What is a good password?

I was recently asked what I thought a strong password is. My reply was rather long as I believe that passwords are more important than most people think. After all, a password is your first line of security. Please give me a break and do not use something easy to guess, like your child’s name, or your child’s name and year of birth. I have seen too many of these. Microsoft Windows Server 2003 has the default settings requiring a minimum of 8 characters with upper and lower case letters, and at least one number and/or special character. You have probably had to use a password like this at work, school or any place you need to use passwords.

I ran across ‘how long it takes to break a password’ on the internet a while back. I thought it was cool so I copied and pasted it to my computer. I do not know where it came from originally, but here it is:

A good password today is at a minimum 8 characters, and can consist of any one of 95 keypresses on the keyboard. 95^8 = 6.6e15 combinations.
If you don’t use special characters, that 8 character password is only 62^8 = 2.2e14 combinations.
If you don’t use numbers, that 8 character password is only 52^8 = 5.3e13 combinations.
And if you don’t even bother to change cases, that 8 character password is 26^8 = 2.1e11 combinations.

Those numbers don’t tell the real story. Old Windows XP passwords could be cracked on average 2011 hardware at about 10 million (1e7) combinations / second. The “good” password above would be cracked in 21 years (max). No special characters would be cracked in 8 months. No numbers in 2 months. And single-case only in 6 hours.

But today we have GPU password cracking, and much better hardware. A Radeon 5770 could crack the “good password”, 8 characters long in a mere 28 hours. That was hardware from 2 years ago.

With that in mind, the real question is: what information are you protecting? If all you do with your computer is to check email and Facebook, then the 8 character password will be fine. If you do online banking and have tax returns on your computer, then you may want to consider a 12 or 15 character password with upper and lower case letters as well as numbers and special characters. When it comes to passwords, bigger is better, and so is using everything possible to create the password.
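The arithmetic above as a small calculator (an added example, not part of the original post or its quoted source): it works out the alphabet a password draws from, the exhaustive-search keyspace, and the worst-case time at the post's 1e7 guesses/second and at the GPU rate implied by the 28-hour figure. The sample passwords are constructed, and the result is an upper bound that only holds for randomly chosen characters.

```python
import string

# Character classes behind the post's arithmetic: 26 + 26 + 10 + 33 = 95.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation + " ",
}

CPU_RATE = 1e7                    # guesses/second, the post's 2011 figure
GPU_RATE = 95**8 / (28 * 3600)    # rate implied by "95^8 in 28 hours"


def alphabet_size(password):
    """Sum the sizes of the character classes that appear in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password):
    """Candidates an exhaustive search must cover for this length and alphabet."""
    return alphabet_size(password) ** len(password)


def worst_case_seconds(password, rate):
    """Time to try every candidate; a dictionary word falls far sooner."""
    return keyspace(password) / rate


def humanize(seconds):
    for unit, size in (("years", 31557600), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed samples: the four 8-character cases, then 12 and 15 characters.
    samples = ("qwertzui", "Qwertzui", "Qwertzu1", "Qwertz1!",
               "Qwertzuiop1!", "Qwertzuiopasd1!")
    for pw in samples:
        print(f"{len(pw):2d} chars, alphabet {alphabet_size(pw):2d}: "
              f"{humanize(worst_case_seconds(pw, CPU_RATE)):>24} at 1e7/s, "
              f"{humanize(worst_case_seconds(pw, GPU_RATE)):>20} at GPU rate")
```
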

I started my IT career in the mortgage industry, so security is important to me. I not only use long passwords, but I also encrypt my sensitive data. (Look forward to another post about encryption later.) If I am encrypting a folder or a partition, I would suggest a minimum of 20+ characters. When encrypting a system drive, I have been known to use 40+ or even 60+ characters for my passwords. But then I am a proud password freak.

I can hear you all now, because I have heard it before. But Ron, but Ron, how do you remember those long passwords? Use a passphrase or use a short story. Mix it up by using text speak and misspelling words. Let’s look at the passphrase, ‘to be or not to be’.

To: 2 or Two, tWo, twO, TWO or Too, tOo, toO, TOO or To, tO, To. There are even more combinations you can think of.
Be: B, b or Be, bE, be, BE
Or: Or, oR, OR, or – @r, @R
Not: Not, nOt, noT, NOt, nOT, NOT, not etc.
To: 2 or Two, tWo, twO, TWO or Too, tOo, toO, TOO or To, tO, To
Be: B, b or Be, bE, be, BE

As you can see, it will take you a while to break through this password even if you know what the password is. Let your imagination run wild. Here are some more ideas.

I can be: I or i or even 1 or !
A can be: A or a or even @
H can be: H or h or even #
O can be: O or o or even @
V can be: V or v or even ^
M can be: M or m or even ^^
N can be: N or n or even ^
At can be: At, aT, AT, at, or even @
And can be: And, aNd, anD, or even &
Star can be: Star, sTar, staR, or even *
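How large the search space is for the ‘to be or not to be’ spellings listed earlier, as an added example (not part of the original post): it counts every distinct spelling for someone who already knows the phrase and the substitution list, and compares that with exhaustive search over the same length at the post's 1e7 guesses/second. Joining the words without separators and the sample spelling are assumptions.

```python
from itertools import product

# Spellings as listed in the post; "etc." entries are not expanded and
# repeated entries are dropped, so the count is a lower bound.
VARIANTS = {
    "to":  ["2", "Two", "tWo", "twO", "TWO", "Too", "tOo", "toO", "TOO", "To", "tO"],
    "be":  ["B", "b", "Be", "bE", "be", "BE"],
    "or":  ["Or", "oR", "OR", "or", "@r", "@R"],
    "not": ["Not", "nOt", "noT", "NOt", "nOT", "NOT", "not"],
}
PHRASE = ["to", "be", "or", "not", "to", "be"]
RATE = 1e7  # guesses/second, the post's 2011 figure


def candidates(phrase=PHRASE, sep=""):
    """Every distinct spelling of the phrase (assumption: words joined by sep)."""
    choices = [VARIANTS[word] for word in phrase]
    return {sep.join(combo) for combo in product(*choices)}


def known_phrase_seconds(rate=RATE):
    """Worst case when the phrase and the substitution list are both known."""
    return len(candidates()) / rate


def blind_seconds(password, alphabet=95, rate=RATE):
    """Worst case for exhaustive search over the same length, phrase unknown."""
    return alphabet ** len(password) / rate


if __name__ == "__main__":
    sample = "2BorNot2b"  # constructed: one spelling from the set above
    print(f"spellings of the known phrase: {len(candidates()):,}")
    print(f"known phrase, worst case:      {known_phrase_seconds():.3f} seconds")
    years = blind_seconds(sample) / 31557600
    print(f"blind search, {len(sample)} chars:         {years:,.0f} years")
```

The protection comes from the phrase being unknown and long; the case and symbol swaps add comparatively little once the phrase itself is guessed.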

I am sure you can think of many more combinations. The key to remembering the password is to use it regularly. If you do write it down, do not have it anywhere near where the computer is. A strong password is worthless if it is taped on the bottom of the keyboard or under the desktop calendar or blotter. It reminds me of a lot of lame movies and how easy it is for someone to find a password.

Another thing to keep in mind is that you should change your passwords regularly. Once you have found yourself a good strong password, and started to use it, it is time to start looking for another password to use. I always choose poor passwords when the server tells me it is time to change my password and I have not planned ahead. I am also more likely to forget a password that I came up with in less than a minute. The longer it takes you to create the password, the harder it will be to break the password.

Passwords are a very important part of personal security. How do you manage your passwords if you have a lot of sites that you log into on the internet? Do you use one password and change it monthly? Do you use different passwords and keep a ‘password’ list on your computer? (I can search ‘password’ on your computer and find your list, no matter how well you hide it.) Maybe you use a password safe like KeePass. I may have to follow up with another post talking about passwords on the internet.

Until then, be safe.

Ron
