Password Protection For the Real World

You know them, you love them, you may not remember them… but love them: passwords! They prevent access to sensitive information, discourage theft, or simply identify users. You can use passwords to prevent others from accessing a piece of hardware (like a computer or an alarm system), software or data (like an accounting program or a webpage), or even a physical space (like a room protected by a lock with a number pad). The important thing to remember is that not all passwords are created equal.

OK, as a security geek I'm obliged to tell you to use only 50-character passwords and to memorize all of them before eating the pieces of paper you wrote them down on. I know at least one of you doesn't always do that. For you, here's an alternative: use passwords whose strength matches the accounts they protect.

The first step is to determine what kind of service you are creating a password for. Roughly three levels of password strength cover the accounts most people have.

Level 1. Nuisance Passwords

Do you really care if a hacker uses your bad password to change your news site preferences from entertainment to weather??? Oooh spooky! For accounts that you really don't consider private, use a single easy-to-remember password. These are considered nuisance logins. Good examples of nuisance logins are:

  • Newspapers and other online content.
  • Member sites that charge for access, such as online article databases.
  • Online communities that don't require detailed private information.
  • Sites that display your password as cleartext rather than asterisks or bullets (if a site can show it to you, assume anyone who can see your screen or the site's records can see it too, so never reuse that password for a Level 2 or Level 3 account).

If the site offers to store your credit card information, treat it as a Level 3/Highly Sensitive account and use a strong password.

Level 2. Private Passwords

For private matters that aren't life-or-death but that you want to keep to yourself, use a Level 2/Private password. A Level 2 password should have:

  • A length of 9 characters or greater.

  • At least one letter.

  • At least one number.

Accounts that warrant a Level 2 password include:

  • Your email accounts
  • Novell or your desktop
  • my.pcc.edu

Level 3. Highly Sensitive Passwords

Your last password category is for really sensitive stuff. This could be your most sensitive personal information or accounts that contain other people's information. For these accounts use a passphrase or an advanced keyboard pattern (both are explained below). These passwords guard your most precious accounts, so make them strong:

  • A length of 12 characters or more.

  • It must contain both upper- and lower-case letters.

  • It must contain a number.

  • It should have a special character (e.g. *&%$#)

  • Not be blatantly obvious: "password", "PCCuser", "PCC123", or your user name.

It’s someone’s identity you are protecting; how far will you protect it?

Accounts that warrant a Level 3 password include:

  • BANNER
  • Accounts that contain information that would make an attractive identity theft target (SSN, license numbers, health information, education records)
  • Your financial accounts
  • Your insurance/health related sites

How to do it:

Passphrase

Create a sentence you'll remember, and use the first letter of each word in that sentence to create your password. For example, "I love green peas and beans" would become "Ilgpab." To make the password stronger you could change the "i" to a "1," the "a" to "&," and vary the case to create "1lGP&B." Note that this example is only six characters long, well short of the 12-character Level 3 minimum: pick a sentence of a dozen or more words, or, where the system accepts it, use the whole sentence, spaces and all, as the passphrase.
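The following is an added example, not code from the original page: it encodes the Level 2 and Level 3 rules listed above in a small checker and implements the first-letter passphrase method, so you can see that the page's own six-word sentence yields a password that meets the character-class rules but not the length rule, while a longer sentence does. The "obvious" list and the reading of "special character" as any non-alphanumeric, non-space character are assumptions; the sample sentences are constructed.

```python
# Added example (not from the original page): encodes the page's three
# password levels and the first-letter passphrase method, so a candidate
# password can be checked against the level of the account it will guard.

# "Blatantly obvious" values taken from the page; the user name is passed in
# by the caller. Constructed list: extend it with whatever your site bans.
OBVIOUS = {"password", "pccuser", "pcc123"}


def classify(password, username=""):
    """Return the highest level (3, 2 or 1) the password qualifies for.

    Level 1 (nuisance) is the fallback for anything that misses Level 2.
    "Special character" is read as any non-alphanumeric, non-space
    character; that is an assumption, the page only gives examples (*&%$#).
    """
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() and not c.isspace() for c in password)
    # The page lists the "not obvious" rule only under Level 3, but an
    # obvious password should not guard a private account either (assumption).
    obvious = (password.lower() in OBVIOUS
               or (username != "" and password.lower() == username.lower()))

    if (len(password) >= 12 and has_upper and has_lower and has_digit
            and has_special and not obvious):
        return 3
    if len(password) >= 9 and (has_upper or has_lower) and has_digit and not obvious:
        return 2
    return 1


def passphrase_to_password(sentence, substitutions, uppercase_positions=frozenset()):
    """Build a password from the first letter of each word of ``sentence``.

    ``substitutions`` maps a lower-case letter to its replacement and is
    applied case-insensitively (the page's "i" -> "1" step turns "I" into "1");
    ``uppercase_positions`` holds indexes of remaining letters to upper-case.
    """
    initials = [word[0] for word in sentence.split()]
    out = []
    for i, ch in enumerate(initials):
        if ch.lower() in substitutions:
            out.append(substitutions[ch.lower()])
        elif i in uppercase_positions:
            out.append(ch.upper())
        else:
            out.append(ch)
    return "".join(out)


# The two substitutions used in the page's example.
SUBS = {"i": "1", "a": "&"}

if __name__ == "__main__":
    # The page's own six-word sentence: passes the character-class rules
    # but, at six characters, falls short of both length minimums.
    short = passphrase_to_password("I love green peas and beans", SUBS, {2, 3, 5})
    print(short, "-> Level", classify(short))      # 1lGP&B -> Level 1

    # A thirteen-word sentence (constructed) reaches Level 3.
    longer = passphrase_to_password(
        "Every Tuesday I walk the dog around the lake at 7 before work", SUBS)
    print(longer, "-> Level", classify(longer))    # ET1wtd&tl&7bw -> Level 3
```

The checker deliberately reports the highest level a password earns rather than a pass/fail, so the same function answers "is this good enough for BANNER?" and "is this good enough for my email?".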

For a great video on passphrase creation check out "Bud Logs In"

Advanced Keyboard Pattern

Put your hands on the keyboard, and move your fingers in a particular pattern to pick out a set of characters for your password. To create different passwords, you can either create a completely new pattern or apply the same pattern to a different section of the keyboard (some people find it easier to remember their hand movements than the characters they actually chose). Avoid straight lines along a row or column (qwerty, asdfgh, 1qaz2wsx and the like): those walks are in the standard cracking word lists, so change direction at least a couple of times and hold Shift on some keys.
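As an added example (not from the original page), here is the hand-movement idea made concrete: a pattern is stored as a list of row and column steps, applied to a constructed, unshifted US QWERTY grid, and reapplied from a different starting key to produce a different password. The layout, the row/column numbering and the zigzag pattern are all assumptions made for the illustration.

```python
# Added example (not from the original page): applies a remembered hand
# movement to a keyboard layout, so one pattern can be reapplied from a
# different starting key to yield a different password. The grid is a
# constructed, unshifted US QWERTY layout; row/column numbers are assumptions.

ROWS = [
    "1234567890-=",
    "qwertyuiop[]",
    "asdfghjkl;'",
    "zxcvbnm,./",
]
# What Shift produces on the non-letter keys above.
SHIFT = dict(zip("1234567890-=[];',./", "!@#$%^&*()_+{}:\"<>?"))


def shifted(key):
    """Character produced when Shift is held on ``key``."""
    return SHIFT.get(key, key.upper())


def apply_pattern(start, moves, shift_at=frozenset()):
    """Walk ``moves`` (row delta, column delta) from ``start`` and collect keys.

    ``shift_at`` holds output positions where Shift is held. Raises
    ValueError if the pattern runs off the keyboard from this start.
    """
    row, col = start
    chars = []
    for step, (d_row, d_col) in enumerate([(0, 0)] + list(moves)):
        row, col = row + d_row, col + d_col
        if not (0 <= row < len(ROWS) and 0 <= col < len(ROWS[row])):
            raise ValueError(f"pattern leaves the keyboard at step {step}")
        key = ROWS[row][col]
        chars.append(shifted(key) if step in shift_at else key)
    return "".join(chars)


def is_straight_walk(moves):
    """True for patterns that repeat one unit step (qwerty, 1qaz, asdfgh, ...).

    Such walks appear in standard cracking word lists, so a pattern that
    never changes direction should be rejected.
    """
    moves = list(moves)
    return (len(moves) > 0 and len(set(moves)) == 1
            and abs(moves[0][0]) <= 1 and abs(moves[0][1]) <= 1)


# A constructed pattern: down-right, up-right, repeated four times.
ZIGZAG = [(1, 1), (-1, 1)] * 4

if __name__ == "__main__":
    # Same hand movement, two sections of the keyboard, two passwords.
    print(apply_pattern((1, 1), ZIGZAG))                    # wdrgyjilp
    print(apply_pattern((0, 0), ZIGZAG, shift_at={0, 8}))   # !w3r5y7i(
    # A straight row walk is flagged.
    print(apply_pattern((1, 0), [(0, 1)] * 5),
          "straight walk:", is_straight_walk([(0, 1)] * 5))  # qwerty straight walk: True
```

The straight-walk check is a minimal filter, not a strength meter: a pattern that changes direction still has to satisfy the Level 3 length and character-class rules above, which is where `shift_at` (to pull in upper-case letters and symbols from the number row) earns its keep.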

After you've created a strong password, use the suggestions below to keep it safe:

  • Never share your password with anyone: you put both yourself and whoever you shared it with at risk. Case in point: if you give ME your password and anything goes wrong with your computer/account, "You did it!..."
  • Don't save your password when prompted by your browser or any other program: turn this option off in your browser so that someone using your system cannot walk straight into your sensitive accounts.
  • Change your password at least every six months: a password that has leaked without your noticing stays useful to an attacker only until you change it. Change it immediately if you suspect it has been exposed.
  • Never send your password in email, even if the request looks official: not only is it something the College doesn't do (see the first suggestion in this list), but such requests are probably phishing attempts.
  • Consider using a passphrase (or password) vault. Rather than compromising security by physically writing the phrases down or saving them in a browser, you can use a vault to store all of them behind one secure, but easily remembered, passphrase. Here are two options:

KeePass Password Safe - Windows

Mac OS X Keychain - Mac OS

Eventually, I will add a page on the intranet where you can test your password strength. There are sites on the web that let you do that, but please don't use your real password to test it.