In a perfect world none of this would be necessary, because we could trust each other not to break into each other's houses, telephones or bank accounts, or to send the boss offensive e-mails from each other's accounts. Unfortunately, this is not a perfect world. Passwords are necessary to protect the security of our personal information, our business, and our day-to-day transactions and communications.
The standard "memory" tricks, such as post-it notes, birthdays, a wife's name, or stock words and phrases, are not recommended. I remember one end-user who complained about the need to remember so many passwords and change them at regular intervals. His solution was to use his wife's name for three months, then his anniversary date for the next three, and then revert to his wife's name. It's no wonder our secrets aren't safe!
When creating new passwords, remember two main issues: security and efficiency. Passwords should be difficult to crack, but still easy to create and remember. There are some simple tricks that make this task easier. One is to use two words together; this confounds most simple brute-force attacks that simply run through a dictionary of words. Another is to purposely misspell a word in some manner that is easily remembered. Use both upper- and lower-case characters in an unusual way (unUSual cApiLIzation). Many people swap numbers for similar-looking letters, such as replacing the letter "O" with a zero.
Passwords alone don't offer sufficient protection, even when these recommendations are followed. The proper use of passwords must be combined with strict security policies and an overall positive security posture or climate. Security will only work when implemented from the top down. Proper policies must be established outlining mandatory security procedures, and they must be reinforced by effective network administration. Consideration must be given to password length, expiration, and lockout thresholds. Additionally, passwords should be required to contain upper- and lower-case, special, and numeric characters. Combining all these measures forces a would-be hacker to fall back on a brute-force technique that is extremely time-consuming. Generally, if it takes too long, they just won't bother, and that's just what we want. After all, if your information is worth having, it's worth protecting.
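To make the two preceding paragraphs concrete, the following Python example (added here; it is not code from the original article) checks a candidate password against the composition rules described above (length, upper- and lower-case, numeric and special characters, not a plain dictionary word) and then estimates how large the brute-force search space becomes once every character class is required. The minimum length, the tiny common-word list and the guess rate of ten billion guesses per second are constructed assumptions for illustration, not figures from the article.

```python
import math
import string

# Policy values below are constructed for this example; an organisation's own
# policy supplies the real thresholds.
MIN_LENGTH = 12
REQUIRED_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
# A deliberately small stand-in for a real dictionary of common words.
COMMON_WORDS = {"password", "summer", "welcome", "letmein"}


def check_policy(password, min_length=MIN_LENGTH):
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    chars = set(password)
    for name, charset in REQUIRED_CLASSES.items():
        if not chars & charset:
            failures.append(f"no {name} character")
    if password.lower() in COMMON_WORDS:
        failures.append("appears in common-word list")
    return failures


def keyspace_bits(password):
    """Search-space size in bits, assuming the attacker knows only which
    character classes the policy allowed (a policy-level estimate, not a
    measure of how guessable one specific password is)."""
    chars = set(password)
    alphabet = sum(len(cs) for cs in REQUIRED_CLASSES.values() if chars & cs)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def brute_force_years(password, guesses_per_second=1e10):
    """Expected time in years to search half the keyspace at the given guess
    rate; the default rate is a constructed assumption for illustration."""
    total_guesses = 2 ** keyspace_bits(password)
    seconds = (total_guesses / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("summer", "bRidge-tOmat0-lamp1"):
        print(candidate, check_policy(candidate) or "OK",
              f"{keyspace_bits(candidate):.1f} bits",
              f"{brute_force_years(candidate):.2e} years")
```

The comparison shows the point the article makes: a six-letter lower-case word is exhausted in a fraction of a second, while a longer passphrase built from two misspelt words with mixed case, a digit and a separator pushes the policy-level search space past 120 bits. The lockout threshold the article also mentions is enforced on the authentication server rather than in a checker like this one.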