Skip to content


Anatomy of a Good Password

Most information security professionals agree that passwords, in order to be effective, need to be complex and use at least three of the following: uppercase letters, lowercase letters, numbers, and special characters (i.e., !, $, ), ?, etc.). There is, however, strong disagreement about usability. For example, many will argue that Z9!*pQZ7Rn! is a good password. Not in my book! In order to be effective, a password has to be both strong and memorable. Aside from being terribly hard to type, the only thing memorable about Z9!*pQZ7Rn! is that it’s nearly impossible to remember. Passphrases, but not common ones like America’sTeam can be quite effective. Redskin fans may be inclined to use HailToTheRedskins, but instead should modify it to something like rail,2theHEADskins. You should be able to make your own quirky passphrases that cannot be guessed or easily cracked by password-breaking software attacks. Anybody who knows you should know the names of family members and pets, so they fail the first criterion. For Windows log ons, any password under eight characters can be easily broken, as can most under fifteen characters. Wireless network encryption keys should be at least twenty-eight, to be effective. In most cases, the key only needs to be typed once, so such a long key is not usually a big problem. On the flip side, asking paying customers in a coffee shop to type a twenty-eight character encryption key would be a risky business proposition!

It’s important to consider just what you are protecting with your passwords. For most people, your password to a newspaper web site is not that important, unless they have your credit card number, or other confidential or proprietary information; however, if you have a high profile, you certainly do not want people making unauthorized comments in your name. Bank and brokerage accounts are intuitively obvious, but email accounts are also very important. For example, once someone has access to your email, that person can attempt to log in to any online account and click the Forgot Password link. Many sites will email the password or a password reset link. It gets quite ugly from there!

Lastly, consider physical security. If you are in a location with access by those who should not have your passwords, do not have your passwords written down. Likewise, do not let your web browser manage passwords for any accounts that you need to protect. There are many robust password safes that require a master password to access. Norton’s Identity Safe is one such product.

Please remember — it’s your privacy. Do what you can to protect it.

Posted in Information Security, Privacy, Technology.

Tagged with , .