Your living
space has doors and windows, and perhaps most of the time
they’re locked. For each lock that uses a key, chances are that
each key is different. You know to lock up and not to share the
keys with strangers, and probably not with most of your friends.
You should not hide keys under the mat or in a flowerpot on your
front porch.
Passwords for computers are much the same. For each computer
and service you use (online purchasing, for example), you should
have a password. Each password should be unique and unrelated to
any of your other passwords. You shouldn’t write them down nor
should you share them with anyone, even your best friends.
Take a look at your front door key. It’s pretty complicated. There are lots of notches and grooves. If there weren’t so many possible variations, a thief could easily make a key for every possible combination and then try each on your front door. This trial-and-error method (for computers, called brute force) is likely to be effective even if it takes a long time. Nonetheless, no matter how complicated the key is, if the thief gets hold of it, he or she can copy it and use that copy to open your door.
A password can also be complicated. Most schemes let you use
any combination of letters, both upper and lower case, and
numbers; and some also let you use punctuation marks. Lengths
can vary. You can create a password to be as complicated as you
want. The key (no pun intended) is to be able to remember this
password whenever you need it without having to write it down to
jog your memory.
Like the thief at your door, computer intruders also use
trial-and-error, or brute-force techniques, to discover
passwords. By bombarding a login scheme with all the words in a
dictionary, they may “discover” the password that unlocks it. If
they know something about you, such as your spouse’s name, the
kind of car you drive, or your interests, clever intruders can
narrow the range of possible passwords and try those first. They
are often successful. Even slight variations, such as adding a
digit onto the end of a word or replacing the letter o (oh) with
the digit 0 (zero), don’t protect passwords. Intruders know we
use tricks like this to make our passwords more difficult to
guess.
Just like the front door key, even a complicated password can
be copied and the copy reused. Remember the earlier discussion
about information on the Internet being in the clear? Suppose
that really strong password you took a long time to create – the
one that’s 14 characters long and contains 6 letters, 4 numbers,
and 4 punctuation marks, all in random order – goes across the
Internet in the clear. An intruder may be able to see it, save
it, and use it. This is called sniffing, and it is a common intruder practice.
The point is that you need to follow the practice of using a
unique password with every account you have. Below is a set of
steps that you can use to help you create passwords for your
accounts:
- The Strong test: Is the password as strong
(meaning length and content) as the rules allow?
- The Unique test: Is the password unique and
unrelated to any of your other passwords?
- The Practical test: Can you remember it
without having to write it down?
- The Recent test: Have you changed it
recently?
In spite of the SUPR tests, you need to be aware that
sniffing happens, and even the best of passwords can be captured
and used by an intruder.
You should use passwords not only on your home computer but
also for services you use elsewhere on the Internet. All should
have the strongest passwords you can use and remember, and each
password should be unique and unrelated to all other passwords.
A strong password is one that is long rather than short, that uses a combination of uppercase and lowercase letters, numbers, and punctuation, and that is not a word found in a dictionary. Also remember that no matter how strong a password is, it can still be captured if an intruder can see it “in the clear” somewhere on the Internet.
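As an added illustration of the Strong test and of why the “o to 0” and “add a digit” tricks described earlier do not help, here is a small checker (example code written for this page, not part of the original guide). The word list and the 14-character minimum are assumptions: the list is a constructed stand-in for the much larger dictionaries intruders actually use, and 14 is taken from the page’s own example of a strong password.

```python
import re
import string

# Constructed stand-in for a cracking dictionary (real lists hold millions of words).
DICTIONARY = {"password", "sunshine", "toyota", "welcome", "dragon"}

# Common look-alike substitutions; the checker undoes them, just as intruders do.
SUBSTITUTIONS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}


def normalize(password: str) -> str:
    """Strip trailing digits/punctuation, reverse the substitutions, lowercase."""
    core = re.sub(r"[\d\W_]+$", "", password)
    core = "".join(SUBSTITUTIONS.get(ch, ch) for ch in core)
    return core.lower()


def is_dictionary_variant(password: str, dictionary=DICTIONARY) -> bool:
    """True if the password is just a dictionary word with a predictable twist."""
    return normalize(password) in dictionary


def strong_test(password: str, min_length: int = 14, dictionary=DICTIONARY) -> list[str]:
    """Return the reasons a password fails the Strong test; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name} characters")
    if is_dictionary_variant(password, dictionary):
        problems.append("dictionary word with a predictable variation")
    return problems


if __name__ == "__main__":
    for candidate in ("T0y0ta2024", "Passw0rd!", "Xk7#pQ2!mZ9@vL"):
        print(candidate, "->", strong_test(candidate) or "passes")
```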