Passwords - a guide to managing them with less personal risk
Summary and examples
Allowing passwords to be compromised is unavoidable in many situations,
especially when using low-grade web sites or trivial technology
where they are often stored with no protection at all.
Compromised passwords can easily become a 'ladder' up
which an attacker can climb to reach
their financial and 'ownership' objectives over whichever
of your assets are most attractive to them.
It is therefore critical to think of, and use, your passwords in terms of
'levels' or zones, keeping each level very distinct from the others
so that there is no 'ladder' to climb.
To create these 'levels' you simply need your own set of 3 separate levels
(including rules) plus 'special' levels for the very most risk-laden sites
that you use. By creating passwords this way you can isolate the risk you take
between 'serious' and 'trivial' levels and keep them easy to remember despite
them being difficult to crack by brute force or dictionary attacks.
You must have at least three because 'trivial' web sites don't even protect
passwords at all so they need a separate level to themselves.
The other two (or ideally 3) levels have to separate those
organisations that you can trust from those that you can't.
These rules can be simple -
adding just 2 unrelated uppercase letters to a typical
lowercase password can easily make it a thousand times stronger!
Try the Password strength
calculator below to test yours!
Technological loopholes are plentiful but as at Oct 2007 the very weakest
are: e-mail, wireless routers and PCs plus any mobile technologies such
as phones, PDAs, laptops etc.
See Technologies at risk if you want to know why.
Summary over but in case you need examples...
The worst possible passwords are (worst 1st!):
- Any single word, name, team name, place, date or public figure;
adding a single or double digit (especially '1' or a recent year)
at the end is virtually worthless as a password
- Information about you or anything or anyone in your household,
family, pets etc. that could have been recorded by any institution
or individual - don't forget yourself as a source of leaks!
N.B. You should assume that several of the institutions that
you interact with have been compromised, as access
to your personal information will
often be freely available to their staff even if
their whole customer database hasn't been stolen online,
or by someone with technology as common as a memory stick!
- As either of the above but with short numbers at the end or trivial
substitution of letters by numbers - 'password' or, just as bad, 'pa55w0rd'
for example
- Any phrase, multiple words/names etc.
that are in common use - david beckham, manchester united, free beer etc.
- Any simple and/or short combinations of items from #1 above
- Any simple and/or short combinations of items from #2 or #3 above
You may be wondering whether SIZE matters and the answer is yes,
BUT any common word or name only adds 2 or at the
very most 3 to the effective length from a complexity point of view
because it is in a dictionary, even if obscured with number replacement etc.
So even if you use two UNRELATED common words that are EACH 5-7 characters
long, that is only as good as a total of 4-5 unrelated characters.
If there is one moral to be learnt about passwords it is:
Yes, length, i.e. size, does matter BUT it needs both (1)
variety of characters used, i.e. not just lower case letters
and numbers, AND (2) at least one secret, ideally well-disguised,
to avoid the simplest levels of hacking.
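As an added example (not code from the original page), the following Python models the argument above: a dictionary word is treated as ONE choice from a word list rather than as a run of independent characters, and the resulting search space is compared with the naive per-character view. The word list and its assumed size (10,000) are assumptions, not figures from the page; with that size a single common word comes out at roughly 3 lowercase letters' worth.

```python
"""Rough guess-count estimator for the password advice above.

Added example, not code from the original page.  A password is split
into tokens: a dictionary word is ONE pick from a word list, anything
else is a pick from a character pool.  The word list and its size are
assumptions.
"""
import math
import re

# Constructed stand-in for a cracking word list (a real one is far larger).
COMMON_WORDS = {"password", "free", "beer", "tonight", "green", "cat", "easy",
                "type", "david", "beckham", "manchester", "united", "holidays"}
# Assumption: the short list of most-common words a cracker tries first.
ASSUMED_DICTIONARY_SIZE = 10_000
MAX_WORD_LEN = 12

# Character pools an attacker must search, by class.
LOWER, UPPER, DIGIT, PUNCT = 26, 26, 10, 32

# Cracking tools undo 'pa55w0rd'-style substitutions before dictionary lookup.
_UNDO_LEET = str.maketrans("0134579", "oleastg")


def char_pool(chars: str) -> int:
    """Size of the smallest character set that covers every char in `chars`."""
    pool = 0
    if re.search(r"[a-z]", chars):
        pool += LOWER
    if re.search(r"[A-Z]", chars):
        pool += UPPER
    if re.search(r"[0-9]", chars):
        pool += DIGIT
    if re.search(r"[^A-Za-z0-9]", chars):
        pool += PUNCT
    return pool


def brute_force_guesses(pw: str) -> int:
    """Naive view: every character is an independent pick from the pool."""
    return char_pool(pw) ** len(pw)


def tokenize(pw: str) -> list:
    """Greedy longest-match split into ('word', text) and ('char', c) tokens."""
    tokens, i = [], 0
    while i < len(pw):
        for length in range(min(MAX_WORD_LEN, len(pw) - i), 2, -1):
            piece = pw[i:i + length]
            if piece.lower().translate(_UNDO_LEET) in COMMON_WORDS:
                tokens.append(("word", piece))
                i += length
                break
        else:
            tokens.append(("char", pw[i]))
            i += 1
    return tokens


def dictionary_aware_guesses(pw: str) -> int:
    """Search space when each common word counts as a single choice."""
    tokens = tokenize(pw)
    leftover = "".join(text for kind, text in tokens if kind == "char")
    pool = char_pool(leftover) if leftover else 1
    guesses = 1
    for kind, _ in tokens:
        guesses *= ASSUMED_DICTIONARY_SIZE if kind == "word" else pool
    return guesses


def equivalent_lowercase_length(guesses: int) -> float:
    """How many independent lowercase letters give the same search space."""
    return math.log(guesses) / math.log(LOWER)


def strength_ratio(weaker: str, stronger: str) -> float:
    """How many times more brute-force guesses `stronger` needs than `weaker`."""
    return brute_force_guesses(stronger) / brute_force_guesses(weaker)


if __name__ == "__main__":
    for pw in ("pa55w0rd", "freebeer", "Easy2type", "Z4bvrlBA", "9ebgreNcT,A"):
        naive, aware = brute_force_guesses(pw), dictionary_aware_guesses(pw)
        print(f"{pw:12} naive 2^{math.log2(naive):5.1f}  "
              f"dictionary-aware 2^{math.log2(aware):5.1f}  "
              f"~{equivalent_lowercase_length(aware):.1f} lowercase letters")
    print("lowercase + 2 uppercase, ratio:", strength_ratio("holidays", "holidaysQZ"))
```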
Introduction, what you can do yourself and what are the known pitfalls
Firstly you need to understand a few aspects of the risk because they
dramatically change the steps you need to take in different situations.
Cracking passwords - how often can an attacker attempt access?
As well as a list of things that you should never do on a PC there are
also critical differences which depend upon the competence of the company
or individual that manages access to the relevant password store.
You should assume that 99.5% of PCs (home to medium-sized business)
and 95% of web sites which ask you to register and log in
will be vulnerable to physical or remote
theft of the database of login passwords - PC or Web.
This is of crucial importance because those .5% of PCs and 5% of web sites
that DO restrict access pose a much, much greater challenge to a potential
attacker and unless the rewards are obviously very high they will either
try to attack someone else or attack you via a weaker web site, PC or other
method such as phishing, Trojans etc.
Most banks and the larger building societies have extreme controls to
protect the database and to SOME degree that means that the passwords
to use with them do not need to be as complex and lengthy.
However, what then becomes critical is that your passwords on the secure
systems must be very different from those that are at risk from attackers!
If the password on an XP PC is less than 15 characters long then there
is a good chance that it can be cracked in minutes!
See
http://en.wikipedia.org/wiki/LM_hash
for a brief description of how bad it is.
There are some attacks on passwords which are virtually unstoppable
(and therefore not discussed here - see WikiPedia link below) but
unless you make a 'classic mistake' such as (in no particular order!):
- (Down)loading software from any site, CD or memory
stick where the owner is not a known, trusted
source who is also competent and vigilant
(N.B. Active-X, as in Internet Explorer is software!)
- Not installing or maintaining at least a personal
Firewall (not just XP's) and an Antivirus program.
- Allowing a PC hard drive or backup media to leave your possession
without having a professional disk wiping program
applied to the hard drive.
- Opening any attachment or web site link from anyone that you were
not expecting. The latter isn't a major risk if (1) you trust the
sender (and their PC competence!) and
(2) you are using Firefox instead of Internet Explorer (IE) or
(3) you have changed the settings of IE to make it more secure.
- Using Microsoft Internet Explorer with the default
security*¹ settings, especially if Active-X is enabled
- Giving physical access to your PC to anyone (esp. children)
that could have done any of the items listed here, even if not intentionally.
- Revealing a password to anyone in person, by telephone, text or even
any web site if it is not protected by a 'padlock' (technically SSL or HTTPS).
Note that lowest risk sites ARE OK without the padlock as long as you adopt
the principle of levels as recommended in this document
- Not downloading Microsoft critical security fixes every month -
should normally be automatic
- Installing software which communicates directly to other PCs such
as (1) File Sharing - Peer to Peer or P2P as it is called
or (2) Messaging software, unless it is strictly configured and controlled
- Writing a password down, even if you think you have done so
cryptically and especially if the paper (or document!) is within arm's length
of, or even on, your PC! The latter risk is dependent upon many other
factors in a 'chicken and egg' manner.
- Logging on to a site when using a PC that is accessible to the
public - library, Internet café etc.
Then if you haven't done any of the above, you
haven't widely publicised personal information about yourself
(e.g. MySpace, YouTube, Facebook et al.)
and you aren't a millionaire,
then there is a reasonable chance that
the resources and time needed to launch an attack specifically aimed at you
would be high, so you can expect such attacks to be used by governments and other(?!)
serious criminals targeting high-net-worth individuals.
Bear in mind that these types of attack will get
easier and therefore more common so there is no room for complacency.
The latest (December 2007) critical items
Because there are many technologies which you need to interact with in
setting passwords there are several which are of particular importance
and need special and potentially urgent attention (most critical first):
- Wireless router login and network passwords - in brief you need to change
both of them to 2 different and strong passwords and use WPA as the network
security protocol
- E-mail passwords should reflect that many web sites will allow a user
to 'reset' their password by getting the user to make the request at their
site and then sending them an e-mail which has a link or code which will
allow them to regain access to the site.
Some seriously low-grade sites will even send the existing password in the
e-mail, which is even worse than when you ring a call centre and THEY can
tell you your password!
The fundamental rule for password keepers is that they are only
ever stored in an encrypted manner which is one-way, i.e. no-one and
nothing should ever, ever be able to find out what the original password was.
- Despite the attempts of Microsoft to 'plug' the multitude of loopholes
in Internet Explorer I recommend changing the settings - see
Detailed IE Internet Zone Config. However to avoid losing functionality on some sites
you then need to promote them to the 'Trusted' (or 'LAN') zones (see
How to trust a web site) so an easier option for some people may
be to download and use Firefox
http://www.mozilla.com/en-US/firefox/
for normal surfing and only use MS IE for very specific sites that
you trust or cannot avoid such as Windows Update!
- Windows login passwords - this is a huge topic in its own right but simply:
- Any release of Windows prior to XP with Service Pack 2 (SP2)
has no significant password protection whatsoever
- By default, the shortest possible XP password that is secure is
15 characters long
- The good news is that unless your PC has been compromised (see list above)
then the attacker would need physical
access to your PC for 2-3 minutes to extract the password data.
See
http://en.wikipedia.org/wiki/LM_hash
for a brief description of how bad XP is by default.
Also see
http://www.theregister.co.uk/2005/11/10/password_hashes/
for an article on the topic. Bear in mind that as it is more than
two years old, cracking and other capabilities will probably have
quadrupled by now.
How do the attackers operate and with what resources?
Methods of cracking passwords vary but a wide variety
of dictionaries are used extensively, including
(stolen) databases of passwords from prior work!
Brute-force cracking is an alternative method -
trying every possible combination of
characters from those keyable or a subset.
The former is why it is essential not to solely use words,
names, places etc. and the latter is why the length and variety of
characters used within the password is critical.
Your algorithms need to be very different from each other, and the more
important ones should add complexity (not just length) and variety
- also see note*².
The basic methods of gaining access to a password depend upon what else
you can 'reach'.
For instance, if you can gain access to a PC's hard drive, even through a
(wireless?!) network there is a good chance that the PC's and web passwords
can be stolen relatively quickly and easily - probably brute force guessing
of the (encryption) key is easiest as tens of thousands of those per second
can be tried even on a modest PC.
If you don't have access to the actual hard drive - for example a password
on a web site then attacks based on names plus words from dictionaries
plus slang etc. might be the most effective.
Even the most basic interactive web site should however limit the number of
attempts and react against repetition so there are other 'tricks'...
If your browser settings are 'weak' or you allow software to run which
is more than the bare necessities then there is a plethora of online attacks
which only need you to visit a page of the site for your PC to become
compromised and left open to the possibility of your passwords being passed
on to web sites that you really don't want to have them!
Bear in mind that this is a major attack-vector from the Spam e-mails
that you receive that have links within them!
As it is becoming much easier for criminals to gain control of your
wireless router (see background reading below),
that makes the last item very easy as they can change the way in which the
router directs you to web sites, e-mail servers etc.!
The last two paragraphs are about how passwords can be stolen rather
than hacked and if you allow your defences to drop and that happens
then the strength of your password is irrelevant - however, if you
adopt the policy of 'levels' advocated on this page then you
stand a CHANCE of limiting the damage but that still depends on
how badly you have compromised your PC or whatever allowed a password
to be stolen.
What you can do and at what cost
As stated above and detailed in background reading below - there are
two specific passwords which must be ultra-secure -
your router's and, if there is any chance of remote or local access
to your PC, that of your Windows XP login too.
Your e-mail password should already be fairly strong because
it is typically
allocated by your e-mail service provider but that needs to be checked.
Despite lots of technology options there is unlikely to ever be one
that encompasses all that you want and yet remains as accessible but secure
as you need.
The best you are likely to get is one that manages your web site passwords.
Even when you have a tool such as the password manager within Firefox
(an open-source replacement for Internet Explorer)
you need some way of creating the passwords and, as well as
using them, of retrieving them en masse if critically needed.
There is a password export add-on but it would be better as part of Firefox
- but that is another story.
Creating your own algorithms to add the complexity that passwords need
Because some web sites and technologies are just so easy to compromise it
is essential that you have some really 'low grade' passwords because
you cannot afford to let an attacker get onto the first step of the ladder of
escalation that could lead to serious impact on your wealth and health.
If 'algorithms' sounds complex - don't worry - it can be as simple as
this for each level 1-4:
- The password for level one (lowest!) could be 'Easy2type' - i.e.
fixed, not even a real algorithm*³
- Level 2 passwords could start or end with 'L2' and 'secret1' - choose
your own set of 5-8 characters where:
- You choose your own 'L2' but deliberately include 1 upper case character
and 1 number to make it more difficult for the brute force attackers.
Please make your own decision about where the two characters are used
although it is limited with just two.
- 'secret1' is something which you are sure is
(1) not known as a word that you or other related people would normally use and
(2) not in common use and
(3) has some form of mutating effect applied to it - removing all of the
vowels is easy and for this level (#2) you may regard that sufficient.
Then you add something specific to the organisation that you are
creating the password for but if you are making it trivial - e.g. BA (or ba)
for British Airways (or worse still virgin!) then make the fixed piece
longer because you can assume that hackers will assume they
need to try adding the names and/or acronyms of a site to each set of attempts.
So if I was using the BA site and I had chosen 'Z4' for complexity
and 'bovril' as my secret then the password could be 'Z4bvrlBA' or '4bvrlBAZ'.
Do not use this grade of password with any resource that would cause you
any significant pain if it was compromised as these passwords are
not strong enough.
- Level 3 should be a lot harder and a lot different, so in comparison
with the L2 it could be 'XXsecret1YYsecret2ZZ' where the XYZ's are places
that you could introduce the non-lowercase characters as in 'L2' above.
At this level deliberately include a punctuation character as
well as 1 each of upper case, numeric to avoid the brute force attackers
for example '9,A', you MIGHT not be able to use all punctuation but
hopefully you will find 1 character that will be OK.
The rules for secret1 and secret2 could be the same but should not be the
same mutation that you have applied for level #2.
If there is a choice then choose the 'secure login' option when signing in
to these sites - I would be slightly suspicious of the quality of their
I.T. systems if that was not possible and you may want to try the
'reset password' facility to see if they make the classic mistake of sending
you a copy of your existing one - if they do then the site cannot be trusted
higher than a level 1 because of their obvious incompetence OR you
have to make them a (written?) exception with a password that has no
algorithmic content - just 8-10 semi-random characters of your choosing.
So if I was using eBay and I had chosen '9,A' for complexity
and 'green' as secret1 and 'cat' as secret2 then the password could be any of
'9ebgreNcT,A', 'greN,eb9AcT' or 'AebgreN,cT9' as examples if I chose that
order and logic (capital last + remove first vowel) - again please choose your own.
Passwords of this length and complexity are fit for any single web site
that you trust! - the only exposures to them being cracked
(as opposed to being stolen!) are:
- By default, Windows XP would allow them to be discovered in hours
if the PC is compromised as it splits them into 2 * 7 characters if a
set of Rainbow tables encompassed the characters used.
Access to the PC would only need to be 2-3 minutes as it is a very small
datafile that needs to be copied.
The attacker could then return with the cracked password and log in
immediately whenever they had the opportunity.
- If you spread these across a wide range of web sites and one of them got
attacked such that your raw password was exposed (stolen really!) then a
human being MIGHT decide that 'eb' was eBay or that 'ba' was British Airways
and make a very educated guess that the rest was 'static' for this level and
therefore try the appropriate equivalents on other web sites where you
have user names IF they know them.
Web sites at this level should be securing their web site with
a padlock (https or SSL are the technical terms) for the login
process at a minimum and you should be cautious when using any that don't.
- You may be surprised that I would say that level 4 only needs to be
a bit harder but a lot different.
The reason is that the level 3 passwords are already good BUT you don't want
to use your level 4 algorithm for anything more than 3-6 sites which you
deem as absolutely rock solid and of extreme risk
because you don't want the exposure in 3b above.
Bear in mind that many organisations that you would want to protect at this
level will allow you to use a variety of punctuation characters so you may
choose to use more than one.
However there are some web sites in particular that attempt to avoid keyloggers
by presenting a virtual keyboard or mouse-selectable choices. Sadly these sites
often limit the characters that can be chosen to lower case alphabetic.
Web sites at this level will certainly be securing their web site with
a padlock (https / SSL) and you should be extremely wary about any
that don't do this for the whole "session" - even if the login does.
However, the same basic escalation principle applies - better secrets
- probably still only 2 needed but add another if it is still memorable
but not (at all) predictable such as 'free beer tonight'.
The mutation at this level should be very different but that doesn't
mean it has to be more complex - for example, omitting just the letter 'e'
from each of the secrets, or just the first vowel!
I am deliberately not giving many suggestions or examples for level 4 because
you should have seen from level 3 what needs to be done and you should
decide on your own method of making it slightly harder but very
different algorithm just in case level 3 was compromised.
Even if a hacker is still reading this page - I doubt they will still
be interested except for the thoughts of their own pleasure
if they could break into my own bank account!
The above is all about avoiding a 'ladder of escalation' which could
arise from the fact that many devices and web sites provide no real protection
of your passwords and other secrets.
The analogy is with the lamp posts found in areas that are the target of
vandals - there is a ring fence with downward-facing barbs towards the
top - the advice here is simply making that a taller, multi-tier equivalent.
You will always get 'hackers' around the base and some may get above the
first tier but only serious, intentional attackers could get to the top!
When AT HOME - what you can write down to help you remember
An office is normally much more insecure than a home and as
such it would not be sensible to document anything on paper when there.
However, if you consider the risks of theft or discovery of paperwork at
home that relates to passwords, PCs etc. then you MAY have the
option to conceal your secrets, algorithms etc. somewhere secure
or obscure e.g. with other seemingly worthless paperwork BUT
as long as it is physically not close to your PC, valuables, critical
paperwork - passports etc. unless you have a safe which you can trust.
Firstly - something that you CAN document - even on a PC!
You will find out that SOME sites are awkward about the characters they
allow or have other such 'rules'. It isn't actually any significant exposure
to have a Word document or similar PC file which documents these anomalies
as the information is not only in the public domain but the hackers know
these things far better than any of us.
IF you document your algorithms at all then you might also have to find a
way of documenting what you do if:
- No punctuation is allowed - type the word? - 'comma' rather than ','
for example
- Numbers aren't allowed - don't simply use an s for a 5 for instance
but think of your own approach
- Passwords have a minimum OR MAXimum length - what will be your approach?
Noting the restriction in a PC document is not a problem and it can be
referred to whenever you have a problem with a password; your own method
of coping with the restriction needs to be kept secret and not on a PC!
Hopefully you can devise algorithms and secrets that can actually be
remembered but there is a chance that you will need to remind yourself of
either - perhaps more likely in the first weeks and months.
Do this by avoiding technology and keeping the information in a place away from your
PC - ideally in a firesafe or at least a place where burglars or other
unwelcome visitors are unlikely to be interested.
Try to keep the secret information away from the rest if you need to record it
at all - you MIGHT even want to draw the visualisation of your secrets
with crayons so that it looks like a child has drawn it for you.
The example of the green cat near a cup of bovril would match the examples
above and two apples could mean '2' and 'A' are your
What to choose as your secrets - ideas but not to be used 'as-is'
To make a secret memorable it needs to be latched into more than the logical
side of your brain - ideally it should be one or more of:
- A fact or idea or phrase that is already in your memory that no-one else
knows - to condense phrases you can use first letters of each word as the phrase
is obviously not in common use.
A playground / schoolroom incident or something from early childhood
that already happens to stick in your memory is ideal
- Something which you can visualise AND find humorous, rude or otherwise memorable
- Something rude or intensely personal but avoid the obvious mistake of
simply using the name of someone famous for their 'looks' or sexual/slang words.
- Something that someone would have great difficulty in finding out even if
they tried - the end of a telephone number or car registration that you
can remember from childhood but was not owned by you or your family.
Please don't use the above examples as they are now insecure because
this is a web page accessible to the world.
Please note that it is imperative that you decide and then stick
to your own algorithmS.
Just in case it isn't obvious - making the password algorithm for your
'high risk' level/zone very different to that of your other zones
means that you don't put at risk those assets protected
by the former if any of the other password algorithms are 'cracked'.
The rationale for using the above algorithms, rather than having all (but the first)
be a fixed set of characters, is twofold, see*². A variation on them
would be to change one of the secrets to something obscure, but that
you can remember, relating to some aspect of the resource instead of
adding some part of the name or acronym of the resource - see note*²
for a better approach.
The financial cost of your own mental algorithms is zero but you need to be
vigilant and aware of the risk hierarchy - the classic case being the
e-mail password which at first appears to be relatively low risk but in
fact could allow a criminal to:
- Request a password reset at a more critical site
to be sent to your e-mail address
- Action and then delete the e-mail while you are 'offline' e.g. 2am
or on holiday which gives them plenty of time to interact and attempt
escalation.
- Use the password to further 'climb the ladder' or 'hit and run'
with the assets they have access to from this procedure.
There are many potential sources of inserts for passwords but I will not
document them here - e-mail me if you want those suggestions.
The WORST possible sources of password material are sometimes ones that were
(and even still are!) recommended - the classic "mother's maiden name" being
almost as bad as dates of birth. Bear in mind that some attackers will
have several items of information specifically about you - national insurance
number, date of birth, mother's maiden name, car registrations etc.
Even past 'wisdom' was not very well thought through, as an example the
use of the 'first letter of each word of a song sound-bite' simply gave
hackers another dictionary to try as well as all the words, names,
place etc. which are tried.
Bear in mind that if passwords are not memorable then they will be
written down, which is unlikely to be very secure unless it is accompanied
by physical measures such as a safe. That also introduces the problem of
losing the password due to theft, fire etc.
Choosing user names - you may not get a choice at level 3/4 but...
As long as the attacker doesn't have TOO much access to information
(e.g. taken over your PC with a Trojan!) then it may not be easy for them
to find out what other user names you have at different sites / technologies.
Although it might seem to be adding pain and complexity, it
is well worth choosing different user names for the higher levels because
they can stop password betrayal (see WikiPedia link), which I am certain
is one of the very first and automated attacks as soon as an
attacker finds a password - try exactly that user name and password
combination at eBay, MSN, banks and every other web site that doesn't
detect scripted logins.
Do not use the same approach to making passwords unique as you do with user
names at different sites - e.g. not babrian or brianba at the
British Airways site if that was your choice to add to the password.
Known issues and what you can do
If you need to use your passwords in multiple countries then you should
consider not just the fact that some keyboards will not have certain symbols
but also that you will be keying characters 'blind' as they appear as '*'s
and choosing a 'Q' would mean that French and English keyboards could cause
you a problem - the UK has 'QWERTY' and France has 'AZERTY' for instance.
The lack of 'best practices' in the I.T. sector
leaves many doors wide open that shouldn't be necessary.
Classic problems are (stupid!) web site developers who
dictate excessive rules such as:
- Numeric only passwords (was HSBC! - and was fixed length of 6!!!)
- Letters (a-z) only passwords
(is Virginmedia! when calling them but numerics ARE allowed online!)
- Always start with a letter (very common)
- Always include a number
- Always have at least one lower case letter
- Always have at least one upper case letter
- Always have at least one special character (123-reg).
For example but not exclusive to: (ª`!"œ$%^&*()_-+={}[]~@:;'#?<>,./|\.
I deliberately just keyed these in as 'plain text' and I am sure you will
see odd characters where the pound (£) sign should be and
maybe other problems, especially on non-UK monitors and keyboards.
This highlights some problems the developers were trying to avoid
and the previous paragraph.
- Always be at least six (7,8,?!) characters long
- Be shorter than 10 characters long
- Be a fixed length (was HSBC)
- Unpredictable failure when using SOME special characters (Netgear!)
- Contributions very welcome! Ed.
The solution tends to be to anticipate these stupidities by having
your algorithms comply with SOME of the rules... obviously not all
because these 'people' have made that impossible.
So having 1 lower and 1 upper case character plus a numeric as part of
each of your algorithms would cope with MOST of them, although you would
need exceptions if you have to deal with organisations which
adopted items 1 and/or 2 above - see 'What can you write down'!!!
In terms of your highest risk passwords you should try to use more than
one special character; as the number of sites (or your PC) is small you can work
out the highest common factor (not LCD) to get them to abide by 1 algorithm.
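The 'highest common factor' idea above, as an added example (not code from the page): each site policy is a small dict constructed from the kinds of rule listed (not quoted from any real site), `check` lists the rules a candidate breaks, and `combine_policies` works out the one set of constraints that satisfies every policy at once, or None when two of them contradict each other, such as digits-only against must-contain-a-letter.

```python
"""Checking one password 'algorithm' against several sites' rules.

Added example, not code from the page.  The policies below are
constructed from the page's list of site 'stupidities', not taken
from any real site.
"""
import string

DIGITS = set(string.digits)
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
LETTERS = LOWER | UPPER
PUNCT = set(string.punctuation)
NO_MAX = 10 ** 6

# Each rule: name -> predicate(password, set_of_its_chars), True when the rule is met.
RULES = {
    "digits_only":       lambda pw, c: c <= DIGITS,
    "letters_only":      lambda pw, c: c <= LETTERS,
    "start_with_letter": lambda pw, c: pw[:1] in LETTERS,
    "need_digit":        lambda pw, c: bool(c & DIGITS),
    "need_lower":        lambda pw, c: bool(c & LOWER),
    "need_upper":        lambda pw, c: bool(c & UPPER),
    "need_special":      lambda pw, c: bool(c & PUNCT),
}

# Constructed policies mirroring the kinds of rule listed on the page.
SITE_POLICIES = {
    "numeric-fixed-6":  {"digits_only": True, "min_len": 6, "max_len": 6},
    "letters-only":     {"letters_only": True, "min_len": 6},
    "typical":          {"start_with_letter": True, "need_digit": True,
                         "need_lower": True, "need_upper": True, "min_len": 8},
    "special-required": {"need_special": True, "need_digit": True, "min_len": 8},
    "short-max-10":     {"need_digit": True, "min_len": 6, "max_len": 10},
}


def check(password: str, policy: dict) -> list:
    """Names of the rules in `policy` that `password` violates (empty = OK)."""
    chars = set(password)
    failures = []
    if len(password) < policy.get("min_len", 0):
        failures.append("min_len")
    if len(password) > policy.get("max_len", NO_MAX):
        failures.append("max_len")
    for name, satisfied in RULES.items():
        if policy.get(name) and not satisfied(password, chars):
            failures.append(name)
    return failures


def compatible_sites(password: str, policies: dict = SITE_POLICIES) -> list:
    """Which of the policies the password already satisfies."""
    return sorted(name for name, pol in policies.items() if not check(password, pol))


def combine_policies(policies):
    """Tightest constraints meeting every policy, or None if they contradict."""
    policies = list(policies)
    combined = {"min_len": max(p.get("min_len", 0) for p in policies),
                "max_len": min(p.get("max_len", NO_MAX) for p in policies)}
    for name in RULES:
        if any(p.get(name) for p in policies):
            combined[name] = True
    if combined["min_len"] > combined["max_len"]:
        return None
    # Character-class contradictions: no single password can satisfy these.
    wants_letter = any(combined.get(k) for k in
                       ("letters_only", "need_lower", "need_upper", "start_with_letter"))
    wants_nonletter = any(combined.get(k) for k in ("need_digit", "need_special"))
    if combined.get("digits_only") and (wants_letter or combined.get("need_special")):
        return None
    if combined.get("letters_only") and wants_nonletter:
        return None
    return combined


if __name__ == "__main__":
    for pw in ("Z4bvrlBA", "9ebgreNcT,A"):
        print(pw, "fits:", compatible_sites(pw))
    trio = [SITE_POLICIES[k] for k in ("typical", "special-required", "short-max-10")]
    print("highest common factor of three sites:", combine_policies(trio))
    print("numeric-only with a 'typical' site:",
          combine_policies([SITE_POLICIES["numeric-fixed-6"], SITE_POLICIES["typical"]]))
```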
Background and further reading
Passwords on Windows - a particular risk
XP and prior versions all have the same exposure by default.
Not only is the password cut into two 7 character halves but the algorithm
for encrypting each half is flawed because it 'lacks salt'! Salt would make
the stored 'answers' unique to that computer rather than
completely repeatable on all computers; its absence has allowed hackers to create
what are called 'Rainbow tables' to reverse-engineer passwords.
For anyone interested - I have personally downloaded a CD which can crack
seven-character (simple) passwords in less than 5 minutes, which because of the
flaw above means that 14 characters (a-z, 0-9) would take ten minutes.
The longest part of the process is booting Linux and then reading the CD
which adds another 5-10 minutes to the above depending upon your PC / CD drive.
The solutions to the XP password problem are threefold
(see
http://support.microsoft.com/kb/299656
- you may wish to start at number 3!):
- Make a modification to XP (can't be done on earlier Windows)
group security policy that at least stops the storage in the weak format.
- Make changes to the registry - not recommended unless you are an IT
professional and have backed up the system shortly beforehand
- Use a password that is longer than 14 characters so that it is not stored
in this weak format. This is by far the easiest, cheapest and lowest risk.
Note that if you share data on a network between your XP system and
anything 'older' such as Windows98, ME, 2000 etc. then you must assume
that will cease to be possible if it is reliant upon that password
if you make any of the above changes - even the last!
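An added example (not code from the page) of the two structural weaknesses just described and of the 'dose of salt' that fixes them. It is NOT the real LM hash (which uses DES); SHA-256 stands in so that only the structure shows: the password is upper-cased, padded to 14 and stored as two independent 7-character halves with no salt, so a shared half gives the same stored value on every machine, and a 15+ character password is not stored this way at all. The salted alternative uses PBKDF2 from the Python standard library; the round count is an assumption.

```python
"""Model of the XP split-and-no-salt storage weakness versus salted storage.

Added example, not code from the page, and not the real LM algorithm.
"""
import hashlib
import hmac
import os

HALF = 7
LEGACY_MAX = 2 * HALF        # a 15+ character password is not stored this way
PBKDF2_ROUNDS = 100_000      # assumption: work factor, tune to your hardware


def legacy_style_halves(password: str):
    """Weak scheme: case folded, zero-padded, each half digested on its own.

    Returns None for passwords over 14 characters, mirroring the page's
    point that such passwords escape the weak format.
    """
    if len(password) > LEGACY_MAX:
        return None
    padded = password.upper().encode("ascii", "replace").ljust(LEGACY_MAX, b"\0")
    # No salt: the same 7 characters always produce the same digest anywhere.
    return tuple(hashlib.sha256(padded[i:i + HALF]).hexdigest()
                 for i in range(0, LEGACY_MAX, HALF))


def legacy_guesses(length: int, pool: int = 36) -> int:
    """Guesses to exhaust a split scheme: each half is searched separately."""
    first = min(length, HALF)
    second = min(max(length - HALF, 0), HALF)
    return pool ** first + (pool ** second if second else 0)


def whole_password_guesses(length: int, pool: int = 36) -> int:
    """Guesses when the whole password is one unit (no split)."""
    return pool ** length


def store_salted(password: str, salt: bytes = None, rounds: int = PBKDF2_ROUNDS):
    """Per-user random salt plus a slow one-way digest: 'a dose of salt'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  rounds: int = PBKDF2_ROUNDS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    a = legacy_style_halves("Z4bvrlBAsecret")
    b = legacy_style_halves("z4bvrlbaOTHER!")
    print("first halves identical despite different passwords:", a[0] == b[0])
    print("short password exposes its length (padding half):",
          legacy_style_halves("Easy2")[1] == legacy_style_halves("Other")[1])
    print("2*7 split guesses:", legacy_guesses(14),
          "vs whole password:", whole_password_guesses(14))
    salt, digest = store_salted("Z4bvrlBAsecret")
    print("salted verify:", verify_salted("Z4bvrlBAsecret", salt, digest))
```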
Passwords for wireless routers - another problem - especially if not WPA secured
There are four serious flaws in routers that in combination are a nightmare.
- So they can market their routers as 'easy to set up' their makers give them:
- well-known login passwords (e.g. admin and password!) AND
- wireless enabled with NO security at all!!! - open house / broadband!
- Even if you use a Broadband provider that sets a network password
(usually on a label on the box! check it now?), to avoid incompatibilities with
old devices - by default! they (BT et al.) often use an old security
protocol called WEP which can now be 98% cracked within 2 minutes.
- Many routers allow their user interface to be driven by scripts which
are not the real end-user making a request but an attack from a web site
that you may have been enticed to visit
- Users of a router will be totally unaware of its compromised status
or that it is under remote control and the fact that all of their web
interactions may be being monitored and possibly also diverted!
As soon as they 'own' your router they can start to extract more and more
information from you - both passively and then actively - the latter
including what is referred to as 'Man in the middle' attacks which can
potentially even get around SSL, HTTPS, Security Key Fobs
- virtually everything!
See Wireless security WPA not WEP for more details.
Seriously insecure devices, protocols etc.
Please be aware that there are many 'things' which are even worse than routers
and give a false impression of having security that they simply don't have.
For example - it might take a specialist, but cracking a typical Bluetooth PIN,
4 digits in less than a tenth of a second and 7 digits in less than a minute,
isn't even trying! So PLEASE DON'T reuse a Bluetooth PIN anywhere else and,
rather obviously, never make it the same as any PIN you use with a credit card!
When to change a password - frequently or not?
Firstly a human point: never change a password unless you are going to use it
at least 2-3 times soon afterwards - so not just before a holiday, an evening out
or even going to bed, or you will simply forget it.
How often you should change a password depends upon whether you believe an attacker
MIGHT have access to the stored (hashed) form of the password, or an unrestricted
ability to guess it a very, very large number of times. The faster they could get
through it, the more often it needs changing. Examples are:
- VERY BAD - anyone who has physical access to your PC for more than
five minutes (they can copy the password database and crack it at leisure)
- BAD - leaving your router or PC's remote desktop open to remote
management/control without a really strong password (unlimited guesses from anywhere)
- GOOD - professional web sites which restrict the number, frequency
and source of login attempts, and store only a salted hash of each password
(a 'dose of salt' - see above) rather than the password itself.
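The 'GOOD' case above depends on the site actually enforcing a limit on guesses. As an added example (not code from the original page), here is a minimal login throttle of that kind in Python: it counts failures per user name and per source address over a sliding window, refuses further attempts once either key is locked, and replays a constructed attack sequence. The window, threshold and lockout values are assumptions for the demonstration.

```python
import time
from collections import defaultdict, deque

# Added example: a login throttle of the kind the 'GOOD' case above relies on.
# The policy numbers are assumptions, not values from the original page.
MAX_FAILURES = 5        # failures inside WINDOW_SECONDS that trigger a lock
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long a locked key refuses further attempts


class LoginThrottle:
    """Counts failed logins per user name AND per source address, so that
    neither one user hammered from many addresses nor one address walking
    through many user names gets unlimited guesses."""

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> clock value when the lock expires

    @staticmethod
    def _keys(username, source):
        return (("user", username.lower()), ("src", source))

    def _prune(self, key, t):
        q = self.failures[key]
        while q and t - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_blocked(self, username, source):
        t = self.now()
        return any(self.locked_until.get(k, 0) > t
                   for k in self._keys(username, source))

    def record_failure(self, username, source):
        t = self.now()
        for key in self._keys(username, source):
            self._prune(key, t)
            self.failures[key].append(t)
            if len(self.failures[key]) >= MAX_FAILURES:
                self.locked_until[key] = t + LOCKOUT_SECONDS
                self.failures[key].clear()

    def record_success(self, username, source):
        for key in self._keys(username, source):
            self.failures.pop(key, None)


def simulate(attempts):
    """Replay (seconds, user, source, password_correct) tuples through a throttle
    driven by a fake clock; return one outcome per attempt: 'blocked' (refused
    before the password is even checked), 'denied' or 'ok'."""
    clock = {"t": 0.0}
    throttle = LoginThrottle(now=lambda: clock["t"])
    outcomes = []
    for t, user, src, correct in attempts:
        clock["t"] = float(t)
        if throttle.is_blocked(user, src):
            outcomes.append("blocked")     # no oracle: the attacker learns nothing
        elif correct:
            throttle.record_success(user, src)
            outcomes.append("ok")
        else:
            throttle.record_failure(user, src)
            outcomes.append("denied")
    return outcomes


# Constructed sequence: an attacker at 10.0.0.9 guesses at 'alice', then tries
# 'bob' from the same address; the real Alice then logs in from 192.0.2.7.
SAMPLE_ATTEMPTS = [
    (0, "alice", "10.0.0.9", False),
    (1, "alice", "10.0.0.9", False),
    (2, "alice", "10.0.0.9", False),
    (3, "alice", "10.0.0.9", False),
    (4, "alice", "10.0.0.9", False),      # 5th failure: user AND source locked
    (5, "alice", "10.0.0.9", False),      # blocked outright
    (6, "bob", "10.0.0.9", False),        # blocked: the source address is locked
    (7, "alice", "192.0.2.7", True),      # blocked: the user name is locked too
    (1000, "alice", "192.0.2.7", True),   # lock expired after 900 s: ok
]

if __name__ == "__main__":
    for attempt, result in zip(SAMPLE_ATTEMPTS, simulate(SAMPLE_ATTEMPTS)):
        print(attempt, "->", result)
```

Note the trade-off visible at the eighth attempt: locking the user name means an attacker can lock the real user out, which is why production sites temper this with progressive delays or a CAPTCHA rather than a hard lock. Either way the attacker's guess rate drops from unlimited to a handful per window, which is what makes the password's strength matter far less than in the 'VERY BAD' case.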
Web pages to help you crack passwords - TAKE A LOOK AT SOME!
The non-technical pages that I list at the top of this list are there to
show you what the basic tools of the trade are - password dictionaries for example.
- http://www.theargon.com/achilles/wordlists/all-words - a very, very simple list
of passwords that can be tried automatically against many PC technologies and web
sites that have a low grade of protection.
Other web pages that give advice and my comments about them
Only after I had crafted 90% of this page did I perfect the Google
search terms that gave me some of these links - many of them are
quite good but many lack rigour and/or knowledge.
These are numbered just in case you send me feedback and wish to comment
upon them or my own views:
- http://www.schneier.com/essay-144.html - a good introduction to the topic which
gives some statistics from a site used by the 'web generation' and real-life
examples of popular passwords.
- http://www.1729.com/blog/WeakUserPasswords.html - only discusses web site
security but very readable and sensible, because the author thinks about the
problem from end to end and the human aspects of both the attacker and the
resource owner.
- http://www.microsoft.com/protect/yourself/password/create.mspx - this is pretty
good but doesn't make any comments about XP and router passwords - they also get
the length wrong for a good XP password! They do have a password checker that
rates 'Z4bvrlBA' as Strong but also 'Z4bvrl2boc' the same - that is OK, but to
rate 'password1' and 'beckham99' as Medium is ludicrously high. Only classifying
'9ebgreNcT,A' as Strong isn't correct in my mind either, but then I tried
'password1ROVER' and that gave me a 'BEST' category, so they obviously don't use
dictionaries!
- http://www.infoworld.com/article/06/07/21/30OPsecadvise_1.html - a good article
but a bit biased towards the length of passwords being paramount. I agree with
most of his assertions except that I think that by combining the smallest amount
of variety - e.g. just one upper case, one number and one punctuation character -
you can achieve a better effect than simply 'size matters'. Personally I wouldn't
want to key in 31 characters anyway!
- http://blogs.ittoolbox.com/security/adventures/archives/password-strength-checking-15349
- this person is giving bad advice, because simple character substitution is no
defence and should not be regarded as strengthening passwords.
- http://www.ccsn.edu/pages/1096.asp - some useful ideas and examples but not very rigorous.
- http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci858747,00.html
- mostly bad advice, but some management attention is at least being paid to the
problem. This is the first time I have seen a recommendation that words should be
3 or fewer characters long. The problem is that if that is a strategy for
protection it can also be one for attack - try combinations and substitutions of
multiple words that are all of that length or less.
- http://www.ibm.com/developerworks/lotus/library/ls-password_quality/index.html
- quite old, but some rigour is welcome here.
- http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/ - simplistic
but has some examples. Recommendations are poor.
- http://www.securitystats.com/tools/password.php - the checker is very poor, not
objecting to password1 for instance. The Do's and Don'ts are pretty easy to read
and understand.
This page © Business before Technology 2006 - see the respective sites of the owners for their copyright as well as terms and conditions
Notes to the above
Note *¹:
MS IE has improved significantly in response to the onslaught of attacks but,
by default!, it still allows far too much 'rich content' to execute on your PC.
ActiveX should simply be turned off in the Internet Zone, for instance.
My advice:
Better still - use Firefox, which doesn't even support ActiveX!
Firefox used to cause problems on some sites but now (2007) it is so popular
that web sites have moved to more open, non-MS-specific technologies.
This is even better than crippling MS IE, because web sites don't even TRY to
use ActiveX and so they don't "break" when you use them.
Note *²:
Keeping passwords unique to a resource is important for two reasons:
- If each password has something that makes it unique to a site/resource,
you make it much harder for 'a machine' (i.e. an attacker's script) to simply try
the password that has just been acquired at every other site that you ever use.
This would be particularly bad if you used the same user name at different
sites or the attacker had access to your PC's list of web site history and
form data.
- Passwords are often hashed with the same algorithm. If an attacker can gain
access to those hashed passwords, and they are not salted, they will very easily
see which passwords are the same across users or sites without cracking any of
them, and may then choose which web site to attack based on which is known to
have the weakest security.
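The second point above, and the 'dose of salt' mentioned under 'When to change a password', are easy to see in code. The following is an added example (not from the original page) that builds the same four constructed user records two ways, unsalted and salted, and runs one small word list against both: without salt, identical passwords are visible at a glance and one precomputed table (a miniature rainbow table) cracks every user in a single pass; with a per-user salt the table is useless and the whole list must be rehashed for each user. The user names, passwords and word list are made up for the demonstration (two of the passwords are the weak examples quoted later on this page), and the PBKDF2 iteration count is kept deliberately low so the demo runs instantly.

```python
import hashlib
import os

# Added example; the users, passwords and word list below are constructed.
USERS = {
    "alice": "password1",
    "bob": "beckham99",
    "carol": "password1",     # same password as alice
    "dave": "9ebgreNcT,A",    # not in the attacker's word list
}
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "beckham99", "rover"]


def unsalted_store(users):
    """The weak design: one plain hash per user, same algorithm for everyone."""
    return {u: {"hash": hashlib.sha256(p.encode()).hexdigest()} for u, p in users.items()}


def salted_store(users, iterations=1000):
    """The 'dose of salt' design: a random salt per user, folded into a slow hash.
    1000 iterations keeps this demo fast; real deployments use far more."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = {"salt": salt, "iterations": iterations, "hash": digest.hex()}
    return store


def shared_passwords(store):
    """Groups of users whose stored hashes are identical: with no salt this
    reveals shared passwords without cracking a single one."""
    by_hash = {}
    for user, rec in store.items():
        by_hash.setdefault(rec["hash"], []).append(user)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)


def crack_unsalted(store, wordlist):
    """Hash the word list ONCE (a tiny rainbow table) and look every user up.
    Returns (cracked passwords, number of hash operations spent)."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: table[rec["hash"]] for u, rec in store.items() if rec["hash"] in table}
    return cracked, len(wordlist)


def crack_salted(store, wordlist):
    """With per-user salts the whole list must be re-hashed for every user and
    the precomputed table is useless. Same return shape as crack_unsalted."""
    cracked, work = {}, 0
    for u, rec in store.items():
        for w in wordlist:
            work += 1
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), rec["salt"], rec["iterations"])
            if guess.hex() == rec["hash"]:
                cracked[u] = w
                break
    return cracked, work


if __name__ == "__main__":
    plain, salted = unsalted_store(USERS), salted_store(USERS)
    print("visibly shared (unsalted):", shared_passwords(plain))
    print("visibly shared (salted):  ", shared_passwords(salted))
    print("unsalted:", crack_unsalted(plain, WORDLIST))
    print("salted:  ", crack_salted(salted, WORDLIST))
```

The weak passwords fall either way - salt does not rescue 'password1' - but the cost of the salted attack scales with the number of users, and the table an attacker built for one unsalted site (the 'same algorithm' case) works unchanged against every other site that made the same mistake.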
My advice:
A better approach than using an acronym of the site / resource that you
are protecting is to use a memorable (customer?) experience with that resource.
For example, instead of adding 'ba' for a British Airways site it could be the 2
bottles of champagne - i.e. '2boc' - that a stewardess provided in recognition
of exceptional customer achievement in transatlantic business class.
An obvious acronym tells anyone who recovers one of your passwords what the
pattern is for all the others; a private association does not.
This is probably only worthwhile for level 3 and above.
Note *³:
You MAY even need more than one lowest-level password because of moronic
organisations which impose rules that contradict common sense and normality.
Virgin Media, for instance, will not allow numbers in the passwords that their
call-centre staff use - a ludicrous example, almost as bad as HSBC, which
insisted on numeric digits only!
My advice:
Choose your own (pass!) word to describe them (i.e. xxxxx below) when they
confront you with that, but at least prefix it with 'vm' (for Virgin Media),
i.e. vmxxxxxxx! Let's call that level 0!
Unfortunately the challenge is remembering which companies are the ones with
stupid rules, so you may need to write down a list of those with your
exceptions - see 'Writing down' above.
Note *¹¹:
Some web sites in particular attempt to defeat keyloggers by presenting a
virtual keyboard or mouse-selectable choices. Sadly these sites often limit the
characters that can be chosen to lower-case letters.
Although this appears to conflict with advice on this page, these web sites
are demonstrating their confidence (well-founded or not!) that their database,
and every route to it - physical, internal employees etc. as well as 'the web' -
is constrained, and that they can withstand a brute force or even a dictionary
attack because they would (hopefully!) stop repeated attempts against a user
name, against a password, or from a specific source, i.e. an end-point and/or
proxies on the Web.
My advice:
Firstly you probably don't have a choice, and secondly - if the institution
DOES get compromised, they will go bankrupt issuing customer refunds before
they admit their problems!
Use the 'sentence into letters' algorithm as described below.
Note *¹²:
Several years ago a simple 'sentence into letters' algorithm was suggested as
being capable of fixing the whole problem of passwords.
The basic idea is simple: to make a complex but memorable password you take a
memorable sentence or (long) phrase and use only the first character of each word.
The problem was that there were then lots of suggestions about what you
should choose as a sentence - song lyrics, quotations etc.
That was flawed because using very public, and especially popular, phrases such
as lyrics simply gave the attackers the source for another dictionary: as well as
(for instance) all the common words in the language, they simply add the
dictionary of 'first characters from popular lyrics'.
To avoid the dictionary attack you need a sentence that only you know
- or one that is seriously obscure.
Unless you happen to have a few examples of the latter you may need to
create the former - this isn't too difficult AND you can make it very
memorable by:
- Choosing something which is very personal or embarrassing
- Including visual imagery, humour or even sordid/sexual language/thoughts
- Replacing every generic word such as 'girlfriend' with the name of the
person - otherwise there may be some food for a dictionary: you might not be
the only person in the world who has had an experience with the sister
of an ex-girlfriend (or wife!) for instance.
But beware:
- Don't use these on lower zones, as passwords there may not even be encrypted
- If you ever need to be able to tell someone the password (e.g.
a shared bank account) then HAVE A BACKUP SENTENCE so that you don't have
to tell the person what the REAL ONE IS!
- ALWAYS ADD 2-3 characters of COMPLEXITY to what is a very good secret, just
in case the phrase coincides with another.
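As an added illustration (not code from the original page), the following Python carries the 'sentence into letters' algorithm above through both of its pitfalls: it reduces a phrase to first characters, appends the 2-3 complexity characters, checks the result against a 'first letters of popular phrases' dictionary of the kind the note warns attackers build, and estimates the remaining brute-force search space. The known-phrase list is constructed here from public-domain rhymes and one Shakespeare line to stand in for an attacker's lyric dictionary; the private sentence, the '!7' suffix and the character-class entropy estimate are assumptions made for the demonstration.

```python
import math
import re
import string

# Added example: the 'sentence into letters' algorithm with the two safeguards
# the note asks for. KNOWN_PHRASES is a constructed stand-in for an attacker's
# 'first letters of popular lyrics' dictionary.
KNOWN_PHRASES = [
    "To be or not to be that is the question",
    "Twinkle twinkle little star how I wonder what you are",
    "Mary had a little lamb its fleece was white as snow",
    "Humpty Dumpty sat on a wall Humpty Dumpty had a great fall",
]


def sentence_to_password(sentence, complexity=""):
    """First character of every word (a number written in digits keeps its
    first digit), then the extra complexity characters appended."""
    words = re.findall(r"[A-Za-z0-9']+", sentence)
    return "".join(w[0] for w in words) + complexity


def build_phrase_dictionary(phrases):
    """What the attacker does: reduce every popular phrase the same way."""
    return {sentence_to_password(p).lower() for p in phrases}


def looks_like_known_phrase(password, dictionary, min_len=6):
    """True if the password IS a dictionary entry or merely has a few characters
    bolted onto one: the 2-3 added characters do not rescue a public phrase."""
    core = password.lower()
    return any(core.startswith(e) for e in dictionary if len(e) >= min_len)


def brute_force_bits(password):
    """Naive search-space estimate: length x log2(size of the character classes
    used). Only meaningful once the password is NOT in any dictionary."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 ASCII punctuation characters
    return round(len(password) * math.log2(size), 1) if size else 0.0


PHRASE_DICT = build_phrase_dictionary(KNOWN_PHRASES)


def assess(sentence, complexity=""):
    """Derive the password and report whether it survives the phrase dictionary."""
    pw = sentence_to_password(sentence, complexity)
    return {
        "password": pw,
        "in_phrase_dictionary": looks_like_known_phrase(pw, PHRASE_DICT),
        "brute_force_bits": brute_force_bits(pw),
    }


if __name__ == "__main__":
    # A famous quotation is caught even with the suffix; a private sentence is not.
    print(assess("To be or not to be that is the question", "!7"))
    print(assess("Rover ate Grandma's left slipper on Boxing Day 2006", "!7"))
```

The first call is flagged even though '!7' was added, which is exactly the note's point: the complexity characters protect against an accidental coincidence between two private sentences, not against choosing a public one. The bit estimate is only worth reading for the second password, where no dictionary applies.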
Links and other information last validated on 7th August 2007.
Please use the Contact us page to suggest any additions or revisions.