The SANS Institute has, for some years, put out a newsletter called OUCH! which it describes as a “free security awareness newsletter designed for the common computer user.” The May issue, edited by Eric Cole, is devoted to “Protecting Your Passwords,” and includes some excellent advice.
Meanwhile, my colleague Paul Laudanski has blogged comprehensively on the closely related topic of using password management software: No chocolates for my passwords please!
Paul's article does refer to some work on passwording that Randy and I have published in the past, but I'll list a few items anyway:
- Most of our blogs (and those of other ESET bloggers) on the topic should be accessible here or here.
- An article for Securing Our eCity based on a more technical FAQ that I need to dig out and bring up-to-date deals with choosing passwords
- And here's a lengthier white paper by Randy and myself that covers quite a few password/authentication issues: Keeping Secrets: Good Password Practice
A couple of comments that have been made recently in response to these that bear repeating:
- If you use a password manager program, you certainly need to be sure that you have some kind of backup of your password file and/or your protected data, in case of some kind of failure to the primary program or the system on which it's held. (Hat tip to Dave Montgomery.)
- Passphrases rule. Passwords drool. (Hat tip to Dave Marcus.)
Paul's article looks at the generation of random strings, and intelligent use of passphrases rather than passwords as an additional way of increasing entropy: While entropy is not exactly synonymous with randomness, the unpredictability of a passphrase is a measure of its strength, and a long, random phrase that includes a wide range of symbols is, by definition, more difficult to guess by orders of magnitude than a single six-letter word or a four-digit PIN. However, entropy is not the only factor. Choosing a password is a compromise between the highest possible entropy and the influence of limiting factors, such as password/phrase length and the range of symbols available, such as:
- Numbers only
- English alphabetical characters only
- Alphanumeric symbols
- Alphanumeric symbols with special characters (spaces, punctuation and so on)
- Extended ASCII character set
Which reminds me that Nora Lucke, with whom I worked many years ago in the IT unit at a medical research organization, suggested to me a while ago a strategy that worked quite well for her customers in an academic context where choosing a password was severely constrained by system requirements. She described it as follows (I've paraphrased and expanded here and there):
It depends on using an address - any address OTHER than one's own current address. It goes like this:
- Write down the address, in mixed case, with no spaces
- Cross out all the vowels
- Count the first 8 characters [Assuming a system that requires the use of an eight-character password].
For example, 147 Long Hill comes out as 147LngHl.
This gives a pseudo-random password which is simple to use and remember, and using an aide-memoire such as “Bob's last-but-one address” or “Flo's old house” is of no use to anyone who doesn't know a great deal about you, especially if you don't leave it somewhere tagged with some giveaway phrase like “my password for BoA.” You can boost the entropy by using some of the interleaving, interposing and/or substitution tricks described in “Keeping Secrets,” of course, though if you're going to use this so as to use different passwords in different contexts (recommended!), you need to ensure that you use a consistent algorithm. And, of course, addresses are a convenient “seed” since they normally include numbers, but there are obviously other possibilities other than an address-book cipher.
My apologies: that last clause is almost too esoteric a play on words even for me... It does lead me to think that such algorithms could be a good starting point for describing more complex encryption techniques. However, this is as close to crypto-geek as I plan to get in this particular article.