More on Passwords

Passwords are your keys to your digital kingdom. These are what allow you access while others are denied. The advent of the computer and the Internet has meant that many of us are called on to regularly create and assign passwords. Passwords that allow access to documents that we want to keep away from prying eyes, financial records, business plans and so on. We are also in a position on having to create and remember passwords that will allow us entry to various parts of the online world, such as our account details at various online retailers, banks and email lists. It is usually taken for granted that we are good and creating effective passwords and even better at remembering them all. While some are good at this, most aren't and give the passwords that they choose and use little though that is until some thing goes wrong.

TIP: Identity theft is on the increase. Victims of this crime stand to lose an awful lot. If you don't currently make use of passwords to secure data on you computer, you might want to reconsider a computer contains a lot of personal information about you and your dealings. By not securing it you are making it easier for criminals and fraudsters to target you.

Why use passwords?

Chances are, you are surrounded by passwords, PIN codes and security devices. On your PC or PDA you might have a password to allow you to switch it on, a password to log you onto your networks, another to log you onto the Internet, various passwords for accessing email and certain websites and passwords protecting files that you want kept away from prying eyes. Without passwords we'd all rely on trust that others wouldn't access out files or use resources that we paid for. 

TIP: Do a quick tally of the passwords/PIN codes that you have. It's more than likely that you won't remember all of them but if you can come up with between 10 and 20 that makes you about average.

The root of bad passwords

I believe that if there is one creation that has influenced our thinking and encouraged lax passwords it is the PIN code. That 4-digit number you type in at ATMs when you want to withdraw cash or check a balance. The thinking is that if 4-digits if enough to protect your money, then why do we need anything more complex than that on the Internet.
The difference between an ATM pin code and a password to protect access to your account details at an online store is the fact that an ATM machine employs other security features that might not be instantly obvious. The first of these is the card you insert into the machine. Without this you never get to the point where you can start typing in the PIN. The card is a security device. You have to have the card, and it has to be valid and functional (that is, the magnetic strip must be undamaged). Once you've inserted the card into the machine you can enter your PIN. A 4-digit PIN means that your PIN code will fall between 0000 and 9999, that's 10,000 possible PIN codes for each card. So by typing in a random 4-digit PIN code into an ATM someone would have a 1 in 10,000 chance of getting the PIN code right. The developers of ATM machines, realizing that when dealing with humans you have to make allowances that they might make mistakes when entering a PIN, also decided that you should have three chances to enter in the correct PIN code before either spitting out your card or swallowing it permanently. The system is geared in such a way that it is user-friendly to you but someone trying to fraudulently make use of a lost or stolen bank card has only 3 chances in 10,000 to get it right 1 in 3,333. The ATM system works well and offers people who use the system good levels of protection. This is because it relies on something that the person has (the card) and something the person remembers to go with it (the PIN code).

However, this system has conditioned many people into thinking that a 4-digit access code it sufficient in the digital world. I can assure you that it is not, and here is why.

Let's summarize some of the key security features built in to the ATM system:

  • You need a valid bank card
  • You have three attempts to enter a PIN code
  • If you are incorrect at the third attempt, you are denied the chance to try again

Now let's think of a password protected application. Maybe it's a document such as your financial records or a backup file such as a .ZIP file that is protected. When you go to open a file like this, does it first ask you to enter a card or some form of ID? No! Anyone with a copy of the file (and its not hard is it to make copies of files on a computer some of the latest viruses are designed to find certain files and post them to the internet or newsgroups) can usually have a go.

NOTE: I am generalizing here a little here. Windows NT, 200 and XP Pro do have features that make copying and opening a file on other systems much more difficult but few choose to implement this level of security.

This is the first problem. It doesn't ask the other person to verify who they are. It's the equivalent of walking up to an ATM and just entering in a PIN codes until you get one that works.

