AUBURN — Quick, think of an important date.

Got one?

Well, if you do, it’s a lousy password.

So is the name of your dog — alive or dead — your favorite beverage or a cool catchword from your favorite movie; each one is easier for a computer hacker to get past than an automatic door at Walmart.

Dates, individual names or any word you can find in the dictionary typically make rotten passwords. Ditto for names of friends, pets, high school mascots or anything else you might have talked about on Facebook or Twitter.

When it comes to passwords, size matters. If you use anything less than 10 characters long, you’re fooling yourself, according to computer security experts.


“The worst thing people can do is think of a password as a word,” said Ashley Hayes, who teaches network security at Central Maine Community College.

“People need to move to something else, if it’s the first line of a book or multiple words or phrases,” she said. “They just need to get away from the minimums that administrators used to allow — the eight-character standards — and start using longer phrases.”

There was a time when passwords made us feel secure. We’d type our secret code into our computer to get access to all of our best private goodies: pictures, videos, secret musings, messages from close friends and financial stuff.

They were simple codes for simpler times. Many people merely typed “PASSWORD” or its backward cousin “DROWSSAP” into the blank. Some used the name of the application they were using or the brand of the monitor sitting in front of them. Some even used their birth date.

Eventually, that stopped feeling secure. We started adding odd characters like &, # and @, mixing up spelling, fiddling with the case and replacing letters with numbers and symbols: “Password” became “9@$$w0Rd.”

“If it’s a trick you know, it’s a trick hackers have tried and figured out,” Hayes said.


Modern password-cracking programs don’t guess at random. They start from dictionaries and apply rule sets that try exactly those tricks: capitalize a letter, swap a for @ and s for $, tack a year or a few digits on the end. Even when a cracker has to try every combination, a standard eight-character Windows password has a search space measured in billions of possibilities rather than the astronomical counts longer passwords reach, and a single computer can run through it in minutes.
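What such a rule set actually does is easy to show. The Python below is an example added to this article, not the software the paper used: it takes a tiny constructed wordlist, applies substitution, case and suffix rules, hashes each candidate and compares it with a target hash, which is how a cracker works against a leaked database of unsalted hashes. The substitution table, the suffix list, the year range and the wordlist are all assumptions chosen for the example.

```python
import hashlib
from itertools import combinations

# Character substitutions a cracking rule set tries, mirroring the
# "Password" -> "9@$$w0Rd" trick. Constructed for this example; real
# tools ship far larger rule files.
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1", "p": "9", "t": "7"}

# Suffixes people commonly append: single digits, a few favourites, and
# four-digit years. The year range is an assumption for the example.
SUFFIXES = ([""] + [str(d) for d in range(10)] + ["!", "1!", "123"]
            + [str(y) for y in range(1950, 2015)])

# Constructed mini wordlist; real crackers use dictionaries of millions of words.
WORDLIST = ["password", "guiness", "bazinga", "sunjournal", "letmein"]


def leet_variants(word):
    """Yield the word with every subset of its substitutable letters swapped."""
    letters = sorted({c for c in word if c in LEET})
    for r in range(len(letters) + 1):
        for subset in combinations(letters, r):
            yield "".join(LEET[c] if c in subset else c for c in word)


def case_variants(word):
    """lower, UPPER, Capitalized, and every single-letter case toggle."""
    out = {word.lower(), word.upper(), word.capitalize()}
    for i, c in enumerate(word):
        if c.isalpha():
            out.add(word[:i] + c.swapcase() + word[i + 1:])
    return sorted(out)


def candidates(word):
    """Apply the rules in order: substitutions, then case, then a suffix."""
    seen = set()
    for leet in leet_variants(word):
        for cased in case_variants(leet):
            for suffix in SUFFIXES:
                cand = cased + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def hash_password(plaintext, algo="sha256"):
    """Plain unsalted hash, the kind found in many leaked databases.
    A login system should use a slow, salted hash instead; the lack of
    one is why this demo runs so fast."""
    return hashlib.new(algo, plaintext.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST, algo="sha256"):
    """Return the plaintext whose hash matches, or None if no rule produces it."""
    for word in wordlist:
        for cand in candidates(word):
            if hash_password(cand, algo) == target_hash:
                return cand
    return None


if __name__ == "__main__":
    for pw in ("9@$$w0Rd", "Guiness1981", "odorantdacronrhinocerosfledgling"):
        print(f"{pw:35} -> {crack(hash_password(pw))}")
```

Run as a script it recovers 9@$$w0Rd from password and Guiness1981 from guiness within a second, and fails on the 32-letter phrase shown at the end of the article, because no rule joins dictionary words together. That gap between "a word with tricks" and "several words" is the whole reason length beats cleverness.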

“Many businesses still allow eight characters, mainly because it comes down to a matter of memory,” Hayes said.

Longer passwords are safer. Any password longer than 15 characters should be safe for just about any purpose for now, provided it isn’t a single well-known phrase or lyric that would sit in a cracking dictionary, and as long as you can remember it.

That’s the rub: The more complex and random a good password is, the more likely we are to fall back on some other method to remember it. We’ll plug it into a database, create a memory aid or mnemonic or — Heaven forfend! — write it down someplace we think is secret.

“As an administrator you can come up with great policy: 12 characters, symbols and numbers and this that or the other,” Hayes said. “Your users come up with this random thing that works to log in, but then they write it on a sticky note and put it under their keyboard or on their monitor.”

There is no perfect answer at this point in our technology. It’s a balance between security and convenience. So how do we cope?


We asked our readers and folks around the newsroom what they do.

One SJ writer said he keeps a faded notebook hidden in a corner of his home office and it contains every convoluted unbreakable password he’s used in the last decade.

Most combine methods, using the name of a family pet, the date they met the love of their life, the license plate on their car and a random word. Pet names and dates are the same personal details flagged as guessable above, so the random word is doing most of the work.

Some have more convoluted processes: After the person has memorized a song, saying or movie quote, the first letter of each word becomes a character in the password. Sprinkle generously with symbols and numbers and it generates a nonsensical series of characters that can be called to mind just by humming the tune or recalling the movie.

And some rely on machine-generated passwords, like those created by the mobile app Lastpass or the web services Roboform or strongpasswordgenerator.com. Those tend to be the most complex and hardest to crack, but also the hardest to remember, which is why they usually live in the password manager that generated them.

One suggestion from Hayes: “What you want to do is take a sentence, remove the spaces and change the spelling. Anything you can do to make the password longer is going to make it harder to break.”


Conversely, “Anything you can do to make it shorter or easier to remember makes it less secure,” she added. “It’s just the way it goes.”

Reader Chris Blake of Auburn said he relies on the method popularized by the webcomic XKCD: take four random words out of the dictionary, arrange them into a phrase and create a word picture in your head to help remember it. The result is a password of at least 16 characters that’s relatively easy to remember.

But Blake said his personal computer security routine uses a cascading strategy, with stronger passwords guarding the most important information.

Basic websites holding no personal or financial information get a simple, basic password. Online gaming sites and e-commerce sites like Amazon have stronger, unique passwords. And his bank is protected by the toughest code it lets him use.

“And I don’t save bank card info there unless I know I’ll be making several purchases over a short span,” Blake wrote in an email. “After that, I delete the card info.”

That’s a good idea, too, according to Hayes.

“You always go back to: Don’t tell people where your passwords are,” Hayes said. “Even at home, don’t make them too easy to find. Be careful what you share and where you share them. Just be careful.”

BETTERGETANEWPASSWORD

These passwords were cracked using readily available password-cracking software. The time it took to break each one is listed beside it.

  • Guiness1981: 5 days
  • B3~5i: < 1 day
  • 1031imf#: 2 days
  • suNjournal1514: < 1 month, 19 days
  • 207-784-5411: < 1 day
  • moul23son: < 1 month, 19 days
  • bazinga1031: 1 month, 21 days
  • Nz12301031: < 1 day

tougherpAssworDs

What does a password that would take 1,983,698,781,059 years to break look like?

odorantdacronrhinocerosfledgling

More secure passwords:
  • o+trbN$k1D06&3a: 130,457,115,385 years
  • 8A@c”,H.@t.4^Kp: 3,577,832,433 32 years
  • suNbongo?1514: 25 years
  • MarkLaFlamme: 1 year, 7 months
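Crack-time figures like the ones above come from counting how many guesses a full search would need and dividing by a guess rate. The Python below is an example added to this article, not the tool that produced those numbers: it generates both kinds of password the readers described (machine-generated random strings, and XKCD-style random word phrases) and works the arithmetic for them. The 10 billion guesses-per-second rate, the 7,776-word list size (that of a standard Diceware list) and the small sample word list are assumptions of the example, so its years will not match the figures above.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker speed against a fast, unsalted hash. An assumption for
# this example; the rate behind the article's figures is not stated.
GUESSES_PER_SECOND = 1e10

# Constructed sample list for the passphrase generator. A real Diceware-style
# list has 7776 words, the size used for the entropy figures below.
SAMPLE_WORDS = ["odorant", "dacron", "rhinoceros", "fledgling", "bongo",
                "correct", "horse", "battery", "staple", "sun", "journal",
                "auburn", "lewiston", "moose", "lobster", "granite"]
DICEWARE_SIZE = 7776

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_password(length=15, alphabet=PRINTABLE):
    """Machine-generated password drawn with a cryptographic RNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(count=4, words=SAMPLE_WORDS, sep=""):
    """XKCD-style passphrase: `count` words picked uniformly from the list."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, picks):
    """Bits of entropy when each of `picks` symbols is drawn uniformly from `pool_size`."""
    return picks * math.log2(pool_size)


def years_to_exhaust(pool_size, picks, rate=GUESSES_PER_SECOND):
    """Years to try every combination at `rate` guesses per second."""
    return pool_size ** picks / rate / SECONDS_PER_YEAR


def brute_force_pool(password):
    """Alphabet size a brute-force attacker must cover, from the character classes present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return pool


def report(label, pool, picks):
    print(f"{label:36} {entropy_bits(pool, picks):6.1f} bits "
          f"{years_to_exhaust(pool, picks):12.3g} years")


if __name__ == "__main__":
    print("random password:  ", random_password())
    print("random passphrase:", random_passphrase(sep=" "))
    report("15 random printable characters", 94, 15)
    # The article's 32-letter phrase, seen two ways: as letters to brute-force,
    # and as four words from a list the attacker knows.
    report("32 lowercase letters, brute force", 26, 32)
    report("4 words from a 7776-word list", DICEWARE_SIZE, 4)
    report("6 words from a 7776-word list", DICEWARE_SIZE, 6)
```

The two lines for the 32-letter phrase are the caveat worth remembering: as 32 letters it outlasts the universe, but if the attacker knows the word list and the word count, four words give only about 52 bits and fall in days at the assumed rate against a fast hash. Six words, or a four-word phrase with a digit or symbol dropped in, pushes that back to decades and beyond. Character-class counting of the kind brute_force_pool does is what most strength meters report, and it is exactly what the dictionary-plus-rules attack earlier in the article sidesteps.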

 

