Saturday, November 20, 2010

A simple way to design a secure password

Since we can access many of our belongings - from email accounts to bank accounts - online, it is important to have strong passwords.

When setting a password, two conditions should be satisfied:
1. the password for each account should be hard to guess, and
2. the password for each account should be different.

Condition 1 is obvious. A lock is useful only if it is hard to pick. A person may try to break the password by using personal information such as a family member's name or a birthday. A program can try every word in a dictionary, together with strings such as '123' and the passwords that are known to be most common (for example, see http://www.foxnews.com/scitech/2010/01/26/common-internet-passwords/), at a rate of many thousands of guesses per second.

Condition 2 says that you should not use the same key for all your locks, even if the key itself is secure (i.e. the password is hard to guess). If one account is compromised, for example an email account whose password was stored or transmitted insecurely, then a bank account protected by the same password is exposed as well, because the first thing an attacker does with a stolen password is try it on other sites.

The challenge with setting good passwords is that most people (including me) find it hard to remember many different passwords. To get around the problem, a person can design a simple rule that generates a password for each account. In order to meet both conditions above, the rule must combine two elements:
1. a personal key, which is the same for every account and known only to you, and
2. an account-specific key, derived from the account name so that each site gets a different password.

For example, I am Arnab and I want to set a password for my Yahoo account. I could use the password 'ArnabYahoo', except that it would be predictable. Instead, I can build it in three steps:
1. Choose a personal key, say 'alaihy', which I can remember easily because it is the first letters of the song title "As Long As I Have You".
2. Derive an account-specific key by replacing each letter of 'Yahoo' with the next letter of the alphabet, which gives 'zbipp'.
3. Combine the two keys by alternating their letters, personal key first, which gives 'azlbaiiphpy' (the personal key is one letter longer, so its last letter ends up at the end).
The result is hard for a stranger or a program to guess. The same rule applied to Google gives the account key 'hpphmf' and the password 'ahlpapihhmyf'.

The above is just an illustrative example. There can be infinite variety in the ways in which a person can choose personal and account-specific keys and combine both. Depending on your appetite for complexity and your need for security, you can design a simpler or harder rule.

The weakness of the above approach is that a password built by a rule reveals the rule. If someone obtained a few of your passwords in plaintext and knew which accounts they belonged to, they could spot the disguised account name inside each one and work out how the personal key and the account key are combined; with a rule as simple as the shift-and-interleave example, even a single leaked password is enough once the shape of the rule is suspected, and every other account's password then follows from its name. The effort required to collect passwords and uncover the rule is still significantly higher than guessing one weak password or reusing a leaked one, but the less obvious the account-specific transformation and the combination step are, the less one leak gives away.
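The rule from the Yahoo/Google example, and the weakness just described, written out as a small script. This is an added example and not code from the original post; the function names and the "attacker knows the shape of the rule" assumption are mine. It reproduces the two passwords in the post and then goes one step beyond it: given one leaked password and the account it belonged to, recover_personal_key undoes the rule, after which the attacker can derive the password for any other account by name.

```python
# Added example (not from the original post): the personal-key + account-key
# password rule described above, plus the reverse direction an attacker would
# take once the shape of the rule is known.
import string
from typing import Optional


def shift_letters(word: str, shift: int = 1) -> str:
    """Account-specific key: replace each letter with the letter `shift` places
    later in the alphabet (z wraps to a). Input is lowercased because the post's
    examples are lowercase; non-letters are kept as they are."""
    out = []
    for ch in word.lower():
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def interleave(a: str, b: str) -> str:
    """Alternate the characters of a and b, starting with a. Whatever is left
    of the longer string is appended once the shorter one runs out, which is
    why 'alaihy' + 'zbipp' ends in 'y'."""
    out = []
    for i in range(max(len(a), len(b))):
        if i < len(a):
            out.append(a[i])
        if i < len(b):
            out.append(b[i])
    return "".join(out)


def derive_password(personal_key: str, account_name: str) -> str:
    """The rule from the post: interleave the personal key with the shifted
    account name."""
    return interleave(personal_key, shift_letters(account_name))


def recover_personal_key(password: str, account_name: str) -> Optional[str]:
    """Attacker's view (assumption: the shape of the rule is already suspected).
    Given one leaked password and the account it came from, split the
    interleaving back apart. Returns None if the shifted account name is not
    where the rule would have put it, i.e. the password does not fit the rule."""
    account_key = shift_letters(account_name)
    k = len(account_key)
    n = len(password) - k          # length the personal key must have had
    if n <= 0:
        return None
    m = min(n, k)                  # number of fully alternated pairs
    personal = password[0:2 * m:2]
    from_account = password[1:2 * m:2]
    tail = password[2 * m:]        # leftover of whichever key was longer
    if n >= k:
        personal += tail
    else:
        from_account += tail
    if from_account != account_key:
        return None
    return personal


def attack_other_account(leaked_password: str, leaked_account: str,
                         target_account: str) -> Optional[str]:
    """One leak plus the rule gives every other password by account name."""
    key = recover_personal_key(leaked_password, leaked_account)
    return None if key is None else derive_password(key, target_account)


if __name__ == "__main__":
    print(derive_password("alaihy", "Yahoo"))                 # azlbaiiphpy
    print(derive_password("alaihy", "Google"))                # ahlpapihhmyf
    print(recover_personal_key("azlbaiiphpy", "Yahoo"))       # alaihy
    print(attack_other_account("azlbaiiphpy", "Yahoo", "Google"))  # ahlpapihhmyf
```

The consistency check in recover_personal_key matters: if the attacker pairs the leaked password with the wrong account name, the letters that should spell the shifted account name do not, and the function reports that the rule does not fit rather than returning a wrong key.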

3 comments:

Anonymous said...

Mentioning the use of special characters would be relevant here. Typically the brute force crackers use 26+26 characters to generate random permutations. Inclusion of special characters would increase the set of characters multifold.

Anonymous said...

Quite informative blog post, though.

Unknown said...

Agreed that the use of special characters increases the size of the search space significantly. I use them myself.

Then again, this post is not intended as a guideline to design unbreakable passwords. The problem I see is that too many people are daunted by passwords, and end up using something totally lame or reusing the same password everywhere. If we could just get them all to use different length-10 passwords on each website, even with just 26+26+10 (uppercase+lowercase letters+digits), a hacker would have a search space of 62^10 ≈ 10^18 to rummage through.