Secure Passwords
Thursday, March 2nd, 2006

Way back on episodes 4 & 5 of the Security Now podcast with Steve Gibson and Leo Laporte, the topic of discussion was “Personal Password Policies”. Most people know that you should change your passwords every six months, but how many of those who actually go to the trouble come up with something better than their dog’s name or favorite color?
Of the various techniques mentioned in the podcast, there were at least two that I had already partially implemented in my own password creation routine. The first is the idea of a tiered password system. For example, you might have one password for your banking and other high-security logins, another for email and shopping sites, and a less secure password for general sites that require registration for some annoying reason. This way, if someone managed to figure out your MySpace password they wouldn’t also have the password to your bank account. The second idea is blending a word (maybe the name of your dog, or something else you might be tempted to use as a password on its own) with a number by interleaving their characters (the podcast calls this “hashing”, but it has nothing to do with cryptographic hashing; it is simply alternating one character from each component). So if your dog’s name is Sparky and your zip code is 12345, you would end up with the password “s1p2a3r4k5y”. It should be fairly obvious why this password is significantly more secure than just “sparky”: it can’t be found in a dictionary, at 11 characters it’s reasonably long, and by mixing two separate components, someone trying to figure out your password would not only need to know two significant things about you but also how you combined them. Note that the combining rule is the only part that is actually secret; the word and the number are personal facts, so the scheme holds up against dictionary and brute-force guessing, not against someone who knows you and can guess the pattern.
The new ideas I learned from Security Now were additional methods of coming up with the components of a mixed password, and also unique ways of combining those elements. For example, instead of using “sparky”, you could use the site’s domain name and insert digits (phone number, zip code, birth year, etc.) in a predetermined way, creating a unique password for every website. For added security you could then swap every other pair of characters, or add 1 to every other digit, or something along those lines. If you go this route, then instead of just coming up with a different password for each security “tier”, you could come up with a unique password-creation algorithm for each level: perhaps the lowest-priority tier shares one identical strong password, while passwords for the higher tiers are derived from the domain name or something of that nature. The trade-off is that every password in a tier now depends on one rule, so if two of your passwords for that tier are exposed side by side, the rule (and therefore every other password built with it) can be reconstructed from them.
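The scheme described in the last two paragraphs, as an added example in Python (not code from the post or from the Security Now podcast): an interleave step that reproduces the post’s “sparky” + “12345” result, the two extra transforms mentioned above (swapping every other pair of characters and adding 1 to every other digit), and a per-tier derivation that uses a fixed shared password for the low tier and a domain-dependent one for the higher tiers. The function names, the tier names, the “example.com” domain and the sample digits are all assumptions made for illustration.

```python
"""Added example: interleaving and per-site password derivation as described in the post.
Function names, tier names and sample inputs are illustrative assumptions."""


def interleave(word: str, digits: str) -> str:
    """Alternate one character from `word` and one from `digits`.

    Whichever component is longer has its leftover characters appended, so
    'sparky' (6 chars) + '12345' (5 digits) -> 's1p2a3r4k5y' (the post's example).
    """
    out = []
    for i in range(max(len(word), len(digits))):
        if i < len(word):
            out.append(word[i])
        if i < len(digits):
            out.append(digits[i])
    return "".join(out)


def swap_alternate_pairs(s: str) -> str:
    """Swap every other pair of characters: positions 0-1, 4-5, 8-9, ...
    'abcdefgh' -> 'bacdfegh'. A trailing unpaired character is left alone."""
    chars = list(s)
    for i in range(0, len(chars) - 1, 4):
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
    return "".join(chars)


def bump_alternate_digits(s: str) -> str:
    """Add 1 (mod 10, so 9 wraps to 0) to every other digit, counting digits only and
    leaving letters in place: 's1p2a3r4k5y' -> 's2p2a4r4k6y'."""
    out = []
    seen = 0
    for c in s:
        if c.isdigit():
            if seen % 2 == 0:
                c = str((int(c) + 1) % 10)
            seen += 1
        out.append(c)
    return "".join(out)


def site_label(domain: str) -> str:
    """Reduce a hostname to its first label so 'www.example.com' and 'example.com'
    give the same password: both -> 'example'. (Assumed normalisation rule.)"""
    parts = domain.strip().lower().split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    return parts[0] if parts else ""


def derive_password(domain: str, digits: str, tier: str, shared_low: str) -> str:
    """Per-tier derivation as sketched in the post (tier names are assumptions):
      low    -> one identical strong password shared by all low-priority sites
      medium -> domain label interleaved with the digits
      high   -> medium result, then pairs swapped and alternate digits bumped
    """
    if tier == "low":
        return shared_low
    base = interleave(site_label(domain), digits)
    if tier == "medium":
        return base
    if tier == "high":
        return bump_alternate_digits(swap_alternate_pairs(base))
    raise ValueError(f"unknown tier: {tier!r}")


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(interleave("sparky", "12345"))                        # s1p2a3r4k5y
    for tier in ("low", "medium", "high"):
        print(tier, derive_password("www.example.com", "12345", tier, "Tr0ub4dor&3"))
```

Running the script reproduces the post’s “s1p2a3r4k5y” and then prints one password per tier for example.com; the medium and high tiers change with the domain while the low tier does not, which is exactly the layering the post proposes. Because `derive_password` is deterministic, it also makes the earlier caveat concrete: anyone holding the digits and the rule can regenerate every password in a tier.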
I know I probably didn’t really explain this clearly so if you are interested in coming up with some really secure password methodologies, I really recommend listening to the podcast linked above or just ask questions in the comments and I can elaborate. Now though, it’s time for me to go change some passwords!