Power Passwords
Ten years ago, I did some research on passwords and found that the most commonly used password was “password.” I recently read an article in PC Magazine that noted “password” is still the most common password.
The author of that article commented that if you used any of the most popular passwords (e.g., your name, “123456” or “qwerty”), you might as well hand your computer over to the nearest thief.
Most people, including lawyers, do a terrible job of creating passwords. Passwords truly are the weakest link in your security chain. Today, you want to use strong passwords, consisting of combinations of seven letters (ideally some in uppercase and some in lowercase), numbers and symbols. Anything else is generally considered a weak password.
Creating and using strong passwords, however, is easier said than done. A welcome trend is that some Web sites tell you the strength of your password when you create it.
A TRADE-OFF
Security always involves a trade-off between protection and user convenience. Nothing could be more convenient than having no password, but having no password provides no protection. At the other extreme, you have high protection, but access becomes highly inconvenient (think of the classic Saturday morning cartoon scene of locking the door and throwing away the key). Having good security and good passwords requires reaching a reasonable balance between protection and convenience.
Strong passwords raise three other issues:
An excellent strong password—x#56JW7*d—is by its very nature hard to remember.
Using one password for all your accounts gives anyone who gets the password the keys to your kingdom.
If you use different strong passwords every time you need a password, you will never remember them all.
Of course, you could write your passwords down, but a Post-it note with your strong password stuck to your computer monitor defeats the purpose of having a password in the first place.
To add to the complications, the bad guys now use “brute force” password-cracking tools based on dictionaries and common passwords. Words, names, team nicknames and the like are easy to break.
So you need to develop some sound password practices based on a few simple strategies. Here are three approaches you might consider.
Weed out your weak passwords: If you are using any commonly used passwords, change them now. Try to get rid of words and names in passwords, including names of children, pets and sports teams.
Develop a system for creating “memorable” strong passwords: I have always liked the idea of a “base plus” system of creating passwords. You simply create a standard root password, then change the suffix to help you create new, unique, but memorable passwords. If your “root” password was b5#JMS, your password for the New York Times Web site might become b5#JMS_nyt. It’s a strong password that would be difficult to break, but easy for you to remember. If you have to change a password on a monthly or quarterly basis, you can add a rolling number to the end of the root—b5#JMS/03, b5#JMS/04, etc.
Turn “pass phrases” into strong passwords: Some recommend using a sentence or phrase as a password. For example, “I_love_the_ABA_Journal.” This approach, especially if you add a number, gets you to a strong password, but it contains recognizable words that could be subject to a dictionary cracker. Or a character limit on passwords might block its use. I like turning a pass phrase into a base password by using the first letters of your phrase, and then adding symbols and numbers. The pass phrase would then be something like “iltABAJ!2007.”
With a little effort, you can develop a simple, effective system to create strong passwords that will improve security and be easy to remember and use. If you use poor password practices or weak passwords, you put your whole network at risk. Today is a very good day to think about your passwords and your password strategies. Let’s be careful out there.
Dennis Kennedy is a St. Louis-based computer lawyer and legal technology consultant. His Web site, DennisKennedy.com, is the home of his blog. Contact him at [email protected].