A Brief Litany on Password Security


Sometimes we do or say some things that live on in the minds and hearts of others in spite of our best efforts to eradicate them.  The number of times I’ve personally had to shove my foot in my mouth, eat humble pie, or wish for a Men In Black-style memory erasing flashlight are too numerous to count.  But I’ll share one in particular that still causes me to grimace like I’ve just eaten at Taco Bell.


This was back around 2002, and I was working in a Network Operations Center (NOC) for an Internet Service Provider (ISP) providing top tier remote network support for businesses.  A local tech school decided to partner with our company to peddle their technical wares on TV by creating an infomercial on cyber security.  The big day arrived, and there I was all decked out in a suit just for the occasion, ready for the cameras.  It was during one of the interviews that I uttered a line that still lives on in infamy – “There’s always going to be the bad guy, there’s always going to be people trying to get your stuff.  Get your data, get control of your network…”

I was all into it, my clean shaven face as zealous as any cult leader.  I even bobbed my head emphatically on the BAD GUY and the GET your STUFF lines.  Of course I made the cut and wound up on TV, and of course I got razzed incessantly about it.  But it is indeed true – there always will be the bad guy, and they will always be after your stuff.  What is your first line of defense in protecting your stuff?

A well-crafted password is your first line of defense against the bad guy

Why do viruses and intruders run rampant across computer systems?  A big reason is weak passwords.  Most Windows installations just boot right up into a desktop without any password at all.  Don’t act surprised when you get a virus that kicks you out of your own computer.  If you won’t set a good password, a hacker will gladly do so for you.

Referencing an excellent article by Sheep Slapper in the Spring 2011 edition of 2600 The Hacker Quarterly, the single most common password is “password”.  Based on his studies (and I shudder to think how he gathered this data), about 35% of all the passwords in use are 6 characters or less, and 14% of all passwords are found directly in a dictionary.  So I’ll start with this:

  1. Any password that is six or less characters is candy for hackers
  2. Any password that is found in a dictionary is chocolate Newb Sauce on above-mentioned candy

Newb Sauce here is used as a derogatory term for someone with little technical skill.  You can’t figure out how to print?  Newb Sauce.


Some Fine Password Guidelines

Do not settle for a password that is less than eight characters, or that can be found in a dictionary.  Don’t ever use any form of the word password, not even with special characters swapped in.  And don’t use an unmodified name of a pet, family member, or sports team as your password.  Using a dictionary attack, such a password can be cracked in a remarkably short amount of time, and cracking tools apply rules that undo the usual tricks (swapping a for @, o for 0, tacking a year on the end), so those tweaks buy far less than they appear to.

Every single password should contain at least one of each of the following:

  1. An uppercase letter
  2. A lowercase letter
  3. A number
  4. A special character such as @ or $ or !

Do not use the same password for all your accounts.  If someone guesses one, or one site leaks it, they have them all.

Password Examples

Weak Password: racheldare (all lowercase and it’s your name which equals fail)

Better Password: RachelDare (at least uses upper and lower case but still your name)

Stronger Password: R@che1D@rE (uses all four of the above, though it’s still your name, and the @-for-a and 1-for-l swaps are exactly the rules a cracking tool tries first)

Note: Try running some of these in a password strength checker to get an idea of their strength, but keep in mind that many such checkers only count length and character classes, so they will happily rate P@ssw0rd as strong.

Weak Password: godislove (all lowercase, and in this case a hacker will love it too)

Better Password: GodIsLove (at least uses upper and lower case)

Stronger Password: John3:16 (uses all four of the above, but a famous verse reference is the kind of well-known phrase that shows up on cracking wordlists, so it is still a guess away)

Weak Password: password (don’t even bother setting a password like this)

Still Weak Password: Password (oooh uppercase and lowercase but still Newb Sauce)

Still Weak Password: P@ssw0rd (look, don’t ever use a variation of password)

Weak Password: fishsticks (all lowercase, dictionary word)

Better Password: FishSticks (at least using upper and lower case but still a bad idea)

Strong Password: F1$h!Styx1973 (might as well go all Tommy Shaw on you with this one)
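Here is a checker that applies the guidelines above to the example passwords.  It is an added example, not code from the original post: the word list is a small constructed stand-in for a real dictionary or breach list, and the leet-speak table is an assumption about what a cracking rule set undoes, which is how it catches P@ssw0rd and R@che1D@rE even though both tick all four character-class boxes.

```python
import itertools
import re
import string

# Constructed stand-in for a dictionary / leaked-password list.  Assumption: a real
# check would load a file such as /usr/share/dict/words or a breach wordlist instead.
COMMON_WORDS = {
    "password", "letmein", "qwerty", "iloveyou",
    "racheldare", "rachel", "godislove", "fishsticks", "fish",
    "john316",  # well-known verse references turn up in leaked password sets
}

# Substitutions that cracking rule sets routinely undo (assumed table); "1" and "!"
# are ambiguous, so both readings are tried.
LEET = {
    "@": "a", "4": "a", "3": "e", "0": "o", "$": "s", "5": "s", "7": "t",
    "1": "il", "!": "il",
}


def deleet_candidates(pw):
    """Every plain-letter reading of pw once the LEET substitutions are undone."""
    choices = [LEET.get(ch, ch) for ch in pw.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def base_forms(pw):
    """Forms to look up: lowercase, leet-undone, and with a trailing digit run
    dropped, so 'fishsticks1973' still hits 'fishsticks'."""
    forms = set()
    for cand in {pw.lower()} | deleet_candidates(pw):
        stripped = re.sub(r"[^a-z0-9]", "", cand)
        forms.add(stripped)
        forms.add(re.sub(r"[0-9]+$", "", stripped))
    forms.discard("")
    return forms


def check_password(pw, wordlist=COMMON_WORDS):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "uppercase letter": any(c.isupper() for c in pw),
        "lowercase letter": any(c.islower() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "special character": any(c in string.punctuation for c in pw),
    }
    problems += [f"no {name}" for name, present in classes.items() if not present]
    forms = base_forms(pw)
    if any("password" in form for form in forms):
        problems.append("variation of the word 'password'")
    elif forms & wordlist:
        problems.append("dictionary word (possibly leet-speak or with a digit suffix)")
    return problems


if __name__ == "__main__":
    for pw in ["racheldare", "R@che1D@rE", "GodIsLove", "John3:16",
               "P@ssw0rd", "FishSticks", "F1$h!Styx1973"]:
        verdict = check_password(pw)
        print(f"{pw:16} {'OK' if not verdict else '; '.join(verdict)}")
```

Of the examples above, only F1$h!Styx1973 comes back clean; the point of undoing the substitutions before the dictionary lookup is that a checker which merely counts character classes would pass P@ssw0rd, R@che1D@rE and John3:16 too.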

And hey – if you insist on reusing a strong password across accounts, at least tweak it for each site you use it at.  Understand that this is a thin defense: if one site leaks F1$h!StyxEB, anyone who sees it can guess F1$h!StyxGM on the first try, so treat per-site tweaks as a stopgap until you let a password manager (see below) generate a different random password for every account.

Ebay password variation: F1$h!StyxEB

Gmail password variation: F1$h!StyxGM

Minecraft password variation: F1$h!B0Om3r

Computer password variation: F1$h!StyxPC

Look for Passwords on everything and change them

I was at a friend’s house a few days ago, and he was kind enough to provide his secure wireless key (which is, in essence, a password) so I could follow NFL scores on my iPad.  So naturally I took advantage of his hospitality by probing his entire network, and noticed that his home router was set up with the ever popular default username / password combination of admin / admin.  I gave him a nice aneurysm by showing him how easy it was to hack into it.  And if I own (gain access to) your router, I can control your entire network.  Think of your router as the King in a chess game – if someone takes your King, it’s all over.  If it’s your stuff, lock it down.  Because there will always be the bad guy who is after your stuff.

OK so great – now I have a kajillion passwords and I forgot them all

Download a tool like the KeePass Password Safe and store all your passwords in that.  And if you’re going to do that, I’d recommend that you use a ridiculously long, complex master password just to get into the program, then use randomly generated passwords for all your other stuff.  KeePass can generate those for you, and it makes things uber secure.  With a randomly generated password there is no dictionary word or pet name to guess, so the bad guy has to fall back on brute forcing, and the time that takes grows exponentially with the length of the password: every extra character multiplies the number of guesses by the size of the character set.  I’ve personally done this and can testify to this.  Imagine trying aa, then ab, then ac, then ad, and so on until you get the password right?  A tool like L0phtCrack will do this for you automatically, and can also run dictionary attacks to try and gain access.  But why make it easy for the bad guy?  They are always after your stuff.
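To put numbers on the brute-force picture above, here is an added example (not from the original post, and not KeePass code) that generates a password with a cryptographically secure random source the way a manager does, enumerates guesses aa, ab, ac, ... against a short target, and works out how the cost of an exhaustive search grows with length.  The guess rate is an assumed figure for illustration only, not a measurement of any particular cracker.

```python
import itertools
import math
import secrets
import string

# 94 printable ASCII symbols: upper, lower, digits, punctuation.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=FULL_ALPHABET):
    """What a manager does: pick each symbol uniformly with a CSPRNG, not random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def brute_force(target, alphabet, max_len):
    """Try every string of length 1..max_len over alphabet (a, b, ..., aa, ab, ac, ...).
    Returns (recovered_password, attempts) or (None, attempts) if max_len is too small."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            if "".join(combo) == target:
                return target, attempts
    return None, attempts


def keyspace(length, alphabet_size):
    """Number of candidates of exactly this length."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """log2 of the keyspace: each extra symbol adds log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


if __name__ == "__main__":
    # Short target over a 3-letter alphabet so the exhaustive search finishes on screen.
    pw, tries = brute_force("cab", "abc", 3)
    print(f"recovered {pw!r} after {tries} guesses")

    RATE = 1e9  # assumed guesses per second, for illustration only
    for length, size, label in [(6, 26, "6 lowercase"), (8, 94, "8 mixed"),
                                (12, 94, "12 mixed"), (20, 94, "20 mixed (generated)")]:
        secs = seconds_to_exhaust(length, size, RATE)
        print(f"{label:22} {entropy_bits(length, size):6.1f} bits  "
              f"{secs / (365 * 24 * 3600):.3g} years")

    print("sample generated password:", generate_password())
```

The table it prints is the whole argument for length: six lowercase letters fall in under a second at the assumed rate, while a 20-character generated password is over 130 bits of entropy and the same rate would need far longer than the age of the universe.  The brute-force loop is deliberately naive; a real cracker tries dictionary words and rule variations first, which is exactly why a random password, with nothing for those rules to latch onto, forces it back to this loop.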

OK so the nerds out there are lamenting that I was too easy on you with these tips and tricks.  But it’s a good start, and at the very least may get you thinking more about your security.  If I can accomplish that, I’ll consider this a successful post.
