Password Security: Are You at Risk?, Part 2


This is the second installment of a two part series on good password practices (part 1 is here).

You may recall that I previously discussed some poor and all-too-common password practices that people use. And while it's good for us to know what not to do, we also need to educate ourselves about the right way to choose and manage passwords. So without further ado, let's get started!

How Passwords are "Cracked"

To begin, a good password is difficult to guess. A good password will not be tied or related to any publicly known information about you, including your kid's names, pet's names, phone numbers, etc. You want to choose a password that no one could ever guess. Even more, a good password will not be found in the dictionary.

Why is this important?

One of the most popular ways to crack a password is a method known as a dictionary attack. Just as the name implies, a dictionary attack cycles through a list of words and tries each one as a "guess" for a user's login. So if any of your passwords include a word found in a dictionary, you would be well served to choose a different one. Note that an attacker's "dictionary" can be any list of words, not just those found in the Oxford English Dictionary.

How to Choose a Good Password

Though everyone has slightly different criteria for choosing a password, I believe a good password is at least 7 characters long, includes a combination of letters, numbers, and symbols (! @ # $, etc.), and is easy to remember. After all, if you can't remember your password then what good is it?

Secondly, a password should be changed on a regular basis (every 60 days, for example). Cracking a strong password can take several weeks, so changing it every 60 days makes it very difficult for an attacker to guess your password before it has been replaced.

Another good tip is to keep your passwords unique: one per computer system. In today's Internet, we have passwords for everything -- Amazon, eBay, online banking, and the list goes on. Though it's ultimately a trade-off between security and manageability, ensuring your passwords are unique per system limits the damage if one of those passwords becomes compromised.

Finally, a good practice is to keep your passwords to yourself! That includes not sharing passwords with friends or coworkers, and it also means not writing them down. I don't think there's a corporation in the world that doesn't have a handful of employees who insist upon writing their passwords on sticky notes for easy reference. And while I agree this is convenient, it is not without cost. Remember, security can sometimes be the opposite of convenience.

How to Remember a Strong Password

I'd like to close this series by sharing with you one of my favorite tricks for coming up with a strong password. As I stated above, a strong password is difficult to guess yet easy to remember. To meet both requirements, I will often take a common phrase or quote and use the first letter of each word to generate my password. For example, Home Depot has a slogan, "You Can Do It. We Can Help!". Using this example, a strong password might be:

YcdiWch!

Notice I mixed up the capitalization a bit, and appended an exclamation mark to the end. You could further strengthen this password by adding a number; for example, you could either put a "1" in place of the "i" (the two characters look alike), or perhaps add a "2" at the end of the password to signify that the password is made up of two sentences. Doing this, our password would become:

Ycd1Wch!2

As you can see, this is a very strong password that meets all of our requirements: it's at least 7 characters, uses a mixture of capitalization, and includes letters, numbers, and special symbols. Furthermore, it's easy to remember since it's based on a popular slogan.
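To make the three ideas above concrete (the dictionary check, the "at least 7 characters, letters, numbers, symbols" rule, and the first-letter-of-each-word mnemonic), here is an added example in Python. It is not code from the article or from Infopackets; the wordlist is a constructed stand-in for a real dictionary file, and the table of digit-for-letter substitutions that the checker undoes before looking a word up is my own assumption about what a wordlist-based guess would also try. The checker reports which of the article's rules a candidate fails, and the mnemonic functions reproduce the "YcdiWch!" and "Ycd1Wch!2" steps from the slogan.

```python
"""Password policy checker plus phrase-to-password mnemonic (added example)."""
import re
import string

# Constructed, deliberately tiny wordlist standing in for a real dictionary
# file (a real check would load something like /usr/share/dict/words plus
# lists of common passwords).
WORDLIST = {
    "password", "welcome", "sunshine", "dragon", "monkey",
    "help", "can", "home", "depot",
}

MIN_LENGTH = 7  # the article's minimum

# Assumed common look-alike substitutions ("1" for "i", "@" for "a", ...).
# The checker undoes them before the dictionary lookup, because a wordlist
# attack will try them too: "P@ssw0rd" is still "password" in disguise.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def contains_dictionary_word(password, wordlist=WORDLIST, min_word_len=4):
    """True if the password contains a dictionary word after lowercasing and
    undoing look-alike substitutions. Very short words are skipped so an
    acronym is not rejected merely for containing "can" by accident."""
    normalized = password.lower().translate(LEET)
    return any(len(w) >= min_word_len and w in normalized for w in wordlist)


def check_policy(password, wordlist=WORDLIST):
    """Return the list of rules the password fails; an empty list means it
    satisfies all of the article's criteria."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if not any(c.isalpha() for c in password):
        failures.append("no_letters")
    if not any(c.isdigit() for c in password):
        failures.append("no_digits")
    if not any(c in string.punctuation for c in password):
        failures.append("no_symbols")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("no_mixed_case")
    if contains_dictionary_word(password, wordlist):
        failures.append("dictionary_word")
    return failures


def _sentences(phrase):
    """Split a phrase on sentence-ending punctuation, dropping empty pieces."""
    return [s.strip() for s in re.split(r"[.!?]+", phrase) if s.strip()]


def mnemonic(phrase):
    """First letter of each word; the first letter of each sentence stays
    upper-case, the rest are lower-cased; the phrase's closing punctuation
    mark, if any, is appended as the symbol ("You Can Do It. We Can Help!"
    -> "YcdiWch!")."""
    parts = []
    for sentence in _sentences(phrase):
        initials = [word[0] for word in sentence.split()]
        parts.append(initials[0].upper() + "".join(c.lower() for c in initials[1:]))
    password = "".join(parts)
    if phrase and phrase[-1] in string.punctuation:
        password += phrase[-1]
    return password


def strengthen(phrase):
    """The article's second step: swap "i" for the look-alike "1" and append
    the number of sentences the phrase is made up of ("Ycd1Wch!2")."""
    return mnemonic(phrase).replace("i", "1") + str(len(_sentences(phrase)))


if __name__ == "__main__":
    slogan = "You Can Do It. We Can Help!"
    for candidate in (mnemonic(slogan), strengthen(slogan), "P@ssw0rd1", "monkey"):
        print(f"{candidate!r:14} fails: {check_policy(candidate) or 'none'}")
```

Running the block shows why the article's second step matters: "YcdiWch!" fails only the number rule, "Ycd1Wch!2" passes every rule, and "P@ssw0rd1" passes the length and character-class rules yet is still rejected because it is a dictionary word once the substitutions are undone.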

Taken together, this is a powerful method for generating strong passwords. Couple such a password with sound password management practices and you're well on your way to mitigating the risk of a password compromise!

For more great tips like this one, be sure to download David's free security newsletter to your mailbox, today!
