Creating Strong Passwords

I was writing a presentation recently on encryption and one of the important things to show in the presentation is the use of strong passwords. Many of the encryption functions will use passwords as an alternate way to secure keys, and I hate showing bad habits, like “mystrongpassword” in examples.

I searched around and found some interesting tricks for creating strong passwords. These were two guides that I liked:

There are some good items in there, including the use of phrases and suffixes instead of trying to build some long word that you can easily remember. Personally I use a combination of techniques, and so far (knock on wood), my passwords have been fairly safe. At least as far as I know.

I also use Password Safe to store passwords for various sites and I keep that in sync with Dropbox across my desktop, my iPhone (pwsafe), and my Macbook Air (Password Gorilla).

This site also has tricks, but an interesting password tester as well that helps you score your passwords. A few of mine score in the mediocre range, which has me rethinking them and adding a few more characters to the length.

Lastly, if you hate typing passwords, and I completely understand that, learn to type. The better you type, at least those items you type a lot, the less hassle better security is for you.

About way0utwest

Editor, SQLServerCentral

4 Responses to Creating Strong Passwords

  1. Here is what I do, which I’ve been doing for about 10 years now. Seemed pretty obvious to me at the time, but I’m surprised more people don’t do this.

    Basically you use a simple word mixing formula.

    First pick your root word, this is a word that will be a component of every password you create. Let’s use “Working” as an example, and do some letter substitution like: “W0rk!ng”

    Now decide on a pattern for adding new words to this. The simplest is simply using a suffix, but it could be any pattern (here “r” represents a letter from the root word and A a letter from the added word), like rrAArrAArrAArr

    Now, let’s say that you want to set up a password for your Bank of America online banking account, your password would be something like the following (using the pattern rrArrArrArr):

    W0brko!nag

    Or, more simply it could be:

    boaW0rk!ng or W0rk!ngboa or boa#W0rk!ng, etc., etc.

    The thing is, whatever pattern you decide on, always use that pattern.

    Now, I actually have 3 different root words, and my own particular set of rules for using each root word. Each root word goes to different types of accounts, for example on-line vs. personal desktop/mobile devices vs. work related. (Always use a different root word for work related stuff since you may need to give that password to people).

    Given this, I never have to write passwords down or record them in any way, and I’m always able to *figure out* what my password is. This is important, you don’t need to memorize your passwords with this, you just have a set of rules that allows you to always figure them out, yet it allows you to always create a new password for every account.

    I’ve gone back to websites 5 and 6 years after the last time I visited them and been able to easily figure out my password and log into my accounts.

    The only downfall of this system is that it does pretty much lock you into the root words you use for a long time, perhaps forever, and if you have to divulge your password to someone and they understand what it is you are doing, they could in theory figure out how to crack your other passwords, but I consider this a very minor possibility for most people. Far less than the possibility someone finds your written list of passwords or cracks into your password vault, or you somehow lose your password vault. The only other issue is when you have to reset your password for some reason. Since the rules are pretty strict, there is really only one possible password you can have for any given account, but for example at work you may have to change your password every 6 months or something. In that case I just use the rules and append a number to the end of the password with each change.

    So anyway, that’s my system, and as far as I’m concerned, it’s one of the best there is.

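The root-word interleaving scheme from comment 1, as an added example that is not the commenter's own code: `derive_password` applies a pattern such as `rrArrArrArr` (or the simpler `AAArrrrrrr` for a plain prefix) to a root word and a site tag, and `shared_fraction` quantifies the overlap the commenter warns about in the last paragraph, i.e. how much of a second derived password is already contained in a leaked one. The function names and the second site tag `amz` are constructed for this example.

```python
"""Added example: the root-word/pattern scheme described in comment 1, plus a
measure of how much two passwords derived from the same root have in common.
Sample values are constructed; the function names are this example's own."""


def derive_password(root: str, added: str, pattern: str) -> str:
    """Interleave root and added word following pattern.
    'r' takes the next root character, 'A' the next added-word character.
    When a source is exhausted its remaining pattern slots are skipped, which
    is how the comment's 11-slot pattern yields the 10-character W0brko!nag."""
    root_chars, added_chars = iter(root), iter(added)
    out = []
    for slot in pattern:
        source = root_chars if slot == "r" else added_chars
        ch = next(source, None)
        if ch is not None:
            out.append(ch)
    return "".join(out)


def lcs_length(a: str, b: str) -> int:
    """Longest common subsequence length (standard dynamic programme)."""
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def shared_fraction(pw1: str, pw2: str) -> float:
    """Fraction of the shorter password that is a subsequence shared with the
    other. A high value means a leak of one password exposes most of the
    other's structure, the downside the commenter notes for root-word schemes."""
    return lcs_length(pw1, pw2) / min(len(pw1), len(pw2))


if __name__ == "__main__":
    ROOT, PATTERN = "W0rk!ng", "rrArrArrArr"      # values from the comment
    bank = derive_password(ROOT, "boa", PATTERN)   # -> W0brko!nag
    shop = derive_password(ROOT, "amz", PATTERN)   # constructed second site tag
    prefixed = derive_password(ROOT, "boa", "AAArrrrrrr")  # -> boaW0rk!ng
    print(bank, shop, prefixed, f"shared={shared_fraction(bank, shop):.2f}")
```

Two passwords built from the same root share a 7-character common subsequence out of 10, so the rule-based convenience the commenter likes comes with exactly the correlation risk the comment itself acknowledges.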

  2. Great point, this is always a good topic to review. As mentioned in
    ‘Database Security Best Practices for the Vigilant DBA’
    http://technet.microsoft.com/en-us/security/gg483744

    Maintain Strong Passwords: There is No Excuse; the DBA Is Accountable
    … Password Manager Pro from ManageEngine, and keep it in a password vault. Password strength is facilitated by free online password generators that use a password length of 12 alphanumeric characters. Avoid default passwords or cutting and pasting a user name (or using a password name that describes the level of access). Needless as it may be to say, these are not shortcuts you want to take, especially since simple software (e.g. SQL Password Checker, mentioned above) can verify password strength.

    Here is a great password generator: http://www.techzoom.net/tools/password-generator.en


  3. Jeff Moden says:

    There are several problems with all this “strong password” stuff. Many companies don’t allow but a small handful of special symbols, have max lengths for passwords in the area of 8 to 10 characters, and have no lockout/retry-time-period mechanism to prevent bots from hacking.

    I’m certainly not suggesting that “strong passwords” aren’t necessary. On the contrary. I’m stating that you simply can’t use them for many logins and companies need to change their password policies to support them.


  4. way0utwest says:

    Very true, but we have to get the word out and get more companies to understand that longer, stronger passphrases are important to protecting our systems.

