By Kirk Schroder, Ellwood Thompson’s Food Advocate
Okay. This is not a blog related to Food or Food Advocacy. However, in the last month or so, I’ve seen an unusual number of friends on social media announcing that they’ve been hacked. So it made me wonder: what does it take to have a strong password that will keep hackers out?
Bill Burr, formerly of the National Institute of Standards and Technology and regarded as the father of the modern password, told government officials in 2003 that passwords should be an entirely random string of letters and symbols (i.e. something people could not guess). However, according to a recent interview with the Wall Street Journal, reported by BBC News, Burr now regrets that advice and believes it is no longer a model of best practice for password protection. When told to insert random characters into their passwords, users responded with only slight alterations, such as changing “monkey” to “monkey1”, rather than the drastic changes made to the word “protected” above. Meanwhile, computers have become faster and, as a result, better at cracking even the hardest random strings of letters and numbers.
According to security expert Bruce Schneier:
Crackers use different dictionaries: English words, names, foreign words, phonetic patterns and so on for roots; two digits, dates, single symbols and so on for appendages. They run the dictionaries with various capitalizations and common substitutions: “$” for “s”, “@” for “a”, “1” for “l” and so on. This guessing strategy quickly breaks about two-thirds of all passwords.
Schneier has an interesting suggestion for password protection:
My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence -- something personal.
Here are some examples:
WIw7,mstmsritt... = When I was seven, my sister threw my stuffed rabbit in the toilet.
Wow...doestcst = Wow, does that couch smell terrible.
Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.
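To make the two ideas above concrete, here is a small check written for this post (it is not Schneier's code, and not part of any password tool) that applies his description of cracking in reverse: it strips trailing appendages, undoes the common substitutions, and asks whether what is left is a dictionary root, then also applies the 14-character minimum suggested below. The word list is a tiny constructed sample; a real check would load a full cracking dictionary.

```python
import re

# Constructed sample of root words (hypothetical); a real check loads a large word list.
ROOT_WORDS = {"monkey", "password", "dragon", "letmein", "piggy", "welcome"}

# Undo the substitutions Schneier lists ("$" for "s", "@" for "a", "1" for "l")
# plus a few more that cracking dictionaries routinely include.
UNSUBSTITUTE = str.maketrans({"$": "s", "@": "a", "1": "l", "0": "o", "3": "e", "!": "i"})

# Trailing appendages from the same description: a four-digit year, one or two
# digits, or single symbols, in any combination, anchored at the end of the string.
APPENDAGES = re.compile(r"(?:\d{4}|\d{1,2}|[^\w\s])*$")

MIN_LENGTH = 14  # the post's own recommendation


def normalize_root(password: str) -> str:
    """Lower-case, strip trailing appendages, then reverse common substitutions."""
    stripped = APPENDAGES.sub("", password.lower(), count=1)
    return stripped.translate(UNSUBSTITUTE)


def dictionary_root(password: str):
    """Return the dictionary word the password reduces to, or None if there is none."""
    root = normalize_root(password)
    return root if root in ROOT_WORDS else None


def assess(password: str) -> list:
    """List the weaknesses discussed in the post; an empty list means none were found."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("short")        # below the 14-character suggestion
    root = normalize_root(password)
    if root == "":
        findings.append("no-root")      # nothing but digits and symbols
    elif root in ROOT_WORDS:
        findings.append("dictionary")   # word + substitutions + appendage pattern
    return findings


if __name__ == "__main__":
    # "monkey1" is the weak change from the post; the last two are Schneier's examples.
    for candidate in ["monkey1", "P@$$w0rd2019!", "tlpWENT2m", "WIw7,mstmsritt..."]:
        print(f"{candidate!r:>22} -> {assess(candidate) or 'no known weakness'}")
```

Note that Schneier's nine-character "tlpWENT2m" passes the dictionary check but not the length check, which is exactly the gap the passphrase advice below is meant to close.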
Another common best practice is to use long passphrases rather than inserting random and obscure characters. The most current guidelines from the National Institute of Standards and Technology recommend passphrases of up to 64 characters. I suggest at least 14 characters. A second common best practice is to change passwords only when there is a potential threat or compromise, not every 90 or even 180 days. A third, increasingly common practice is to use Two-Factor Authentication. This process often involves verifying your login with a passcode sent to your phone and is already in use by several large companies, including Amazon.
If you go online, you will find many competing and contradictory opinions on password protection. The purpose of this blog is to get you to act proactively, so that you can avoid the damage a successful computer hacker can do to you.
Whatever password protection practice you decide to use, make sure you do in fact use it.