You might be aware that several high-profile Twitter accounts belonging to people like President-Elect Barack Obama, Britney Spears and Fox News were compromised recently. This came to notice when tweets like the following began to appear.
This was initially attributed to a phishing email, but Wired.com provides a detailed account of how the hacker known as GMZ was able to gain access to Twitter’s internal tools and compromise some high-profile accounts. He ran a dictionary attack on a random Twitter user’s account, and that user happened to have access to Twitter’s internal tools.
While this may sound like too much of a coincidence, it reiterates the number 1 rule of a strong password: NEVER USE A WORD THAT CAN BE FOUND IN A DICTIONARY AS YOUR PASSWORD. The account that was compromised had a pretty weak password, ‘happiness’, which is very easy to guess, let alone brute force.
Learning from this and from the worst passwords of all time, you can easily create strong passwords.
That said, I know many people who just shrink back at the thought of remembering strong passwords and would rather use their dog’s name, often giving arguments like “Why would anyone want to hack into my account?”. Well, apart from the fact that your account can be used in any number of ways against you, you should also realize that many people make a living out of getting personal data and there are plenty of buyers for such information. While in the Twitter case you can argue why Twitter didn’t have a limit on unsuccessful log-ins, it goes to show that you have to be responsible not only for yourself but for others too (think social networks). Moreover, a well-constructed password is not at all difficult to remember and yet secure.
Here are some tips you should follow to generate and use strong passwords:
Don’t use dictionary words
It’s a crime if you do so. And for that matter, don’t even use a combination of words like ‘prankfox’ or something similar formed by joining two separate words. While more secure than a single word, these are not going to trouble a well-written cracking tool.
Don’t attribute the password to yourself or your near/dear ones directly
This means you cannot use your car chassis number (although pretty good, better avoid it), car model number, your girlfriend’s name, your father’s name or your birthplace as your password. While these may not feature in most dictionaries, they are some of the first things a social engineer will try. Besides, you wouldn’t want your seemingly friendly colleague, who knows a great deal about your life, having access to your accounts. Would you?
Don’t use repetition or sequences
This means you cannot use ‘abcdzyxw’ or ‘ggggggg3333’. Although these are not directly from the dictionary and might seem pretty secure, modern password crackers are good enough to take such patterns into account! Sequences also include consecutive keys on a keyboard, so you should not use ‘asdfuiop’ or similar passwords that are easy to guess from the keyboard layout. You can’t imagine how easy it is for a casual person (let alone an adept shoulder surfer) looking over your shoulder to get your password if you violate this rule.
Those were the big DON’Ts. Now moving on to the DO’s:
Mix Upper case and Lower Case letters
I cannot emphasize this point enough. You know that passwords are case sensitive, meaning that ‘happiness’ is different from ‘Happiness’, which is different from ‘HaPpINEsS’, when used as passwords. Just think about it: even if you are using ‘happiness’ as your password, if you mix lowercase and uppercase letters and use something like ‘HAPpiNesS’, a typical dictionary attack will not be able to figure out your password unless it tries every possible case combination of every letter in the word, for all the words in the dictionary, which would take months if not years.
Add in some numbers and special characters
We just saw how mixing uppercase and lowercase letters makes your password harder to crack. If you add some numbers and special characters (like %, #, _, ; etc.) to your password, you will not only avoid a majority of dictionary files but also increase the number of computations required to get a successful match.
Use sufficiently long passwords
Use relatively long passwords. Most web applications fix a minimum length of 6 characters these days, but even when choosing passwords elsewhere you must not drop below this length. The longer the password, the harder it is to guess, unless it violates one of the above rules. Long passwords are also harder to remember, so you should settle on a length that is not too short and still easy for you to remember.
Some Strategies for strong yet easy to remember passwords
- Start with a sentence. Say: “I had a BMW as my second car”
- Take the first letter of each word: ‘IhaBamsc’
- The password is already pretty strong; now reverse it: ‘csmaBahI’
- Introduce some numbers. You can use 2 for the ‘s’ of ‘second’: ‘c2smaBahI’
- Make the password easy to pronounce, say ‘c2EsmaBahIn’, i.e. c2 – esma – bahin (it makes no sense, but it helps you remember the password if you can pronounce it easily in your mind)
- Add a special character or two if you like: ‘c2Esma_BahIn’.
There you have it: a pretty strong 12-character password originating from the second car you owned! Yes, indeed you should be using passwords like the one above. This is just one of the methods. The key is to devise your own method if you can and stick to it. It will be truly unique and most secure.
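As an added example (not code from the original post), here is a small Python checker that applies the DON’Ts and DO’s above to a password and carries out the mechanical first steps of the sentence recipe; the word list is a constructed stand-in for the dictionaries a cracking tool would use.

```python
import re
import string

# Constructed stand-in for a cracker's word list (assumption: real lists run to
# millions of entries; only the words this post mentions are included here).
WORDLIST = {"happiness", "prank", "fox", "password", "dragon", "monkey"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
ALPHABET = string.ascii_lowercase + string.digits

def dictionary_word(pw):
    """A plain dictionary word, or two dictionary words joined ('prankfox')."""
    low = pw.lower()
    if low in WORDLIST:
        return True
    return any(low[:i] in WORDLIST and low[i:] in WORDLIST for i in range(1, len(low)))

def repetition_or_sequence(pw, run=4):
    """A character repeated 3+ times, or a run of consecutive letters/digits/keys."""
    low = pw.lower()
    if re.search(r"(.)\1{2,}", low):          # 'ggggggg' or '3333'
        return True
    tracks = [ALPHABET] + KEYBOARD_ROWS
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]                 # 'abcd', 'zyxw', 'asdf', ...
        if any(chunk in t or chunk in t[::-1] for t in tracks):
            return True
    return False

def weaknesses(pw):
    """Return the post's rules that the password violates (empty list = passes)."""
    checks = [
        (dictionary_word(pw), "dictionary word"),
        (repetition_or_sequence(pw), "repetition or sequence"),
        (not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)), "no upper/lower mix"),
        (not any(c.isdigit() for c in pw), "no digits"),
        (not any(c in string.punctuation for c in pw), "no special characters"),
        (len(pw) < 6, "shorter than 6 characters"),
    ]
    return [msg for bad, msg in checks if bad]

def sentence_to_base(sentence):
    """Steps 1-3 of the recipe: first letter of each word, then reverse the string."""
    return "".join(w[0] for w in sentence.split())[::-1]

if __name__ == "__main__":
    print(sentence_to_base("I had a BMW as my second car"))   # csmaBahI
    for pw in ["happiness", "prankfox", "abcdzyxw", "ggggggg3333", "asdfuiop", "HAPpiNesS", "c2Esma_BahIn"]:
        print(pw, "->", weaknesses(pw) or "passes all rules")
```

The final recipe password passes every rule, while each of the post's counter-examples trips at least one of them.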
Passwords are important, really very important; sometimes I think too much depends on a password. For instance, just imagine if someone had the password to your Google account. There is so much depending on that one password, use your imagination!
Stay tuned for part 2 of the post, where we will have a look at some tools you can use to create and manage passwords.
You can get notified automatically when it’s out by subscribing to the RSS feed.