Why you really, really should use stronger passwords

This blog post was created from a conversation we had with one of our clients since they sent us this link with a subject line of "interesting?" Advice From A Real Hacker which is worth reading first.

There are many thoughts on this. The suggestion is that we as IT companies should stop forcing password changes so often. Users simply make every new password simpler than the last which is counter productive. Don’t forget, Password1 is a 9 character password containing uppercase, lowercase and numbers!

It has been suggested that we enforce a policy of not using dictionary words, this is not a good argument in reality. It forces passwords to get shorted and shorted, as jumbled characters are hard to remember. How about a (misquoted!!) phrase: ItWasTheWorstOfTimesItWasTheBestOfTimes No matter how many dictionary lists you are using, you will still have to run them all 12*12 times to spot a 12 word phrase.

If “it doesn't take me very long to test every … word combination in the dictionary” then use a word combination that is not in the dictionary, or indeed in any book anywhere...

Where passwords are concerned we will allow:

Never Use Just Numbers

Use All of the Allowable Character Types

Please note he suggests using munging, even tho Wikipedia has a munging lookup table: Munging

Our conclusion? A few steps:

Step 1: Use the same password on all the sites you don’t care about. The forum you registered on just to say “lol” on a post? Pasword1. The site you had to register on to download some shareware? Password1. The city council site you have to register on to receive SMS alert about your dustbins? Password1. Who cares if they get cracked, and it makes your life easier.

Step 2: Use a password manager. For the (few) sites that you actually care about, generate a unique, strong (20 random characters, with all of the Allowable Character Types) password. You will need a password manager, as there is no way you can remember one of these, let alone a few of them for important sites. I define important as “I could lose money if this was hacked”. That loss can take place via simple theft (i.e PayPal) or via complicated ID fraud (i.e. UK Govt. Website). I like KeePass, and LastPass is a strong offering too. They will generate the password, store it encrypted, and when you need it auto fill it onto the web page. Now, you only have to remember 1 password. How about:

“ASingleManInPossessionOfAGoodFortuneMustBeInWantOfAPasswordManager”

(with apologies to Jane Austen).