Passwords, and why the heck are they so important?
Everyone has passwords, some have only a few, and some of us have bunches of them. In some cases, literally hundreds or thousands to manage, and let me tell you it’s a pain in the rear. However, password management is not the main thing this article is about, although it pertains to the subject. No, what I want to talk about today is the area of good passwords, strong passwords, passwords that will defend your server and repel any attack by the bad guys that try to get in while you are away playing Quidditch. I have seen lots of passwords in my day, and there are lots of servers that could be compromised using either “ncc1701” or “corona”.
Assuming you secure your server, have firewalls and all of the normal items in place to defend your network, passwords can be thought of as the last line of defense. Network security, remember, should be applied in layers: not just a firewall or just good passwords, but layers of good measures to protect your data.
When it comes to passwords, though, they need to be long, complex and unreadable. Yes, it’s true, stop whining. When thinking of that great password you will use for your uber secret admin account, don’t pick something that is a known word or phrase, like “yellowstone” for example. You might look at that and think it’s 11 characters, it’s a dandy of a password. You’d be wrong. First, it’s a common word or phrase; next, it has no numbers or special characters in it. Ok, you say, let me trump up some of those vowels with numbers and special characters then, how about “y#ll0wst0n#”? Well, even though that is better than the first, a cracker performing a brute force attack would be through that password in about 3 seconds.
You see, they already have algorithms that swap special characters for vowels, and the like. If it’s a known word, or phrase, or combination of words, they’ll figure it out. The same with numbers. Any all-number password, regardless of how long it is, is doomed to being cracked. It comes down to a matter of time, based on how fast the cracker’s computers are; and nowadays we are probably talking minutes at most.
So, you know you need a password that is at least 10 characters long, 14 to 16 is better, and it can’t be a number or a readily readable word. Well, how the hell am I supposed to remember that then, you say? Glad you asked my friend! One answer is that you don’t try to remember them all. There is a great tool called PasswordSafe, free and open source, that keeps all of your passwords in an encrypted database. You only have to remember the key to get into the database, and can then simply store your passwords in there.
Another thing that I do is generate passwords randomly, especially if I am going to put it into my PasswordSafe database. However, if it’s one I will have to use or remember, I have a cool technique for creating passwords, and I am going to share it here. What I do is use song lyrics, although you can use lines from a movie if you want, or basically anything resembling that kind of dialog that you can remember. For this exercise, I will use a line from a Spin Doctors’ favorite, “Margarita”.
What you do is start by taking the first letter from each word in the verse you chose (or movie dialog, or whatever). In this case, the part of the chorus I want to use is:
I’ll take the salt from my wounds, and put it in my margarita.
Using this verse, the start of my new password would look like:
ittsfmwapiimm
Already we have a long, non-readable and easy to remember password. However, if we now employ some vowel switching and number/special character placing, plus upper case, we can make one that is ultra hard to crack. What if I came up with something like this:
Ittsfmw@p11MM5
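As an added example that is not part of the original post, here is a small Python script that builds the first-letter password from a memorable line and then runs the checks the post argues for: minimum length, no all-digit passwords, a mix of character classes, and undoing the common vowel/number substitutions before a wordlist lookup (which is why “y#ll0wst0n#” is still just “yellowstone”). The wordlist and the substitution table are constructed for the example.

```python
import re

# Constructed stand-in for the dictionary a cracker would run first.
COMMON_WORDS = {"yellowstone", "corona", "password", "margarita"}

# Common character-for-letter swaps, undone before the wordlist check.
LEET = {"@": "a", "4": "a", "3": "e", "#": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t"}


def first_letters(line: str) -> str:
    """Take the first letter of each word: the post's lyric trick.
    "I'll take the salt ..." -> "ittsfmwapiimm"."""
    words = re.findall(r"[A-Za-z][A-Za-z']*", line)
    return "".join(w[0].lower() for w in words)


def normalize(pw: str) -> str:
    """Map substituted characters back to the letters they stand for."""
    return "".join(LEET.get(c, c) for c in pw.lower())


def char_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/other the password uses."""
    kinds = [str.islower, str.isupper, str.isdigit,
             lambda c: not c.isalnum()]
    return sum(any(k(c) for c in pw) for k in kinds)


def weaknesses(pw: str, min_len: int = 10) -> list:
    """Return the post's objections to a password; empty means none."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    if pw.isdigit():
        problems.append("all digits")
    if normalize(pw) in COMMON_WORDS:
        problems.append("dictionary word (after undoing substitutions)")
    if char_classes(pw) < 3:
        problems.append("too few character classes")
    return problems


if __name__ == "__main__":
    lyric = "I'll take the salt from my wounds, and put it in my margarita."
    for candidate in ("yellowstone", "y#ll0wst0n#", first_letters(lyric),
                      "Ittsfmw@p11MM5", ",pN]RyX1E~H"):
        print(f"{candidate:16} {weaknesses(candidate) or 'ok'}")
```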
Now we are talking. That would be a pretty tough password to crack, plus it is much easier to remember than a randomly generated password. Let’s compare to one I generated randomly:
,pN]RyX1E~H
That one would be tough to crack, that’s for sure, but you’d not have an easy time trying to remember it. Like I said, if all I am going to do is stick the password in the database, and I know I am not going to be trying to remember it or type it in (you know, I can cut and paste), I’ll generate them. It’s much quicker than trying to come up with them on your own, especially if you have a lot to do, which I sometimes do.
However, in other cases where I might know I want to remember it, or at the least will be typing it in, I’ll create one manually like the way I showed you above.
So now you know: store any passwords you have to keep in a secure place. Yellow stickies on the monitor are not the place! Plus, use long, complex and hard to read passwords, not common words or phrases. Be sure not to use the same password over and over with multiple accounts too; that way, if someone did get your password somehow, they still can’t get into everything, just that one account. I hope this clears up some of the importance of passwords, and especially good passwords!