array of information and instant communication. Consequently, it has also brought to our doorstep countless ill-intended individuals seeking to cause disruption or harm. One of the easiest ways to let a “hacker” invade your life is by using weak passwords. With even a little forethought and strategy, the strength of your passwords can increase exponentially. The purpose of this article is to provide some insight into creating and using strong passwords. There are countless methods one might use to generate strong passwords. The examples presented in this article offer some general ideas and principles that may help in implementing a personal methodology. Ultimately one should apply a variety of concepts and strategies, the specifics of which are kept secret.

Examples of weak / bad passwords:

  • Names of personal significance such as pets, family members and nicknames.
  • Dates of personal significance such as birthdays, anniversaries, or personal history.
  • Numbers of personal significance such as phone numbers, addresses and government identification numbers.
  • Words of personal significance relating to work, hobbies or other personal interests.
  • Repetitive or sequenced characters such as “1111”, “1234”, “aaaa”, “abcd”.
  • Obvious substitutions such as p@ssword, passw0rd, pazzword.
  • Obvious patterns such as reversing the spelling alone, “drowssap” is a very weak password.
Ideally passwords should be long, complex, seemingly random (if not actually random) and unique, that is, used exclusively for each situation. However, in a practical setting it is difficult to remember dozens of long and random sequences of letters, cases, numbers and symbols. A more practical approach is to devise a strategy, or a combination of strategies, to “reconstruct” a particular password for a specific setting.

Parameters of strong passwords include:
  • Length: Many password policies implement a minimum and maximum length. 6-8 characters is often a minimum. Many policies implement a maximum length of 12-16 characters.
  • Alternating Case: Many policies are case sensitive; alternating case adds a greater degree of strength.
  • Numbers: Including random numbers greatly increases the complexity of a password.
  • Symbols: Many policies allow the use of symbols, for example !@#$%^&*. Random symbols can greatly increase the strength of a password.
  • Randomness: Implementing random characters and numbers exponentially reduces the threat of a person or machine simply guessing the correct password.
  • Exclusivity: The more delicate the information, the more exclusive the password should be. Accounts that are not particularly sensitive may share common passwords. As the degree of sensitivity increases, reuse of the password elsewhere should decrease.
  • Duration: Generally the stronger the password the less frequently it needs to be changed.
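The two lists above (the weak patterns to avoid and the parameters of a strong password) can be turned into a simple policy check. The following is an added example, not code from the original article: the word list and the substitution table are small constructed samples standing in for the full dictionary or breached-password list a real deployment would use, and the threshold of four characters for runs and sequences is an assumption of this example.

```python
"""Check a candidate password against the weak patterns and strength
parameters listed in the article.  Added example, not the article's code.
"""
import re
import string

# Constructed sample of words a password must not reduce to (a real check
# would load a full dictionary or breached-password list here).
COMMON_WORDS = {"password", "truck", "welcome", "letmein", "qwerty"}

# Obvious substitutions, mapped back to the letters they stand in for, so
# that p@ssw0rd and pazzword both normalize to "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "!": "i", "z": "s"})


def normalize(pw: str) -> str:
    """Fold case and undo obvious substitutions before a dictionary lookup."""
    return pw.lower().translate(LEET)


def has_run(s: str, n: int = 4) -> bool:
    """True if some character repeats n or more times in a row ("1111", "aaaa")."""
    return re.search(r"(.)\1{%d,}" % (n - 1), s) is not None


def has_sequence(s: str, n: int = 4) -> bool:
    """True if s contains n consecutive ascending or descending characters
    ("1234", "abcd", "dcba")."""
    s = s.lower()
    for i in range(len(s) - n + 1):
        window = [ord(c) for c in s[i:i + n]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def weak_reasons(pw: str) -> list[str]:
    """Weak-pattern rules from the article that the password trips."""
    reasons = []
    norm = normalize(pw)
    if norm in COMMON_WORDS:
        reasons.append("dictionary word (possibly with obvious substitutions)")
    if norm[::-1] in COMMON_WORDS:
        reasons.append("reversed dictionary word")
    if has_run(pw):
        reasons.append("repeated characters")
    if has_sequence(pw):
        reasons.append("sequenced characters")
    return reasons


def missing_parameters(pw: str, min_len: int = 8) -> list[str]:
    """Strength parameters from the article that the password fails to meet."""
    missing = []
    if len(pw) < min_len:
        missing.append(f"length < {min_len}")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        missing.append("mixed case")
    if not any(c.isdigit() for c in pw):
        missing.append("number")
    if not any(c in string.punctuation for c in pw):
        missing.append("symbol")
    return missing


def assess(pw: str) -> dict:
    """Combine both checks; a password is acceptable only if neither fires."""
    weak = weak_reasons(pw)
    missing = missing_parameters(pw)
    return {"weak_patterns": weak, "missing": missing,
            "acceptable": not weak and not missing}


if __name__ == "__main__":
    for candidate in ["Truck", "p@ssw0rd", "drowssap", "abcd1234", "TrC@akP3&uck"]:
        print(candidate, assess(candidate))
```

The normalization step is what makes the “obvious substitution” rule effective: comparing the raw string against a word list would miss p@ssw0rd entirely, so the check maps the substituted characters back to letters first and only then looks the word up, both forwards and reversed.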

Strong Password Strategies

Randomness: A password should be composed of at least one random or seemingly random element, for example a random set of letters, numbers, and/or symbols included in a “base password” or phrase. Suppose, for instance, your strategy is that the base password contains the word “Truck”. By memorizing a random sequence for general use, a simple password becomes much stronger. In the following illustration it is assumed that we have decided to memorize the small set of random characters “kP3&”.

Illustration:

  • Truck (weak)
    • TrkP3&uck (better)

Exclusivity: Where and how often you use the same password may have a significant impact. One may want to implement a personal scale indicating how sensitive a particular account is. At one end of the scale may be a common, easy-to-remember password shared among many accounts for which the threat level is exceedingly low. At the other end may be highly sensitive accounts where the password is entirely unique and very complex. In the middle tier we may want passwords that are exclusive yet easy to “remember” or “reconstruct”. By implementing a predefined strategy, mid-level passwords can still be easy to remember yet unique to a particular situation. For example, I may begin with the base password “Truck” for my Facebook account but then apply an easy-to-remember rule for manipulating the base password or phrase. Notice the 2nd and 3rd letters of the word Facebook in the illustration below.

Illustration:
  • Truck (weak)
    • TrCauck (better)

As we can see, the password is relatively unique but still easy to remember. What if we add a symbol to our strategy as well? An obvious choice might be @, since this is a website account.

Illustration:
  • Truck (weak)
    • TrC@auck (better)

Again, relatively unique, easy to remember, yet much stronger than what we began with. What if we mix in another strategy? In the randomness illustration we decided that the characters kP3& would be a memorized sequence.

Illustration:
  • Truck (weak)
    • TrC@akP3&uck (better)

As we can see, this simple password has become rather complex but is still easy to “remember” or “reconstruct”. Ultimately we are merely combining three memorized items to create the password: a base password, a predefined random sequence, and a simple exclusivity strategy.
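The four illustrations above are steps of one procedure, so here is the whole procedure in code. This is an added example, not the author's code: the insertion point (after the second character of the base word), the order “third letter upper-cased, marker, second letter” and the “@” marker for website accounts are read off the illustrations; the function names, the `position` parameter and the `steps` helper are assumptions of this example.

```python
"""Reconstruct a site-specific password from the three memorized items the
article combines: a base word, a memorized random sequence, and an
exclusivity rule derived from the account name.  Added example, not the
article's own code.
"""


def exclusivity_tag(site: str, marker: str = "@") -> str:
    """Third letter of the site name upper-cased, the marker, then the
    second letter: "Facebook" -> "C@a", as in the TrC@auck illustration."""
    if len(site) < 3:
        raise ValueError("site name needs at least three letters")
    return site[2].upper() + marker + site[1].lower()


def reconstruct(base: str, site: str, secret: str, position: int = 2) -> str:
    """Insert the exclusivity tag followed by the memorized secret into the
    base word at `position` (assumed parameter; the article always uses 2)."""
    head, tail = base[:position], base[position:]
    return head + exclusivity_tag(site) + secret + tail


def steps(base: str, site: str, secret: str) -> list[str]:
    """The base word followed by the four illustrated stages, in order."""
    head, tail = base[:2], base[2:]
    return [
        base,                                              # Truck (weak)
        head + secret + tail,                              # randomness only
        head + site[2].upper() + site[1].lower() + tail,   # exclusivity only
        head + exclusivity_tag(site) + tail,               # exclusivity + symbol
        reconstruct(base, site, secret),                   # all three combined
    ]


if __name__ == "__main__":
    for stage in steps("Truck", "Facebook", "kP3&"):
        print(stage)
    # A different account name yields a different password from the same
    # three memorized items, which is the point of the exclusivity rule.
    print(reconstruct("Truck", "Twitter", "kP3&"))
```

One point worth keeping in mind when using a rule like this: the part derived from the site name is reproducible by anyone who learns the rule, so it provides exclusivity between accounts rather than secrecy. The memorized random sequence and the base word are what actually have to stay secret, which is why the article treats the random element as the essential one.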

Password Security

Obviously the “strength” of a password is meaningless if the password itself is not kept secure. Avoid using “password vaults”, especially remote password storage utilities, since compromising that single store compromises everything associated with it. Realize that no reputable organization will ever ask for account passwords outside of an authentication process. For example, no legitimate organization will ask you to email them your password.

Unfortunately, many passwords are compromised because the victims literally provide the information directly to an ill-intended source. A common scheme known as "phishing" is one in which a person or entity is falsely represented and requests an action from the potential victim. A "phishing" scheme may come in the form of an email and/or website impersonating another organization. Victims respond to authentic-looking emails directing them to what appears to be their financial institution's website. The login process may look and act as they would normally expect, when in fact they have just supplied their user name and password directly to an illegitimate website.

Technology will continue to advance in the fight against fraud and other criminal activities. However, criminals will always be looking for new and ever more deceptive strategies. One of the best defenses is knowledge and careful scrutiny of any unexpected communication, and of course using strong passwords and keeping them secure.

By Jeremy Zoerman
5/8/2009 8:06:25 PM