How to create secure passwords
A few days ago it was again that day of the month when, at start-up, the laptop provided by the company I work for generated that hated message: “Your password will expire in 14 days. Do you want to change it now?” We get this on a monthly basis and even if you can defer it for 14 days, it is annoying to know the laptop will continue beeping at start-up each time you turn it on. So I went to see one of our IT guys, to ask him for an explanation on why we have to do this every so often. So he lectured me quite thoroughly about the password security concept.
Precisely because passwords are so present in everyday life, they tend to be disregarded by the general public. You need so many of them for different purposes, and yet you do not hear very often about security breaches due to weak passwords. Just imagine: the regular urban white-collar individual might need quite a few passwords: one for his work computer account, one for his online bank account, one for his personal e-mail account (some people have two or more e-mail addresses), the PIN for the mobile phone, the PIN for the credit card, the access code for the building he lives in, etc. Some of these passwords only work in tandem with usernames, which, although not regarded as secret information, still need to be remembered by their owner.

So just by being a constant presence in our lives, passwords become neglected, short, identical, written down etc., rendering them weak and thus creating vulnerabilities which could be exploited by … exploiters.
The theory behind secure password creation is not simple, but it is not really spectacular for the average user either. Concepts from information theory are used to measure the strength of a password, specifically its entropy, or bit strength. But what it boils down to is really to use passwords that are as long as possible and as random “as possible”, and to follow a few common-sense rules for storing the password.
How to avoid weak passwords
A few basic rules should be followed in order to create strong passwords:
1. Make the password as long as possible (a password longer than 10 characters is generally considered a strong one, but the longer, the better).
2. Mix various symbols in your password (upper and lower case letters, numbers, symbols).
3. Do not use words from the dictionary, which are susceptible to dictionary list attacks.
4. Do not use the names of people, places or pets.
5. Do not use personal information like birthday dates, marriage date, anniversaries etc.
How to create a secure password
Creating a password that is simultaneously secure and easy to memorize can prove to be quite a challenge. The best way currently available to the average user is to use pass phrases instead of passwords. Unfortunately, many password-protected accounts do not allow space characters in passwords, so a good way of condensing the pass phrase into a single word is to use the initial of each word in the phrase.
We’ll work on an example; let’s take for instance the easy to remember phrase:
“A full year has three hundred and sixty five days.”
The resulting password, based on the first letter of each word, would be: afyhthasfd
Mixing upper and lower case letters is always a good idea, so your convention could be that the first and last letters of the password are upper case. The above example would become: AfyhthasfD.
Changing some of the characters to special symbols can only make the password stronger, so you can replace the “s” with a “$”, or, instead of using the first letter of the words expressing numerals, you may replace them with actual numbers. To get better protection, in the case presented here you should use both types of replacement, for instance replace the “sixty” with “$”, the “three” with a “3” and the “five” with a “5”.
At the end of this process, we end up with a pretty strong password, which adheres to the rules recommended above and which looks like: Afyh3ha$5D
Apart from offering good protection, it also has the benefit of being relatively easy to remember. And once you have used it a few times, you will also be able to type it as fast as you would type “password” (which is actually one of the most common passwords in use and is thus one of the weakest possible passwords, despite its length).
Please note that the example above is just that: just an example! The resulting password should be considered compromised because it appears in an online article, and it should never be used as a valid password.
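The procedure above, as an added example that is not part of the original post: the script below derives the password from the pass phrase in the same steps (initials, digits for numeral words, “s” to “$”, first and last letter in upper case), then applies the naive entropy estimate the article mentions (length times log2 of the character pool) and a membership check against a tiny constructed list of common passwords, which is what actually catches “password”. The function names, the number-word table and the common-password list are assumptions made for this example.

```python
import math

# Digits for single-digit number words, as in the post ("three" -> 3,
# "five" -> 5). Words such as "hundred" or "sixty" keep their initial.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}

# Letter-to-symbol swaps; the post replaces "s" with "$".
SYMBOL_SWAPS = {"s": "$"}

# Constructed stand-in for a real leaked-password list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def passphrase_to_password(phrase: str, use_digits: bool = True,
                           use_symbols: bool = True,
                           capitalize_ends: bool = True) -> str:
    """Turn a pass phrase into a password following the post's recipe:
    take each word's initial, swap numeral words for digits, apply the
    symbol substitutions, then upper-case the first and last character."""
    words = [w.strip(".,;:!?\"'") for w in phrase.split()]
    words = [w for w in words if w]
    chars = []
    for word in words:
        lower = word.lower()
        if use_digits and lower in NUMBER_WORDS:
            chars.append(NUMBER_WORDS[lower])
        else:
            chars.append(lower[0])
    if use_symbols:
        chars = [SYMBOL_SWAPS.get(c, c) for c in chars]
    if capitalize_ends and len(chars) >= 2:
        chars[0] = chars[0].upper()
        chars[-1] = chars[-1].upper()
    return "".join(chars)


def estimate_entropy_bits(password: str) -> float:
    """Naive bit-strength estimate: length * log2(pool size), where the
    pool is the union of the character classes present. This assumes each
    character was drawn uniformly from the pool, which overstates strength
    for initials of English words; treat the result as an upper bound."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 32  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def is_common(password: str) -> bool:
    """True if the password is on the (constructed) common-password list."""
    return password.lower() in COMMON_PASSWORDS


if __name__ == "__main__":
    phrase = "A full year has three hundred and sixty five days."
    for candidate in (
        passphrase_to_password(phrase, use_digits=False, use_symbols=False,
                               capitalize_ends=False),
        passphrase_to_password(phrase, use_digits=False, use_symbols=False),
        passphrase_to_password(phrase),
        "password",
    ):
        print(f"{candidate:<12} ~{estimate_entropy_bits(candidate):5.1f} bits"
              f"  common={is_common(candidate)}")
```

The entropy figure alone rates “password” at roughly 37 bits, which looks tolerable; only the list check exposes it as one of the most common passwords, which is why a strength meter needs both a pool estimate and a leaked-password list.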
Other advice for passwords
As mentioned in the introductory paragraph, it is generally the case that you have more than one password-protected account. You should never use the same password for several accounts. Take the trouble of generating and remembering several, as cracking one account will invariably mean the cracking of all your accounts.
Again, it is not a good idea to write down your passwords. Writing them either on paper or in a file on a PC is a serious breach of security. Sophisticated servers have been created to handle the most demanding secure data transfers, but to this day the first protective measure taken by data administrators is to lock the servers in the server room. Those who do not do it should. And it is the same with passwords. No matter how complicated a password is, if it is written down it is as easy for an ill-intentioned person to read it as it is for you. Not writing down the password also means not sending it in any written form through e-mail, SMS or any other communication method. Many of the communication channels we use in everyday life are not really encrypted (for instance, Yahoo Messenger). Of course, common-sense advice is never to tell your password to anybody else. Not even to your girlfriend.
There are some password management solutions out there, which can store all your passwords in an encrypted form on the hard drive. I would strongly advise against using them. They sometimes allow access to the list of passwords based on a master password, but this simply makes all of your data available when a single password is cracked.
All this advice is directed at creating, remembering and storing one (or several) secure password(s). If everything fails and your account does get hacked, try to minimize your losses by all possible means, which really depend on what kind of personal or sensitive information you store in your account. Of course, going through the topic of secure passwords, I ran across some data administrators’ opinions stating that asking your users to frequently change their passwords does not really yield good results. First of all, this makes them prone to choosing weaker passwords, rather than going through the whole process of generating and memorizing a stronger one. And at the end of the day, if you have already picked a secure and long password, there is little point in changing it…
- brumbarchris's blog