Secure Passwords: My Thoughts

Earlier today I was reading a post on the Huckleberries blog at the Spokesman Review website about password security and just how BAD some people's passwords are. http://www.spokesman.com/blogs/hbo/2011/nov/23/worst-computer-passwords-...

Bad passwords are a pet peeve of mine. An 8-character mixed-case password using letters, numbers, and symbols can be "guessed" by a reasonably fast computer within a day; about 3 hours, according to howsecureismypassword.net. If you tell that computer to try these common, insecure passwords first, and then dictionary words with c0mm0n r3pl4c3m3nts, the process goes much faster.

My secure passwords used to be variations on pop-culture characters I like, ones that would be difficult for other people to guess without knowing me. For example, a password might have been C4lv1n&H0bb3s. That is actually a relatively secure password. Those aren't common dictionary words; it uses numbers and mixed-case letters (even though the numbers are common replacements), and it uses symbols. It is also 13 characters long, which would take a random-guessing algorithm quite a while to find. Its main flaw is that someone who knew me personally could make a reasonable guess as to which characters I might use, and could work out the replacement pattern pretty easily.

A lot of password misuse is from people we know, unfortunately. Just like identity theft.

With the current password rules of many applications we've actually decreased security by suggesting strings of random numbers and characters that are easy for a computer to guess but difficult for us to remember. So many people default to these easy, popular passwords, or choose ones that are easy for people they know to guess.

A better way to go about it is to use a passphrase. For example: "I really love my cat, Tommy." becomes Ir3allyl0vemycat,T0mmy. This is easy to remember, but difficult for a friend or family member to guess in its exact phrasing and replacement pattern. It is 23 characters long and uses mixed case, numbers, and symbols, which equates to 9 octillion years to crack by random guessing on a desktop computer. Best of all, you can keep a picture of your cat at your desk to openly remind you of the password. You could even write the raw phrase down somewhere; someone who found it might think it's weird, but wouldn't connect it to a password. Even safer? Put a space or two at the end. They aren't visible if you write your phrase down somewhere, and they add extra security if someone does recognize the written phrase as a password.
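As an added example (not from the original post), here is the arithmetic behind the time-to-crack figures quoted above for the 8-, 13- and 23-character passwords, together with the check that the "someone who knows me" objection implies: undo the common replacements and look the pieces up in a word list. The guess rate of 1e10 per second, the 8-character sample Sp0k4ne!, and the tiny word list are assumptions; with those assumptions the 23-character passphrase lands near the post's 9 octillion years.

```python
import re
import string

# Common letter-for-symbol substitutions (the post's "c0mm0n r3pl4c3m3nts").
# Constructed for this example; real cracking rule sets are far larger.
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

# Constructed mini word list standing in for a real dictionary/name list.
WORDLIST = {"calvin", "hobbes", "really", "love", "cat", "tommy"}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(pw: str) -> int:
    """Alphabet a naive brute-forcer must cover: only the classes the password uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += len(string.punctuation) + 1  # 32 symbols plus space
    return size


def brute_force_years(pw: str, guesses_per_sec: float = 1e10) -> float:
    """Years to exhaust the whole keyspace at an assumed guess rate (default 1e10/s)."""
    keyspace = charset_size(pw) ** len(pw)
    return keyspace / guesses_per_sec / SECONDS_PER_YEAR


def undo_substitutions(pw: str) -> str:
    """Reverse the replacements and fold case: the form a dictionary attack tries first."""
    return "".join(LEET.get(c, c) for c in pw).lower()


def dictionary_coverage(pw: str, wordlist=WORDLIST) -> tuple[int, int]:
    """(tokens found in the word list, total alphabetic tokens) after undoing substitutions."""
    tokens = [t for t in re.split(r"[^a-z]+", undo_substitutions(pw)) if t]
    return sum(t in wordlist for t in tokens), len(tokens)


if __name__ == "__main__":
    for pw in ("Sp0k4ne!", "C4lv1n&H0bb3s", "Ir3allyl0vemycat,T0mmy."):
        hits, total = dictionary_coverage(pw)
        print(f"{pw!r}: {len(pw)} chars, {brute_force_years(pw):.3g} years "
              f"of brute force, {hits}/{total} tokens in word list")
```

The 13-character password scores 2/2 tokens in the word list once the replacements are undone, so its real search space is a handful of names and separators rather than 95^13; the passphrase, with its spaces removed, does not decompose that way.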

There is really no excuse for not having long, secure, but easy-to-remember passwords.