I go on and on about security and specifically password complexity, but I should probably write something specifically about the strength and complexity of the passwords you choose.
Let’s first look at passwords you shouldn’t use: people, pet, book, film and place names are a massive no-no. In fact, just don’t use any name. They’re exceptionally easy to guess or obtain. Do not use dates of birth, your lucky lotto numbers, your phone number or your house number. Again, you don’t want to make it easy for someone to guess your password. Even if they can guess only some of it, it will still make it considerably easier to hack. Finally, unfortunately, it’s no longer enough to just replace letters with special characters when writing words. For example, you cannot write the word Dublin as Dubl1n. Lookup dictionaries are used by automated password hacking programs to check for this type of thing.
There is one form of brilliant password but I’ll explain that to you in a moment.
For a traditional password I suggest you use the following rules when creating one.
- The password should be a minimum of 9 characters. Notice it’s not 7 anymore? Unfortunately, as password hacking programs evolve, the complexity and strength of passwords must evolve faster.
- A password should contain a minimum of 2 uppercase letters, 2 lowercase letters, 2 symbols and 2 numbers.
- You should never write down your password.
- You should change passwords every 30 to 90 days depending on the importance of the data or system you are protecting. For example, I change my main password manager’s password every 14 days. This protects my other passwords, so it’s important that it’s regularly updated. I have a password that I use for my test Linux virtual machine. This is updated every 90 days because it’s not protecting any important data and it’s only connected to a handful of systems.
An example of a secure 9 character password is:
I try to stay away from using symbols such as the at sign and the quotation mark because these can symbolise the end of a password in some systems so they may cause conflicts. Of course, I choose the characters in my password based on the application it’s protecting so that I have some way of remembering them. This might mean that for a Linux box running Fedora I start the password with a capital F. Of course, it goes without saying that I’m giving misleading information here as I’m not going to be stupid enough to give you a hint that would empower you to hack my passwords but the policy I follow helps me to remember my various passwords while being completely obscure to everyone else. The skill of creating highly complex passwords is something you learn over time. Everyone has their own technique, their own standards and their own way of remembering passwords. On the point of remembering passwords, remember there are applications out there specifically designed to help with this.
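The rules above can be checked mechanically. The following is an added example, not code from the original post: a Python checker for the length and character-count rules, the symbols to avoid, and the Dubl1n-style substitution problem. The word list, the substitution table and the sample passwords are constructed for illustration.

```python
import string

# Constructed sample word list (assumption); a real check would load a full
# dictionary plus lists of people, pet, book, film and place names.
SAMPLE_WORDS = {"dublin", "password", "fedora"}

# Common letter-for-symbol swaps that lookup dictionaries already cover.
# Simplified: each character maps to a single letter.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "!": "i", "@": "a", "$": "s"})

# Symbols the post avoids because some systems treat them as delimiters.
RISKY_SYMBOLS = set('@"')


def check_password(password, words=SAMPLE_WORDS):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < 9:
        problems.append("shorter than 9 characters")
    counts = {
        "uppercase letters": sum(c in string.ascii_uppercase for c in password),
        "lowercase letters": sum(c in string.ascii_lowercase for c in password),
        "numbers": sum(c in string.digits for c in password),
        "symbols": sum(c in string.punctuation for c in password),
    }
    for kind, found in counts.items():
        if found < 2:
            problems.append(f"fewer than 2 {kind}")
    if RISKY_SYMBOLS & set(password):
        problems.append("contains @ or a quotation mark")
    # Undo the letter swaps, then look for dictionary words inside the result.
    normalised = password.lower().translate(LEET_MAP)
    for word in sorted(words):
        if word in normalised:
            problems.append(f"contains the word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed samples for the demonstration only; do not reuse them.
    for sample in ("Dubl1n", "P@55w0rdXY!!", "Kq7#vR2%xw"):
        print(sample, "->", check_password(sample) or "passes")
```
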
Taking a step forward away from passwords, we have pass phrases. What most people don’t realise is that standard password fields generally don’t have a maximum limit. Or, if they do have a maximum size, it’s about 250 characters. Why not use sentences or phrases instead of passwords? Of course, these phrases can’t just be words and names. That would become equally easy to hack, albeit over a longer duration. That’s something I should probably mention: the longer your password, the longer on average it takes for a password hacking tool to determine what it is. Therefore a pass phrase should cause password hacking tools to take much longer to hack your account. The longer it takes to hack an account, the more likely it is that the system’s intrusion protection system or firewall will recognise the attempts and block the offending system’s IP address.
Good pass phrases will be sentences that include as many letters between A and Z as possible. Of course, like passwords, it’s great if you can add in a few capital letters, numbers and special characters.
For example, a great pass phrase is something like this:
The big brown dog jumped over the lazy fox.
Written as a strong pass phrase this would become something like:
Th3 b!g Br0wn D0g Jump3d 0v3r Th3 l@zy F0x.
Ok. I’m replacing letters with symbols and numbers here. That’s not always a good idea but it at least gets us started.
I use a pass phrase like this for almost every important system that requires a password. So should you!