Saturday, July 27, 2013

Picking a good password

Why do we need to have a "strong" password?

Currently, passwords are our only protection for the confidentiality of data, since they are the only part of a username/password combination that truly remains secret. This protection extends from your company data, in the case of information that is protected by your Windows logon, to your own personal data.

Current viruses and worms come pre-programmed with a large list of weak or common passwords, allowing them to access your machine effortlessly if one of these passwords matches the one on your account. [Note that some viruses have now started to target accounts in applications such as Microsoft SQL or MSDE that have weak passwords. It is important to choose strong passwords in applications as well as for login accounts.]

What are some things to avoid when selecting a password?

Never use the name of a pet, spouse, or child as a password, as these can be obvious choices to anyone wishing to attempt to access your account.

Telephone numbers, birth-dates and other personally identifiable information are also not a good choice, as they are also easily guessed.

Words that are in the dictionary of any language are also poor choices. Many programs designed to guess passwords are programmed to try these first.

Simple substitution (i.e. changing '1' for 'I' or '2' for 'Z') is not a good strategy, as many password guessing programs take these sorts of substitutions into account.

What are some good strategies for selecting a good password?

The paradox in the security of passwords is that in order for a password to be strong, it needs to be hard to guess, while in order for it to be useful to the person who needs it, it needs to be easy to remember. If it is hard to guess, it is not usually easy to remember. The trick is to make the password something that is meaningful only to yourself.

For example, you could take the phrase "I like to eat Apple on Sundays."
(Assuming that you do like to eat kiwis on Tuesdays.)
    • This can be abbreviated as ILTEAOS.
    • By inserting some special characters into the phrase, this can be expanded to IL&TE$AOS.
    • By adjusting the case of some of the letters, you can make this even more difficult to guess: Il&tE$aOs.
Therefore - you have your own personalized password that is easy for you to remember, but very difficult for someone to guess.
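As an added example (not part of the original post), here is a small Python checker that applies the rules above: it undoes the simple substitutions that guessing programs try, compares the result against a constructed stand-in for their wordlists, and flags phone numbers, dates and personal details. WEAK_WORDS, SUBSTITUTIONS and the `personal` items are assumptions constructed for this illustration, not real wordlists.

```python
import re

# Constructed stand-in for the wordlists that password-guessing programs
# ship with. A real checker loads a full dictionary plus a list of
# breached/common passwords; these entries only illustrate the checks.
WEAK_WORDS = {"password", "welcome", "letmein", "qwerty", "apple",
              "kiwi", "sunday", "tuesday", "secret", "monkey"}

# Simple substitutions that guessing programs undo before comparing
# ('1' for 'I', '2' for 'Z', '$' for 'S', and so on). Constructed table.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "2": "z", "3": "e",
                               "4": "a", "5": "s", "7": "t", "@": "a",
                               "$": "s", "!": "i"})


def normalize(password):
    """Lower-case and undo leet-style substitutions: 'Pa$$w0rd' -> 'password'."""
    return password.translate(SUBSTITUTIONS).lower()


def weaknesses(password, personal=()):
    """Return the rules from the post that `password` breaks (empty list = none).

    `personal` holds what an attacker could learn about the user: pet, spouse
    or child names, phone numbers, birth dates. Items are compared after
    normalize(), so 'Fluffy2013' still matches the pet name 'Fluffy'.
    """
    found = []
    norm = normalize(password)
    if len(password) < 8:
        found.append("too short")
    # Dictionary word, possibly padded with trailing digits ('apple123').
    core = normalize(password.rstrip("0123456789"))
    if core in WEAK_WORDS:
        found.append("dictionary or common word (after undoing substitutions)")
    # Mostly digits: a phone number, a birth date, or similar.
    digits = re.sub(r"\D", "", password)
    if len(digits) >= 6 and len(digits) >= len(password) - 2:
        found.append("looks like a phone number or date")
    for item in personal:
        if normalize(item) in norm:
            found.append("contains personal information: " + item)
    return found
```

Run against the post's own steps, the bare abbreviation ILTEAOS is rejected only for length, while the final Il&tE$aOs passes every check.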

Of course - keep in mind that this example, and any others that you may read on-line, would be bad choices for passwords, as people with bad intentions can read them just as easily as you can.

What are some good strategies to protect my password, now that I have chosen a strong one?

Never write your password down on a Post-it note, or try to hide it somewhere around your workspace. There truly are not very many original hiding places, and anyone who has access to your office would have an opportunity to find this valuable secret.

Never provide anyone with your password. No one needs to know your password but you. If you forget your password, support personnel have the ability to reset your password, but you should never be asked to reveal your password.

There is mention of "strong" passwords, but not "secure" passwords. Why is this?

This is intentional. Passwords are generally not considered secure, since it is only a matter of time before a password cracking program will be able to decipher them, or guess them through brute force. This is one of the reasons that it is required to change your password regularly, currently every 3 months. As computers become more powerful, cracking passwords becomes faster, and the need to change to a new password more frequently becomes even more important.

Until then, you can always follow the advice of Clifford Stoll, and treat your password like a toothbrush:

    • Get a good one
    • Use it every day
    • Change it regularly
    • Never share it with anyone.
