A former colleague once shared with me his view on passwords. The "bad guys" are getting more sophisticated at guessing passwords, and they use programs that run through every possible combination of characters to "break" a password. On top of that, attackers can now rent time on powerful computers, such as Amazon's EC2 "cloud," to do the cracking. So my colleague liked to express "password strength" in terms of how much it would cost an attacker to crack your password on Amazon's computers. It's amazing how low the price can be for short, simple passwords. How much is your email account worth to you, and how much is it worth to someone who wants to crack your password? It was a stark reminder that we need to use strong passwords for the accounts that matter to us, like our U of M email accounts.
The SANS security organization distributes a monthly security awareness newsletter called "OUCH!". The May issue (PDF) explains how to create strong passwords using passphrases and the best ways to protect them. In short: avoid simple passwords like the name of your pet or your birthday or anniversary date. Instead, create a long password that is very, very difficult to guess by using a passphrase.
A passphrase is just a string of words, such as "time for my coffee". At the U of M, we recommend that a strong password:
- Be at least 8 characters in length
- Contain both uppercase and lowercase letters (e.g. A-Z, a-z)
- Contain at least one numeric character (e.g. 0-9)
- Contain at least one special character (e.g. ~ ! @ # $ % ^ & * ( ) - _ + =)
Using those guidelines, a stronger passphrase might be "Time f0r my coffee!".
Among the recommendations SANS shares for good password management:
- Use different passwords for different accounts.
- Never share your password with anyone else.
- Don't use public computers to log in to sensitive accounts (like your bank).
- Be careful with websites that ask you to answer personal questions. These are used to help you recover your password if you forget it, but the answers can often be found on your Facebook page or via Google, so others can probably guess them too.
- If you have the option of 2-factor authentication (such as M-Key), use it.
- Close or disable accounts when you no longer need them.
Others recommend that your passphrase be a series of unrelated words. A passphrase like "correct horse battery staple" is extremely hard to guess but fairly easy to memorize.
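To make my colleague's "cost to crack" idea concrete for the examples above, here is a small Python model I added for this post; it is not from SANS, the OUCH! newsletter, or U of M's guidelines. It estimates how many guesses an attacker needs under two attacker models, naive brute force over every printable character and a smarter dictionary attack that guesses whole words or phrases and then applies "mangling" rules (capitalize, swap o for 0, add a trailing "!"), and converts that into rented compute time and dollars. Every number in it (guesses per second, price per hour, dictionary and phrase-list sizes, number of mangling rules) is an assumption I chose for illustration, not a measurement; the post itself gives no figures. The lesson it shows: substitutions like "0" for "o" buy almost nothing against a tool that already knows those tricks, and a passphrase gets its strength from how many words it has and how unpredictably they were chosen.

```python
import math

# Constructed assumptions for this example; the post gives no numbers.
GUESSES_PER_SECOND = 1e10   # assumed: rented GPU capacity against a fast, unsalted hash
                            # (a slow hash like bcrypt would cut this by 100,000x or more)
DOLLARS_PER_HOUR = 10.0     # assumed: hourly price of that rented capacity
PRINTABLE_ASCII = 95        # the characters a "try everything" attacker must cover
COMMON_WORDS = 2048         # assumed: size of the attacker's everyday-word dictionary
COMMON_PHRASES = 2 ** 20    # assumed: size of a list of common English phrases/sentences
MANGLING_RULES = 64         # assumed: case/leet/punctuation variants tried per candidate


def brute_force_bits(length, alphabet=PRINTABLE_ASCII):
    """Strength in bits if the attacker knows only the length and alphabet."""
    return length * math.log2(alphabet)


def phrase_bits(words, wordlist=COMMON_WORDS, mangling=1):
    """Strength in bits against an attacker who builds candidates from a
    dictionary (words entries drawn from wordlist) and then applies a fixed
    number of mangling rules to each one."""
    return words * math.log2(wordlist) + math.log2(mangling)


def expected_guesses(bits):
    """On average the attacker succeeds halfway through the search space."""
    return 2 ** bits / 2


def crack_cost(bits, rate=GUESSES_PER_SECOND, price=DOLLARS_PER_HOUR):
    """Return (seconds, dollars) to find the password on average."""
    seconds = expected_guesses(bits) / rate
    return seconds, seconds / 3600 * price


def report(label, bits):
    seconds, dollars = crack_cost(bits)
    print(f"{label:<40} {bits:6.1f} bits  {seconds:>14.3g} s  ${dollars:,.2f}")


if __name__ == "__main__":
    # Each candidate is scored against the attacker model that fits it best.
    report("8 random printable characters", brute_force_bits(8))
    # "time for my coffee" is a natural sentence: model it as one entry from
    # a list of common phrases, not four independent words.
    report("time for my coffee (phrase list)", phrase_bits(1, COMMON_PHRASES))
    # "Time f0r my coffee!" looks huge to naive brute force over 19 characters...
    report("Time f0r my coffee! (brute force)", brute_force_bits(19))
    # ...but a phrase-list attacker with mangling rules pays only log2(64) = 6 extra bits.
    report("Time f0r my coffee! (phrase list + rules)",
           phrase_bits(1, COMMON_PHRASES, MANGLING_RULES))
    # "correct horse battery staple": four words picked at random from the list,
    # so the attacker really must try the combinations.
    report("4 random words", phrase_bits(4))
    # Strength grows with each added word; six random words beat 8 random characters.
    report("6 random words", phrase_bits(6))
```

Run it and compare the last column: the "clever" substitutions add a few cents to the price of "time for my coffee", while each extra random word multiplies the attacker's work by the size of the word list. The absolute dollar figures move with the assumed hash speed and rental price, but the ordering of the rows does not.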