IT Security
Complex passwords made easy


The password is often the first line of online defence, but is usually
very simple to crack. Neil Barrett offers some suggestions to
help users make their passwords more secure.


Take a moment to think about your signature. If it's anything like mine,
it's a near-indecipherable mix of loops and lines; something that started
out more or less legible has, over the years, deteriorated into a
lazy, hasty scrawl which is unique to you. And it's that uniqueness which
gives your signature its validity as an identification and authentication

Now, imagine that you were foolish enough to spend days and
days carefully coaching me in how to duplicate your writing perfectly. Not
simply giving me a copy of your signature from which to work, but actively
demonstrating and critiquing my performance until I was perfect in every
way in copying it. And perhaps, just to add the icing to the cake, you
then give me your chequebook and your bank card. Until the money ran out
in your account, I could be you. Stupid? Of course. But in the online
world, that is what your password does. If I have your password, I have
your account; and if I have your account then as far as the computer is
concerned, I am you.

As a second example, imagine that you decide
to change your signature from the complex whorl of lines and scribbles to
something made up of simple, Roman-style capital letters. Your signature
would now be one that I could easily copy; and again, I could be you as far
as the bank is concerned. This, of course, is the real-world situation
corresponding to a simple, short password such as your first name. This
happens often online. Users choose simple passwords; they share them with
one another or, if the password is difficult or is forced on them, they
write it down. Passwords form the first and best line of defence against
“identity theft”, but are almost universally misused.

To be effective, the password must be something which is hard to duplicate
and must be private, like the way you write your signature. There are some
simple, easily remembered ways in which passwords can be made much more
effective. A successful password must be complicated but memorable; for
added security, a different password should be used for each service
– one for Hotmail, another for the network. My passwords have two
components: a common core phrase, alongside a mnemonic for the service to
which it is applied. The result has numbers, punctuation marks and a mix of
upper and lower case. Enumerating every combination of that length and
character set would take years, but the password remains something that I
can remember and reproduce quickly.

For example, say the core phrase is “bedtime”; I can write this as 9beD!tiMe#.
This is hard to reproduce. For Hotmail, it might be hot9beD!tiMe#mail; for
the network, net9beD!tiMe#work – subject to any password length
restrictions. The result is a password I can remember but which is very
hard to reproduce; nearly as good as the scrawl on my bank card.
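The two paragraphs above make two claims: that the core-plus-mnemonic construction is hard to reproduce by brute force, and that wrapping the core in a per-service mnemonic gives a different password for each service. The following Python is an added example, not code from the article or its author, that puts numbers on the first claim and mechanises the second. The character-class model (lower, upper, digit, punctuation, 94 symbols in all), the guess rate of one billion per second and the rule of splitting the service name in half around the core are all assumptions chosen to match the article's two examples (hot…mail, net…work); the `max_len` check stands in for the "password length restrictions" the text mentions.

```python
import string
from typing import Optional

# Character classes an exhaustive attacker would have to cover. Assumed model:
# four classes, 26 + 26 + 10 + 32 = 94 printable ASCII symbols in total.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),   # 32 characters
}


def charset_size(password: str) -> int:
    """Size of the union of character classes the password actually uses.

    An attacker who guesses (or learns) which classes were used need only
    search that alphabet, so this is the honest basis for a strength estimate.
    """
    size = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses characters outside the modelled classes")
    return size


def search_space(password: str) -> int:
    """Worst-case number of candidates an exhaustive search over the password's
    character classes and length must try."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Time in years to enumerate the whole search space at an assumed guess rate.

    1e9 guesses/s is an illustrative figure, not a measurement of any cracker.
    """
    seconds = search_space(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def derive(core: str, service: str, max_len: Optional[int] = None) -> str:
    """Per-service password as in the article: first half of the service name,
    then the core, then the second half ("hot" + core + "mail").

    Splitting at the midpoint is an assumed generalisation of the two examples.
    max_len models a service's password length restriction, if it has one.
    """
    half = len(service) // 2
    candidate = service[:half] + core + service[half:]
    if max_len is not None and len(candidate) > max_len:
        raise ValueError(f"{candidate!r} exceeds the {max_len}-character limit for {service}")
    return candidate


def recover_core(derived: str, service: str) -> str:
    """The scheme's limit: anyone who learns one derived password and the service
    it belongs to can strip the mnemonic and read off the shared core, and from
    that predict the password for every other service."""
    half = len(service) // 2
    prefix, suffix = service[:half], service[half:]
    if not (derived.startswith(prefix) and derived.endswith(suffix)):
        raise ValueError("password does not match the expected wrapping for this service")
    return derived[len(prefix):len(derived) - len(suffix)]


if __name__ == "__main__":
    core = "9beD!tiMe#"   # the article's example core
    for pw in ("bedtime", core, derive(core, "hotmail"), derive(core, "network")):
        print(f"{pw:20} alphabet={charset_size(pw):3d} "
              f"space~2^{search_space(pw).bit_length() - 1:<3d} "
              f"years@1e9/s={years_to_exhaust(pw):.3g}")
    leaked = derive(core, "hotmail")
    stolen_core = recover_core(leaked, "hotmail")
    print("core read off a leaked Hotmail password:", stolen_core)
    print("network password predicted from it:   ", derive(stolen_core, "network"))
```

Two caveats the figures do not show. The years reported are for exhausting the full alphabet; a rule-based cracker that takes “bedtime” from a word list and applies capitalisation, digit and symbol substitutions will reach 9beD!tiMe# far sooner than the exhaustive estimate suggests, so treat the number as an upper bound. And `recover_core` shows that the per-service passwords are distinct but not independent: a leak of one of them exposes the core and therefore all the others.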