False Perception of IT Security: Passwords


Welcome to the second post in a series of blog posts regarding the false perception of IT security. In this post we will describe some of the issues associated with password management. As you know, it is quite important to have a strong password, but what is a strong password?

When asking random people about passwords, they always agree that having a strong password is very important, but it is also very difficult to remember all these passwords. I get the feeling that instead of trying to come up with a good solution we simply give up and use that as an excuse to have a poor password policy.

One problem is that we don’t even know what a strong password is. A lot of people think that a strong password is a complex string, with random letters, numbers and special characters. But when looking at it from a security perspective, rather than from a cryptographic perspective, a strong password does not have to be completely random, and therefore super-difficult to remember.

I am expecting a lot of password maniacs to holler at me now, but please remember that this blog post is not about describing the most complex and secure password algorithm out there, but to simply give some good tips and tricks for how individuals can stop using crappy passwords or using the same password on every single site where they need to authenticate.

You can of course use a password management tool such as Kaspersky Password Manager, but this post will hopefully teach you simple password management without using any tools.

So, let’s take a look at how we can generate a strong password. First of all, I think that the most important thing to consider when creating a strong password is to make it personal. I agree that a computer-generated password with random letters, numbers and special characters is difficult to remember. But if it’s a phrase that is personal to you, it will probably be much easier to remember.

There are tons of different methods for generating passwords, but I would like to share one way with you. It has probably been described by others before, but I would like to call it the “Story Algorithm”. There are a lot of variants on this one, so feel free to come up with your own variant that you think best helps you.

  1. Think about a phrase, lyrics from a song, quotes from a movie or simply a lullaby from when you were a child.
  2. Take the first letter from the five first words.
  3. Between every letter add a special character.

At this stage you will have created a static string, and from now on you will base all your unique passwords on this string. But since it’s a static string it won’t be unique for every site that you need a password for. What you need to do now is to use the power of association.

When you think of Facebook, Twitter, eBay, dating sites, online gaming sites or any other site, write down the first word you associate with the site you need a password for. For example, if you are creating a password for Facebook you might associate Facebook with the blue color in the logo: so then you can simply append the word “blue”, maybe in capitals, after your static string.


Let’s play with the idea that the phrase I think of is “Twinkle Twinkle Little Star How I Wonder What You Are”, and the special character I want to use is the hash character ‘#’. Then my password for Facebook would be something like: T#T#L#S#Hblue. It makes no real sense when you look at it, or if someone gave it to you. But since it’s personal, you understand the system used to generate any of your passwords; and since you associate the word with the site, it’s also easy for you to remember any of them. And it is quite strong — you can test it with our Password Check.
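To make the three steps and the Facebook example concrete, here is a small Python implementation of the Story Algorithm. This is an added example, not code from the original post or from Kaspersky; the function names (`story_base`, `site_password`, `brute_force_bits`) and the strength estimate are my own. The estimate models an attacker who brute-forces every character from the character classes present in the password; it does not model an attacker who already knows the pattern, and it is only meant to show why the length rule in the golden rules below matters so much.

```python
import math
import re
import string


def story_base(phrase: str, separator: str = "#", words: int = 5) -> str:
    """Steps 1-3 of the Story Algorithm: take the first letter of the first
    `words` words of the phrase and put `separator` between every letter."""
    tokens = re.findall(r"[A-Za-z0-9']+", phrase)
    if len(tokens) < words:
        raise ValueError(f"phrase has only {len(tokens)} words, need {words}")
    initials = [t[0] for t in tokens[:words]]
    return separator.join(initials)


def site_password(base: str, association: str, capitalize: bool = False) -> str:
    """Append the word you associate with the site to the static base string."""
    word = association.upper() if capitalize else association
    return base + word


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker would have to search,
    judged from the character classes that actually appear in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the brute-force search space: length * log2(alphabet size).
    Assumes the attacker tries every combination and knows nothing about
    the phrase or the association word (a labelled simplification)."""
    return len(password) * math.log2(charset_size(password))


if __name__ == "__main__":
    # The example from the post: five initials joined with '#', plus "blue".
    base = story_base("Twinkle Twinkle Little Star How I Wonder What You Are")
    fb = site_password(base, "blue")
    print(base, "->", fb)
    # Length beats raw randomness against brute force: the 13-character story
    # password outscores an 8-character fully random one (constructed sample).
    for pw in (fb, "aB3$xY9!"):
        print(f"{pw!r}: {len(pw)} chars, ~{brute_force_bits(pw):.1f} bits")
```

Running it prints `T#T#L#S#H -> T#T#L#S#Hblue`, and the comparison shows the 13-character story password at roughly 83 bits of brute-force search space against about 52 bits for an 8-character random one, which is the point of the “length is very important” rule.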

There is one password that you should be extra careful about, and maybe you should even use a completely different phrase when generating this password. This is the password to your email account. If someone can access your email, they can also use the “forgot login” function and not only get access to your email, but also change password for every site you have access to that’s connected to that email address.

Please remember to use strong passwords. It is only a bad excuse not to do it, and it’s a false perception that password management is difficult. Just remember these golden rules:

  • The length is very important to create secure passwords!
  • The uniqueness is very important! One password per site!
  • Complexity is not how random the password is, but how difficult it is to crack!
  • Make the password personal, it’s MUCH easier to remember that way!