Risk
8/24/2007
06:19 PM
Sharon Gaudin
Sharon Gaudin
Commentary
50%
50%

Advice On Building A Better Password

We're always hearing that we need stronger passwords, but many people don't know how to craft a better, stronger password or they simply don't take the time to come up with some crazy complex string that they have no chance of remembering. I was just talking with someone who gave me some great advice.

We're always hearing that we need stronger passwords, but many people don't know how to craft a better, stronger password or they simply don't take the time to come up with some crazy complex string that they have no chance of remembering.

I was just talking with someone who gave me some great advice.Marc Boroditsky, president and CEO of New York-based PassLogix, was talking with me recently about passwords and the trouble that weak ones can cause on a network or a personal computer. If you use a password that's easy to figure out (CFOs need to stop thinking they're clever using 'moneyman'), hackers will blow right by the weak defense. And if you use the same password for everything from your corporate login to your online dating site to your bank account, one solved password gives a hacker access to every online aspect of your life.

OK. OK. I know most of us know this, but it hasn't stopped us from using one lame password after another -- or using the same lame password over and over, year after year. It's simply a hassle to come up with strong passwords (a mix of letters, numbers, and even upper and lower case). And it's no picnic to have to remember them all, especially since Boroditsky told me that one-third of all users have 15 or more passwords. And the average user has 10 passwords just for their job.

Boroditsky gave me some good advice -- the structure he uses for his own passwords.

First come up with two to three letters for the name of the application, followed by a two to three letter acronym, followed by two to three numbers, which could be the year, a special date, or a special number.

It sounded a little confusing to me at first, but it's really pretty simple.

Boroditsky explained that he's a baseball fan so his acronym would be based on "go Yankees," so that it would be "gy." And say a special anniversary is Sept. 13, so his numbers would be "913." That means his password for an SAP application would be sapgy913. If it's a password for a Wells Fargo bank account, the password would be wfgy913.

Only the letters for the name of the application change. He noted that he might keep the acronym and date the same for three months, six months ... it just depends on what he's comfortable with.

This kind of password doesn't include any names, nicknames, or anything else easy for hackers to guess.

"There's no way you're going to guess that randomly," said Boroditsky. "It's personalized. And it's a little bit of a system to get back to the password when I need it. You could switch the sequence but always do it the same way so you can recall it when needed."

What about you? Have a fool-proof way of coming up with a strong password? If you do, let us know how you do it.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.