Risk
8/24/2007
06:19 PM
Sharon Gaudin
Sharon Gaudin
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Advice On Building A Better Password

We're always hearing that we need stronger passwords, but many people don't know how to craft a better, stronger password or they simply don't take the time to come up with some crazy complex string that they have no chance of remembering. I was just talking with someone who gave me some great advice.

We're always hearing that we need stronger passwords, but many people don't know how to craft a better, stronger password or they simply don't take the time to come up with some crazy complex string that they have no chance of remembering.

I was just talking with someone who gave me some great advice.Marc Boroditsky, president and CEO of New York-based PassLogix, was talking with me recently about passwords and the trouble that weak ones can cause on a network or a personal computer. If you use a password that's easy to figure out (CFOs need to stop thinking they're clever using 'moneyman'), hackers will blow right by the weak defense. And if you use the same password for everything from your corporate login to your online dating site to your bank account, one solved password gives a hacker access to every online aspect of your life.

OK. OK. I know most of us know this, but it hasn't stopped us from using one lame password after another -- or using the same lame password over and over, year after year. It's simply a hassle to come up with strong passwords (a mix of letters, numbers, and even upper and lower case). And it's no picnic to have to remember them all, especially since Boroditsky told me that one-third of all users have 15 or more passwords. And the average user has 10 passwords just for their job.

Boroditsky gave me some good advice -- the structure he uses for his own passwords.

First come up with two to three letters for the name of the application, followed by a two to three letter acronym, followed by two to three numbers, which could be the year, a special date, or a special number.

It sounded a little confusing to me at first, but it's really pretty simple.

Boroditsky explained that he's a baseball fan so his acronym would be based on "go Yankees," so that it would be "gy." And say a special anniversary is Sept. 13, so his numbers would be "913." That means his password for an SAP application would be sapgy913. If it's a password for a Wells Fargo bank account, the password would be wfgy913.

Only the letters for the name of the application change. He noted that he might keep the acronym and date the same for three months, six months ... it just depends on what he's comfortable with.

This kind of password doesn't include any names, nicknames, or anything else easy for hackers to guess.

"There's no way you're going to guess that randomly," said Boroditsky. "It's personalized. And it's a little bit of a system to get back to the password when I need it. You could switch the sequence but always do it the same way so you can recall it when needed."

What about you? Have a fool-proof way of coming up with a strong password? If you do, let us know how you do it.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0607
Published: 2014-07-24
Unrestricted file upload vulnerability in Attachmate Verastream Process Designer (VPD) before R6 SP1 Hotfix 1 allows remote attackers to execute arbitrary code by uploading and launching an executable file.

CVE-2014-1419
Published: 2014-07-24
Race condition in the power policy functions in policy-funcs in acpi-support before 0.142 allows local users to gain privileges via unspecified vectors.

CVE-2014-2360
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules allow remote attackers to execute arbitrary code via packets that report a high battery voltage.

CVE-2014-2361
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules, when BreeZ is used, do not require authentication for reading the site security key, which allows physically proximate attackers to spoof communication by obtaining this key after use of direct hardware access or manual-setup mode.

CVE-2014-2362
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.