Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/24/2007
06:19 PM
Sharon Gaudin
Sharon Gaudin
Commentary
50%
50%

Advice On Building A Better Password

We're always hearing that we need stronger passwords, but many people don't know how to craft a better, stronger password or they simply don't take the time to come up with some crazy complex string that they have no chance of remembering. I was just talking with someone who gave me some great advice.

We're always hearing that we need stronger passwords, but many people don't know how to craft a better, stronger password or they simply don't take the time to come up with some crazy complex string that they have no chance of remembering.

I was just talking with someone who gave me some great advice.Marc Boroditsky, president and CEO of New York-based PassLogix, was talking with me recently about passwords and the trouble that weak ones can cause on a network or a personal computer. If you use a password that's easy to figure out (CFOs need to stop thinking they're clever using 'moneyman'), hackers will blow right by the weak defense. And if you use the same password for everything from your corporate login to your online dating site to your bank account, one solved password gives a hacker access to every online aspect of your life.

OK. OK. I know most of us know this, but it hasn't stopped us from using one lame password after another -- or using the same lame password over and over, year after year. It's simply a hassle to come up with strong passwords (a mix of letters, numbers, and even upper and lower case). And it's no picnic to have to remember them all, especially since Boroditsky told me that one-third of all users have 15 or more passwords. And the average user has 10 passwords just for their job.

Boroditsky gave me some good advice -- the structure he uses for his own passwords.

First come up with two to three letters for the name of the application, followed by a two to three letter acronym, followed by two to three numbers, which could be the year, a special date, or a special number.

It sounded a little confusing to me at first, but it's really pretty simple.

Boroditsky explained that he's a baseball fan so his acronym would be based on "go Yankees," so that it would be "gy." And say a special anniversary is Sept. 13, so his numbers would be "913." That means his password for an SAP application would be sapgy913. If it's a password for a Wells Fargo bank account, the password would be wfgy913.

Only the letters for the name of the application change. He noted that he might keep the acronym and date the same for three months, six months ... it just depends on what he's comfortable with.

This kind of password doesn't include any names, nicknames, or anything else easy for hackers to guess.

"There's no way you're going to guess that randomly," said Boroditsky. "It's personalized. And it's a little bit of a system to get back to the password when I need it. You could switch the sequence but always do it the same way so you can recall it when needed."

What about you? Have a fool-proof way of coming up with a strong password? If you do, let us know how you do it.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Edge-DRsplash-10-edge-articles
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
Commentary
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3200
PUBLISHED: 2021-05-18
Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service
CVE-2021-32305
PUBLISHED: 2021-05-18
WebSVN before 2.6.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the search parameter.
CVE-2020-20951
PUBLISHED: 2021-05-18
In Pluck-4.7.10-dev2 admin background, a remote command execution vulnerability exists when uploading files.
CVE-2020-23861
PUBLISHED: 2021-05-18
A heap-based buffer overflow vulnerability exists in LibreDWG 0.10.1 via the read_system_page function at libredwg-0.10.1/src/decode_r2007.c:666:5, which causes a denial of service by submitting a dwg file.
CVE-2020-24740
PUBLISHED: 2021-05-18
An issue was discovered in Pluck 4.7.10-dev2. There is a CSRF vulnerability that can editpage via a /admin.php?action=editpage