Now, even if ATMs didn't need bank cards, they still only let you try three times before they would block you. What about the file that you (or someone else) are trying to open. Does it offer this protection? No! This is another serious flaw. You can keep on trying and trying until you get it right. This sounds tedious and it is. Entering in PIN codes and passwords manually, at random, until you struck the right one would be a long, boring process. Unless the rewards were high enough, even a determined thief might give up. However, computers have make it easy to speeding things up. Using even a very basic computer and tools commonly available on the Internet it is possible to automatically try thousands of passwords a second for many different types of files that use password protection. This method of trying password automatically is called a "brute force" attack. 

Against this the humble 4-digit PIN code would be lucky to survive a second. 

Put plain and simple, a 4-digit password used to protect a file or control access to information stored on a website (such as credit card details) simply isn't enough.

Good password and bad passwords

Bad passwords fall into a few categories:

  • Password containing less than 8 characters. Below this level, a brute force attack is feasible. At this level or above, most brute force attacks would take a very long time.
  • Words directly out of a dictionary. Hackers and fraudsters have access to dictionaries and can search against entries very quickly.
  • Sequences like 000000, 1111111, abcdef, abc123, and so on. These are commonly (and unwisely) and fraudsters will try them out early.
  • Names, dates, and place names are all bad choices.

NOTE: Dictionary attacks on passwords are a very common method of attack and to search through 220,000 words in all upper and lowercase combinations could be carried out in as little as a few days.

It's not hard to choose a good password. All you need to do is follow a few simple rules.

Rules for creating good passwords

  1. A good password should be at least 8 characters long.
  2. A good password should ideally contain letters and numbers.
  3. Letters should be mixed upper and lower case.
  4. If possible, integrate symbols and punctuation into the password.
  5. Add something random to it. A couple of characters at the beginning, middle or end are ideal. This adds an extra random element to the password you create

TIP: Some good symbols to add to a password are:


NOTE: Some system may restrict some of these characters. Try them out and see if you can use them.

So, by following the four simple rules laid out above we can observe the evolution of a good password

STEP 1 - Start off with a word or a phrase. This won't be the actual password, just a handy starting point:


STEP 2 - Mix into this a few number. It's handy for remembering a password if the numbers you use resemble the letters you are replacing. 


STEP 3 - Change the case of a few of the remaining letters:


STEP 4 - Next, sprinkle in a few symbols:


Notice here how we substitute the 0 for ( and ), adding an extra character to the password, making it even better!

STEP 5 - Finally, let's add something random to it:


Even though we began with a pretty poor starting point (the word password) by applying the five simple rules to it we end up with quite a good password.

Sensible password use

Having a good password is only part of having a good defense. There are a few simple rules you have to follow to make sure your data or finances are safe.

  • Never use the same password for two different things. Have separate passwords for securing files (preferably a different password for each different application that needs one) and one for each online site that needs one. Reusing passwords weakens your security and if your password is compromised you'll have a lot of work to do changing it everywhere.
  • Never disclose a password to anyone, either verbally, on the phone of by email, not even if it appears to be a genuine request. 
  • Change high-value passwords regularly. A high-value passwords is one which, if compromised, would result in a loss to you or your company. 
  • Never write a password down.
  • Be careful about copying a password to the Windows clipboard. If you do this, copy something else to make sure it isnt easily available to the next user.
  • Never store passwords as plain text (in notepad files or as word processor documents).
  • Never rely on any default passwords you have been issued. Change them as soon as possible.
  • When using your passwords online, make sure you are using a secured website (these web addresses begin with https:// instead of http://).
  • If you have many passwords if might be a good idea to get a good program to store them in. If they are to be safe you need to make sure that you can trust the encryption that the application employs and you'll still need to remember the password to open your password file!

TIP: Many password storage applications are also capable of generating strong passwords that are made up of random characters.

Adrian Kingsley-Hughes
Last updated: May 4th 2004
Print This Page   |   Email me when this page changes    |  Search This Site System Scanner does the work for you!

Contact Us